LTE Security Overview

Overview of LTE Security architecture and key procedures.

Irfan Ali

Version: 2 (October 2012)

Overview

• Security in LTE
  • Security Architecture for 3GPP
  • During Attach
    • Key Derivation
    • Mutual Authentication
    • NAS Security
    • AS Security
  • Handovers
    • Key derivation at target eNB

Key Cryptographic Methods

• Two cryptographic methods:
  • Symmetric key: uses same key at both ends (shared key)
    • Encryption algos: Data Encryption Standard (DES), 3DES, International Data Encryption Algorithm (IDEA)
    • Used in UMTS and LTE
  • Asymmetric key: uses two different keys (private and public keys)
• Another tool used with the above is:
  • Hash function: One-way transformation, used for digital signature generation.

LTE uses Symmetric Key Cryptography

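Symmetric Key Cryptography: Encryption and Message Authentication

[Figure: Encryption. Alice and Bob exchange message m over a communication medium as encrypted message c.]

A(Ke, m) = c
A(Kd, c) = m
Ke := Kd

A: Algorithm; Ke: Encryption key; Kd: Decryption key; m: message; c: encrypted message

[Figure: Mutual Authentication with Secret Key. Messages exchanged between Alice and Bob, in order: Hello; R1; R2, Kab(R1 | R2); Kab(R2 | R1).]

[Figure: Message Authentication or Integrity Protection with Secret Key. On Alice's side DATA and the Secret Key go through the MAC Algorithm and DATA is sent with the MAC; on Bob's side the received DATA and the Secret Key go through the MAC Algorithm and the result is compared with the received MAC (MAC = ?).]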

3GPP Overall Security Architecture

[Figure: two views of the network (eNBs, MME, S-GW, P-GW, HSS, IMS, Internet). The first labels the RRC Connection, the NAS Connection, Network Access Security and User Domain Security in the HPLMN. The second labels Network Domain Security, with SEGs between Security Domain A and Security Domain B (HPLMN and VPLMN).]

SEG: Security Gateway

3GPP Overall Security Architecture

• Network Access Security
  • Primarily radio link security
    • Encryption and Integrity protection of RRC
    • Encryption and Integrity protection of NAS
    • Encryption of Data Radio bearers (optional)
• Network Domain Security
  • Security of the wireline network between PLMNs
    • Key negotiation using IKE
    • Use of ISAKMP for setting up the security association between the SEGs
    • Tunnel-mode ESP to be used
      • Encryption: triple DES
      • Data Integrity and Authentication: MD5 and SHA-1
• User Domain Security
  • User – USIM authentication:
    • Access to the USIM is restricted until the USIM has authenticated the user. Use of PIN. If user does not know PIN, user is not allowed to use SIM.
  • USIM – Terminal authentication
    • Used only for SIM-Locked Mobiles. When an ME is SIM-locked (SIM/USIM personalisation indicator in the ME set to "on"), the ME stores the IMSI of the USIM. If the inserted USIM has a different IMSI, the ME goes into an emergency-call-only mode. Ref TS 22.022 Section 8.

[Figure: PLMN-A and PLMN-B connected by IKE/ISAKMP and IPSec/ESP.]

IKE: Internet Key Exchange; ISAKMP: Internet Security Association and Key Management Protocol; ESP: Encapsulation Security Protocol; IPSec: IP Security

• NOTE: Maintaining security on wired links within a security domain (i.e. PLMN, e.g. between eNB and MME) is the responsibility of the operator. Only recommendations in 3GPP Specifications.
  • In general, links should be either physically secured or protected through IPSec (NDS/IP)

Key Hierarchy for LTE

[Figure: key hierarchy drawn over the network path UE, eNB, MME, SGW, PGW, HSS. Labels: K; Kasme; KeNB; NAS (CK, IK); SRB-0, SRB-1, SRB-2 (CK, IK); Data Radio Bearer-10 (CK); S1-MME; GTPC-1; GTP-U-10; S6a. Legend: Encrypted Info, Integrity Protected Info.]

ASME: Access Security Management Entity (MME)
CK, IK: Ciphering Key, Integrity Protection Key

LTE Key Hierarchy

• ASME = Access Security Management Entity, located at the MME

[Figure: key hierarchy by the entities that hold each key, top to bottom]
• USIM / AuC: K
• UE / HSS: CK, IK
• UE / MME: KASME; below it KNASenc, KNASint and KeNB / NH
• UE / eNB: KUPenc, KRRCint, KRRCenc

Identity Protection

• The two permanent identities of UE are:
  • IMSI (subscriber identity)
    • Seldom sent over the air (only during attach, if no other valid temporary ID is present in the UE).
    • Temporary identities used instead (S-TMSI, GUTI)
  • IMEI (hardware identity)
    • Only sent to MME (in NAS), not to eNB.
    • Sent only after NAS security is set up (i.e. encrypted and integrity protected).

S-TMSI: System architecture evolution Temporary Mobile Subscriber Identity
GUTI: Globally Unique Temporary Identity

General Security Characteristics

• Use of UMTS AKA (Authentication and Key Agreement) procedure
• Use of 128-bit keys truncated from generated 256-bit keys
• Ciphering Algorithms (AS and NAS):
  • 0 = Null; 1 = SNOW 3G; 2 = AES
• Integrity Algorithms (AS, NAS):
  • 1 = SNOW 3G; 2 = AES
• Access Stratum (AS), between eNB and UE:
  • Ciphering applicable to both user traffic and RRC-level signaling traffic.
  • Integrity protection applicable only to RRC-level signaling traffic.
  • Integrity information is ciphered.
  • Located at the PDCP sublayer in both eNB and UE
• Non-Access Stratum (NAS), between MME and UE:
  • Ciphering and Integrity of NAS messages, independent of the AS security
• Keys change at every intra-E-UTRAN handover, including intra-eNB handovers.

Rel-8 UE is required to support these algorithms.

AES: Advanced Encryption Standard

LTE AKA

[Figure: message sequence between UE, MME and HSS]
• MME to HSS: Authentication data request (IMSI, VPLMN, Network Type = E-UTRAN)
• HSS: Generate authentication vectors AV(1..n)
• HSS to MME: Authentication data response AV
• MME: Store authentication vectors AV(1..n); select authentication vector AV
• MME to UE: User authentication request RAND || AUTN
• UE: Verify AUTN, compute RES
• UE to MME: User authentication response RES
• MME: Compare RES and XRES
• Security Mode Command: used to derive NAS keys from Kasme

[Figure: key computation on each side]
• HSS: Function with inputs SQN, K, RAND and outputs XRES, AUTN, CK, IK; a KDF box (labels SQN, IMSI, VPLMN) producing Kasme; AV = AUTN, RAND, XRES, Kasme
• UE: USIM holding K, with inputs RAND and AUTN and outputs RES, CK, IK (SQN is also labelled); a KDF box (labels SQN, IMSI, VPLMN) producing Kasme

AKA: Authentication and Key Agreement
AUTN: Authentication TokeN
GUTI: Globally Unique Temporary Identity
KSI: Key Set Identifier

User authentication function in the USIM

[Figure: USIM computation from K, RAND and the received AUTN]
• AUTN = SQN ⊕ AK | AMF | MAC
• f5 produces AK, which is used to recover SQN
• f1 produces XMAC, f2 produces RES, f3 produces CK, f4 produces IK
• Verify MAC = XMAC
• Verify that SQN is in the correct range

AUTN: Authentication TokeN
AMF: Authentication management field
SQN: Sequence Number
AK: Anonymity Key
MAC: Message Authentication Code

• USIM keeps track of last SQN received, SQNms
• USIM only accepts a sequence number from HSS if |SQN – SQNms| < ∆
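The two USIM checks above (MAC = XMAC, then SQN in range), run against a fresh, a replayed and a tampered challenge. This is an added example, not code from the slides: f1..f5 are replaced by labelled HMAC-SHA-256 stand-ins rather than Milenage, and the field sizes, AMF value, ∆ = 32, key and RAND are constructed. The slide gives the window as |SQN – SQNms| < ∆; the example additionally requires SQN to be greater than SQNms so that a replayed vector is refused, which is an assumption added here.

```python
import hashlib
import hmac

def f(k: bytes, n: int, data: bytes, size: int) -> bytes:
    """Stand-in for f1..f5 (HMAC-SHA-256 with a function label). Not Milenage."""
    return hmac.new(k, bytes([n]) + data, hashlib.sha256).digest()[:size]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hss_make_vector(k: bytes, sqn: int, rand: bytes, amf: bytes = b"\x80\x00"):
    """HSS side: AUTN = (SQN xor AK) || AMF || MAC, plus the expected XRES."""
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, 1, sqn_b + rand + amf, 8)          # f1 -> MAC
    ak = f(k, 5, rand, 6)                         # f5 -> AK hides SQN on the air
    return xor(sqn_b, ak) + amf + mac, f(k, 2, rand, 8)

def usim_authenticate(k: bytes, sqn_ms: int, rand: bytes, autn: bytes, delta: int = 32):
    """USIM side: return (RES, CK, IK, new SQNms) or raise ValueError."""
    concealed, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn_b = xor(concealed, f(k, 5, rand, 6))      # recover SQN with AK
    xmac = f(k, 1, sqn_b + rand + amf, 8)         # f1 -> XMAC
    if not hmac.compare_digest(mac, xmac):        # Verify MAC = XMAC
        raise ValueError("MAC failure")
    sqn = int.from_bytes(sqn_b, "big")
    if not 0 < sqn - sqn_ms < delta:              # SQN must advance, within the window
        raise ValueError("synch failure")
    return f(k, 2, rand, 8), f(k, 3, rand, 16), f(k, 4, rand, 16), sqn

def outcome(k: bytes, sqn_ms: int, rand: bytes, autn: bytes) -> str:
    """Label the USIM's decision for one received challenge."""
    try:
        usim_authenticate(k, sqn_ms, rand, autn)
        return "accepted"
    except ValueError as err:
        return str(err)

# Constructed sample values.
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes(range(16))

if __name__ == "__main__":
    autn, _ = hss_make_vector(K, 101, RAND)
    print(outcome(K, 100, RAND, autn))   # fresh vector
    print(outcome(K, 101, RAND, autn))   # same vector replayed
```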

Overview of NAS and AS Security negotiations

[Figure: sequence between UE, eNB, MME-1 and HSS]
• EPS-AKA (UE with MME-1, MME-1 with HSS). Result: Partial EPS native Context at UE and MME (Kasme, KSI).
• NAS Security Mode Command (SMC): NAS Security Algorithms decided here. Result: Full EPS native Context at UE and MME, marked Current (Kasme, eKSI).
• UE's security Capability is passed on for the AS negotiation.
• AS-SMC: AS Security Algorithms decided here. Result: AS Keys at UE and eNB.

ASME: Access Security Management Entity (MME)
KSI: Key Set Identifier

Negotiation of NAS/AS Enc & Int Algorithm

• ME provides its support of different EPS encryption (EEA) and integrity protection (EIA) algorithms as part of the "UE Network Capability" IE.
  • The same set of ciphering and integrity algorithms shall be supported by the UE both for AS and NAS level
• The eNB and MME are configured with a prioritized list of EEA and EIA algorithms to use. E.g.
  • Priority-0: EIA2
  • Priority-1: EIA1
• eNB/MME selects first intersection of configured algorithm with UE's capability.
• NAS and AS security algorithms can be different.
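The selection rule above, applied by an MME and an eNB with different priority lists to the same UE capability, plus the UE-side comparison of the capability echoed in the Security Mode Command. This is an added example, not code from the slides; the bitmap layout (most significant bit = algorithm 0) is assumed from TS 24.301, and the capability octets and priority lists are constructed.

```python
def parse_capability(octets: bytes):
    """Return (EEA ids, EIA ids) from the two algorithm bitmap octets.

    Assumed layout: bit 8 (MSB) = algorithm 0, bit 7 = algorithm 1, and so on.
    """
    def ids(octet: int):
        return {i for i in range(8) if octet & (0x80 >> i)}
    return ids(octets[0]), ids(octets[1])

def select(priority, supported, kind: str) -> int:
    """First entry of the node's priority list that the UE also supports."""
    for alg in priority:
        if alg in supported:
            return alg
    raise LookupError(f"no common {kind} algorithm")

def negotiate(node_cfg: dict, ue_octets: bytes):
    """Return the (EEA, EIA) pair a node picks for this UE."""
    eea, eia = parse_capability(ue_octets)
    return select(node_cfg["EEA"], eea, "EEA"), select(node_cfg["EIA"], eia, "EIA")

def ue_check_smc(sent: bytes, echoed: bytes, chosen) -> bool:
    """UE side: echoed capability must equal what was sent, and the chosen
    algorithms must be ones the UE actually offered."""
    eea, eia = parse_capability(sent)
    return echoed == sent and chosen[0] in eea and chosen[1] in eia

# Constructed configuration and capability values.
MME_CFG = {"EEA": [2, 1, 0], "EIA": [2, 1]}   # NAS: prefers AES
ENB_CFG = {"EEA": [1, 2, 0], "EIA": [1, 2]}   # AS: prefers SNOW 3G
UE_CAP = bytes([0xE0, 0x60])                  # EEA0-2 and EIA1-2 supported
ALTERED_CAP = bytes([0x80, 0x60])             # same IE with only EEA0 left set

if __name__ == "__main__":
    print(negotiate(MME_CFG, UE_CAP), negotiate(ENB_CFG, UE_CAP))
    weak = negotiate(MME_CFG, ALTERED_CAP)    # network would pick null ciphering
    print(weak, ue_check_smc(UE_CAP, ALTERED_CAP, weak))
```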

Power-off/Power-on issue

• Power-off
  • The objective is to store a fully valid native EPS security context, preferably in USIM, otherwise in non-volatile memory of the ME.
• Power-on
  • Retrieve a "valid" EPS security context either from (a) USIM, or (b) if not, from ME non-volatile memory. This becomes the current EPS security context.
  • If no valid EPS security context can be retrieved, UE signals to MME in attach that it has "no valid keys".

UE Performs attach – Part 1 of 3

[Figure: message sequence across UE, eNB, MME, SGW, PGW and Internet]

Random Access Procedure
1. Random Access Preamble (RACH)
2. Random Access Preamble (DL-SCH: Common CC)

RRC Setup Procedure
3. RRC Connection Request (UL-SCH: SRB0)
4. RRC Connection Setup (DL-SCH: Common CC)
5. RRC Connection Complete (UL-SCH: SRB1), carrying NAS Msg: Attach Request, IMSI and NAS Msg: PDN Connect Req

UE Performs Attach – Part 2 of 3

[Figure: message sequence across UE, eNB, MME, SGW, PGW, HSS and Internet. Radio messages use DL-SCH:CCH SRB1 and UL-SCH: SRB1; eNB to MME messages use S1-MME; MME to HSS messages use S6a.]

eNB selects MME
6. Initial UE Message (S1-MME): NAS MSG: Attach Request, IMSI, UE Network Capability (Encryption + Integrity Protection Algorithm support); NAS Msg: PDN Connect Req

User Authentication Procedure
7. Auth Info Request: IMSI, VPLMN, Net=EUTRAN
8. Auth Info Answer: Kasme, AUTN, RAND, XRES
9. DL NAS Xport: Authn Request
10. DL Info Xfer: Authn Request: AUTN, RAND, eKSI
11. UL Info Transport: Authn Response: RES
12. UL NAS Xport: Authn Response
MME compares RES with XRES. If same, AKA successful.

NAS Security Setup Procedure
13. DL NAS Xport: Security Mode Command
14. DL Info Transport: SMC: eKSI, NAS Algo, UE Security Capability
15. UL Info Transport: Security Mode Complete
16. UL NAS Xport: SMC Complete
NAS Security is in place from this point.

Authorization
17. Location Update Request: IMSI, …
18. Location Update Response: Subscription Data
MME authorizes UE.

UE Performs Attach – Part 3 of 3

[Figure: message sequence across UE, eNB, MME, SGW, PGW, HSS and Internet, continuing over S1-MME with NAS Security in place and GTPC between the core nodes.]

19. Create Session Request (IMSI, TEIDs, PGW IP, …)
20. Create Session Request (IMSI, TEIDs, ) (GTPC-2)
21. Create Session Response (IMSI, TEIDs)
22. Create Session Response (IMSI, TEIDs)

AS Security Setup Procedure
23. Initial Context Setup Request (UE Context Info: UE Security Capability, KeNB)
24. RRC Security Mode Command, AS Algorithm (DL-SCH:CCH SRB1)
25. RRC Security Mode Complete (UL-SCH: SRB1)
AS Security is in place from this point.

26. Obtain UE's Radio Capability
27. RRC Connection Reconfiguration (DL-SCH:CCH SRB2)
28. RRC Reconfig Complete
29. Initial Context Setup Complete (S1U TEIDs)
30. UL Information Transfer (UL-SCH: SRB2)
31. UL NAS Xport
32. Modify Bearer Req. (IMSI, TEIDs…)
33. Modify Bearer Resp (IMSI, S1U TEID)

NAS messages carried in the downlink (NAS1, NAS2): NAS: Attach Accept, NAS: Activate default bearer req
NAS messages carried in the uplink (NAS1, NAS2): NAS: Attach Complete, NAS: Activate default bearer acpt

Bearers and tunnels shown: SRB-0, SRB-1, SRB-2, Data Radio Bearer-10, S1-MME, GTPC-1 Tunnel, GTPC Tunnel, GTP-U-10 Tunnel

KeNB Key Derivation at S1 Handover

[Figure: UE, eNB_1, eNB_2 and MME. Before the handover the UE and the MME hold Kasme, KeNB_1 and {NH_1, NCC=1}; eNB_1 holds KeNB_1. After the handover the UE and the MME hold Kasme and {NH_2, NCC=2}; eNB_2 and the UE hold KeNB_2.]

• f2: inputs Kasme and NH_1, with NCC++; output {NH_2, NCC=2}
• f1: inputs NH_2 (NCC=2), PCI and EARFCN-DL; output KeNB_2

Steps in the figure:
0. Handover Required
1. MME creates NH_2 and NCC=2
3. eNB computes KeNB_2 using function f1
5. UE checks NCC value to be correct. UE computes NH_2 using function f2. UE computes KeNB_2 using function f1.
Steps 2 and 4 are arrows without text of their own; the values shown in transit are {NH_2, NCC=2} and NCC=2.

PCI: Physical Cell Identity
EARFCN-DL: E-UTRAN Absolute Frequency Channel – DL
NH: Next Hop Parameter
NCC: NH Chaining Counter
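The NH chaining above, carried through steps 1 to 5 so that eNB_2 and the UE arrive at the same KeNB_2 without eNB_2 ever holding Kasme. This is an added example, not code from the slides: the HMAC-SHA-256 construction, the FC values 0x11, 0x12 and 0x13 and the 2-byte PCI and EARFCN-DL encodings are taken from TS 33.401 Annex A rather than from the slide, the NCC is not wrapped as a 3-bit counter, and the key, PCI and EARFCN-DL values are constructed.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ... (Ln = 2-byte length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def f2_next_hop(kasme: bytes, previous: bytes) -> bytes:
    """Slide's f2 (assumed FC 0x12): next NH from Kasme and the previous NH."""
    return kdf(kasme, 0x12, previous)

def f1_kenb(nh: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Slide's f1 (assumed FC 0x13): target KeNB from NH, PCI and EARFCN-DL."""
    return kdf(nh, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

class NhChain:
    """NH/NCC state kept in step by the MME and the UE, both holding Kasme."""
    def __init__(self, kasme: bytes, kenb_1: bytes):
        self.kasme = kasme
        self.nh, self.ncc = f2_next_hop(kasme, kenb_1), 1   # NH_1, NCC=1

    def advance(self):
        self.nh, self.ncc = f2_next_hop(self.kasme, self.nh), self.ncc + 1
        return self.nh, self.ncc

def ue_derive(ue: NhChain, signalled_ncc: int, pci: int, earfcn_dl: int) -> bytes:
    """Step 5: check NCC, catch the NH chain up to it, then apply f1."""
    if signalled_ncc < ue.ncc:          # a counter that moves backwards is rejected
        raise ValueError("stale NCC")
    while ue.ncc < signalled_ncc:
        ue.advance()
    return f1_kenb(ue.nh, pci, earfcn_dl)

def s1_handover(kasme: bytes, kenb_1: bytes, pci: int, earfcn_dl: int):
    """Run steps 1-5 and return (KeNB_2 at eNB_2, KeNB_2 at UE, NCC)."""
    mme, ue = NhChain(kasme, kenb_1), NhChain(kasme, kenb_1)
    nh_2, ncc = mme.advance()                      # step 1, sent to eNB_2
    enb_key = f1_kenb(nh_2, pci, earfcn_dl)        # step 3, eNB_2 never sees Kasme
    return enb_key, ue_derive(ue, ncc, pci, earfcn_dl), ncc

# Constructed sample values, not taken from any network.
KASME = bytes(range(32))
KENB_1 = kdf(KASME, 0x11, (0).to_bytes(4, "big"))  # initial KeNB, uplink NAS COUNT 0

if __name__ == "__main__":
    enb, ue, ncc = s1_handover(KASME, KENB_1, pci=301, earfcn_dl=1850)
    print(ncc, enb == ue)
```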

Specifications

• TS 33.401 – LTE Security
• TS 33.102 – 3G Security