© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011


3GPP LTE Security Aspects

Dionisio Zumerle, Technical Officer, 3GPP
ETSI


Contents

LTE security architecture

Security algorithms

Lawful Interception

Backhaul Security

Relay Node Security


LTE Security Architecture


LTE Security: UMTS Security and LTE Architectural Impact

UMTS security enhancements:

• Mutual authentication

• Integrity keys

• Public algorithms

• “Deeper” encryption

• Longer key length

LTE Architecture:

• Flat architecture

• Separation of control plane and user plane

• eNodeB instead of NodeB/RNC

• All-IP network

• Interworking with legacy and non-3GPP networks

Characteristics of LTE Security

• Re-use of UMTS Authentication and Key Agreement (AKA)

• Use of USIM required (GSM SIM excluded)

• Extended key hierarchy

• Possibility for longer keys

• Greater protection for backhaul

• Integrated interworking security for legacy and non-3GPP networks


AKA and signalling protection

[Figure: EPS architecture (UE, E-UTRAN, MME, Serving Gateway, HSS, SGSN, UTRAN, GERAN; reference points LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S10, S11, S12), annotated with the protection applied on each path:]

• NAS (UE – MME): confidentiality and integrity for signalling only
• LTE-Uu (UE – E-UTRAN, carrying RRC and NAS signalling and the user plane): confidentiality and integrity for signalling, confidentiality for the user plane
• Backhaul (S1): optional user plane protection (IPsec)


Authentication and Key Agreement

Parties: UE, eNB, MME, AuC (reached through the HSS)

• UE → MME: NAS Attach Request (IMSI)
• MME → AuC: Authentication data request (IMSI, SN_id)
• AuC → MME: Authentication data response (AV = {AUTN, XRES, RAND, KASME})
• MME → UE: NAS Authentication Request (AUTN, RAND, KSIASME)
• UE → MME: NAS Authentication Response (RES); the MME compares RES with XRES
• MME → UE: NAS Security Mode Command (selected confidentiality and integrity algorithms)
• UE → MME: NAS Security Mode Complete
• MME → eNB: S1AP Initial Context Setup (delivers KeNB and the UE security capabilities to the eNB)
• eNB → UE: RRC Security Mode Command (selected confidentiality and integrity algorithms)
• UE → eNB: RRC Security Mode Complete
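The exchange on this slide carried through end to end, as an added example that is not part of the original slides or of any 3GPP code. The MILENAGE functions f1 to f5 that a real USIM and AuC run are replaced by HMAC-SHA-256 stand-ins (a constructed substitute, not the 3GPP algorithm); the authentication vector layout, the two AUTN checks made by the USIM (MAC-A, then SQN freshness), the RES/XRES comparison made by the MME and the KASME derivation with the 33.220 KDF (FC 0x10 with serving network identity and SQN ⊕ AK as parameters, per 33.401 Annex A.2) follow the specification. The subscriber key, IMSI and serving network identity are constructed test data.

```python
"""EPS AKA walk-through: HSS/AuC, MME and UE/USIM roles (added example)."""
import hashlib
import hmac
import os

AMF = bytes.fromhex("8000")   # AMF "separation bit" set: the vector is usable for EPS only


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """33.220 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def f(k: bytes, name: bytes, rand: bytes, extra: bytes = b"") -> bytes:
    """Stand-in for MILENAGE f1..f5 (constructed for this example, NOT the real algorithm)."""
    return hmac.new(k, name + rand + extra, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HSS:
    """Home network: stores K and the SQN counter per IMSI and issues authentication vectors."""

    def __init__(self, subscribers):
        self.subscribers = dict(subscribers)          # IMSI -> (K, next SQN)

    def auth_data_response(self, imsi, sn_id, rand=None):
        k, sqn = self.subscribers[imsi]
        self.subscribers[imsi] = (k, sqn + 1)         # an SQN is never reused
        rand = rand or os.urandom(16)
        sqn_b = sqn.to_bytes(6, "big")
        mac_a = f(k, b"f1", rand, sqn_b + AMF)[:8]    # authenticates SQN || AMF to the USIM
        ak = f(k, b"f5", rand)[:6]                    # anonymity key conceals SQN in AUTN
        ck, ik = f(k, b"f3", rand)[:16], f(k, b"f4", rand)[:16]
        autn = xor(sqn_b, ak) + AMF + mac_a
        # KASME binds CK, IK to the serving network identity (33.401 A.2, FC = 0x10)
        kasme = kdf(ck + ik, 0x10, sn_id, xor(sqn_b, ak))
        return {"RAND": rand, "AUTN": autn, "XRES": f(k, b"f2", rand)[:8], "KASME": kasme}


class USIM:
    """UE side: verifies AUTN, tracks the highest SQN accepted so far, computes RES."""

    def __init__(self, imsi, k, sqn_max=0):
        self.imsi, self.k, self.sqn_max = imsi, k, sqn_max

    def authenticate(self, rand, autn, sn_id):
        ak = f(self.k, b"f5", rand)[:6]
        sqn, amf, mac_a = xor(autn[:6], ak), autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac_a, f(self.k, b"f1", rand, sqn + amf)[:8]):
            raise ValueError("MAC failure: AUTN was not produced by the home network")
        if int.from_bytes(sqn, "big") <= self.sqn_max:
            raise ValueError("synchronisation failure: SQN not fresh (replayed vector?)")
        self.sqn_max = int.from_bytes(sqn, "big")
        ck, ik = f(self.k, b"f3", rand)[:16], f(self.k, b"f4", rand)[:16]
        kasme = kdf(ck + ik, 0x10, sn_id, autn[:6])   # same inputs as the HSS used
        return f(self.k, b"f2", rand)[:8], kasme


def ue_accepts(usim, rand, autn, sn_id) -> bool:
    """True if the USIM accepts the challenge, False on MAC or synchronisation failure."""
    try:
        usim.authenticate(rand, autn, sn_id)
        return True
    except ValueError:
        return False


def run_eps_aka(hss, usim, sn_id) -> bytes:
    """MME role: AUTH data request/response towards the HSS, NAS auth request/response towards the UE."""
    av = hss.auth_data_response(usim.imsi, sn_id)
    res, kasme_ue = usim.authenticate(av["RAND"], av["AUTN"], sn_id)
    if not hmac.compare_digest(res, av["XRES"]):
        raise ValueError("authentication failure: RES != XRES")
    assert kasme_ue == av["KASME"]   # both sides now hold KASME; NAS SMC can follow
    return av["KASME"]


# Constructed test data: K, IMSI and SN id for MCC 001 / MNC 01 (33.401 A.2 encoding)
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
IMSI = "001010123456789"
SN_ID = bytes.fromhex("00f110")

if __name__ == "__main__":
    print("KASME =", run_eps_aka(HSS({IMSI: (K, 1)}), USIM(IMSI, K), SN_ID).hex())
```

Two points worth noticing when running it: a captured vector replayed to the USIM fails the SQN check rather than the MAC check, and a vector presented under a different serving network identity is still accepted by the USIM but yields a KASME that does not match the one the HSS computed, which is exactly the binding the MME-side key depends on.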


Security Algorithms


LTE Security Algorithms

Currently two separate algorithm sets specified (128-EEA1/EIA1 and 128-EEA2/EIA2)
• in addition to one NULL algorithm (EEA0/EIA0)

Current key length 128 bits
• possibility to extend to 256 bits in the future

Confidentiality protection of NAS/AS signalling recommended

Integrity protection of NAS/AS signalling mandatory

User data confidentiality protection recommended

Ciphering/deciphering applied at the PDCP layer (AS) and at the NAS layer


LTE Ciphering and Integrity mechanisms

[Figure: ciphering and integrity protection as specified for the EEA and EIA algorithm interfaces]

Ciphering:
• Sender: KEYSTREAM BLOCK = EEA(KEY, COUNT, BEARER, DIRECTION, LENGTH); CIPHERTEXT BLOCK = PLAINTEXT BLOCK ⊕ KEYSTREAM BLOCK
• Receiver: regenerates the same KEYSTREAM BLOCK from the same KEY, COUNT, BEARER, DIRECTION and LENGTH; PLAINTEXT BLOCK = CIPHERTEXT BLOCK ⊕ KEYSTREAM BLOCK

Integrity:
• Sender: MAC-I (AS) / NAS-MAC = EIA(KEY, COUNT, DIRECTION, BEARER, MESSAGE), appended to the message
• Receiver: computes XMAC-I / XNAS-MAC over the received message with the same inputs and compares it with the received MAC-I / NAS-MAC


128-EEA1/EIA1

Based on SNOW 3G

• stream cipher

• keystream produced by Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM)

As different from KASUMI as possible

• selected during UMTS security design (as the basis of UEA2/UIA2)

Allows for:

• low power consumption

• low gate count implementation in hardware


128-EEA2/EIA2

AES block cipher

• Counter (CTR) mode for ciphering

• CMAC mode for MAC-I creation (integrity)

As different from SNOW 3G as possible
• cracking one would not affect the other

Reasons why KASUMI was not re-used:

• eNB already supports AES, since it needs AES for NDS/IP anyway

• similarity with other non-3GPP accesses (e.g. 802.11i)

• other
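The mechanism of the "LTE Ciphering and Integrity mechanisms" slide, instantiated with 128-EEA2 and 128-EIA2 as an added example (not code from the slides or from 3GPP). The counter block and MAC input framing (COUNT || BEARER || DIRECTION || 26 zero bits, 33.401 Annex B) follow the specification; the AES-128 core is a compact pure-Python forward cipher written for this example so that the block runs without third-party libraries, and it is checked against the FIPS-197 and RFC 4493 test vectors. The key, COUNT, BEARER and message values used with it are constructed, and messages are assumed to be whole bytes (LENGTH a multiple of 8).

```python
"""128-EEA2 (AES counter mode) and 128-EIA2 (AES-CMAC) with 33.401 Annex B framing (added example)."""
import hmac

def _gmul(a, b):
    """Multiplication in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1), b >> 1
    return r

def _make_sbox():
    """S-box = affine map of the multiplicative inverse (computed rather than typed in)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _expand_key(key):
    """FIPS-197 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """AES-128 forward cipher on one 16-byte block; state index is 4*column + row."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3, a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                      a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3), _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)

def _frame(count, bearer, direction):
    """COUNT[32] || BEARER[5] || DIRECTION[1] || 0^26 (33.401 B.1.3 and B.2.3)."""
    return count.to_bytes(4, "big") + bytes([(bearer << 3) | (direction << 2), 0, 0, 0])

def eea2(key, count, bearer, direction, data):
    """128-EEA2: AES-CTR keystream from T1 = frame || 0^64, XORed with the data.
    Ciphering and deciphering are the same operation, so COUNT must never repeat
    for the same key, bearer and direction (that would reuse keystream)."""
    t1 = int.from_bytes(_frame(count, bearer, direction) + bytes(8), "big")
    out = bytearray()
    for i in range(0, len(data), 16):
        keystream = aes128_encrypt_block(key, (t1 + i // 16).to_bytes(16, "big"))
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], keystream))
    return bytes(out)

def _subkey(k):
    """CMAC subkey step: shift left by one bit, XOR 0x87 if the top bit was set."""
    n = (int.from_bytes(k, "big") << 1) ^ (0x87 if k[0] & 0x80 else 0)
    return (n & ((1 << 128) - 1)).to_bytes(16, "big")

def aes_cmac(key, msg):
    """AES-CMAC (RFC 4493), full 128-bit tag."""
    k1 = _subkey(aes128_encrypt_block(key, bytes(16)))
    k2 = _subkey(k1)
    n = max(1, (len(msg) + 15) // 16)
    last = msg[16 * (n - 1):]
    if len(last) == 16:
        last = bytes(a ^ b for a, b in zip(last, k1))
    else:                                   # incomplete final block: pad 10..0 and use K2
        last = bytes(a ^ b for a, b in zip(last + b"\x80" + bytes(15 - len(last)), k2))
    x = bytes(16)
    for i in range(n - 1):
        x = aes128_encrypt_block(key, bytes(a ^ b for a, b in zip(x, msg[16 * i:16 * i + 16])))
    return aes128_encrypt_block(key, bytes(a ^ b for a, b in zip(x, last)))

def eia2(key, count, bearer, direction, msg):
    """128-EIA2: MAC-I / NAS-MAC = the 32 leftmost bits of AES-CMAC(frame || MESSAGE)."""
    return aes_cmac(key, _frame(count, bearer, direction) + msg)[:4]

def eia2_verify(key, count, bearer, direction, msg, mac_i):
    """Receiver side: recompute XMAC-I / XNAS-MAC and compare in constant time."""
    return hmac.compare_digest(eia2(key, count, bearer, direction, msg), mac_i)
```

The framing is what ties a keystream block or a MAC to one PDCP/NAS COUNT, one bearer and one direction: changing any of them changes the keystream, and a message replayed under a different COUNT fails the integrity check even though the bytes and the MAC-I are unchanged.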


128-EEA3/EIA3

Based on ZUC (designed in China)

• stream cipher

Three-phase evaluation ongoing

• Public evaluation ongoing! http://zucalg.forumotion.net/

• 2nd International Workshop on ZUC: June 5-6 in Beijing http://www.3gpp.org/Call-for-Papers-Beijing-ZUC

Network-mandatory/network-optional to be decided


Deeper Key hierarchy in LTE

Faster handovers and key changes, independent of AKA (fresh AS keys are derived from the existing context without re-running AKA)

Added complexity in handling of security contexts

Security breaches stay local: a key compromised at one level (e.g. KeNB in an eNB) does not expose the keys it was derived from

[Figure: EPS key hierarchy, K → CK, IK → KASME → KeNB and the NAS keys → the AS keys, with the entities holding each key:]

• K: USIM / AuC
• CK, IK: UE / HSS
• KASME: UE / ASME (the MME in EPS)
• KNASenc, KNASint: UE / MME
• KeNB: UE / eNB
• KRRCint, KRRCenc, KUPenc, KUPint: UE / eNB


Key Derivation

Key distribution and key derivation scheme for EPS (network side) is found in 33.401; the Key Derivation Function (KDF) specification can be found in 33.220.

[Figure: EPS key derivation, network side. Every KDF takes a 256-bit key and the parameters listed; keys for the 128-bit algorithms are truncated (Trunc) from 256 to 128 bits.]

HSS:
• KASME (256) = KDF(CK || IK; SN id, SQN ⊕ AK)

MME:
• KNASenc (128) = Trunc(KDF(KASME; NAS-enc-alg, Alg-ID))
• KNASint (128) = Trunc(KDF(KASME; NAS-int-alg, Alg-ID))
• KeNB (256) = KDF(KASME; NAS UPLINK COUNT)
• NH (256) = KDF(KASME; KeNB for the first NH, the previous NH afterwards)

eNB:
• KeNB* (256) = KDF(KeNB or NH; Physical cell ID, EARFCN-DL), which becomes the KeNB of the target cell at handover
• KRRCenc (128) = Trunc(KDF(KeNB; RRC-enc-alg, Alg-ID))
• KRRCint (128) = Trunc(KDF(KeNB; RRC-int-alg, Alg-ID))
• KUPenc (128) = Trunc(KDF(KeNB; UP-enc-alg, Alg-ID))
• KUPint (128) = Trunc(KDF(KeNB; UP-int-alg, Alg-ID))
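The derivation chain of this slide carried through in code, as an added example that is not 3GPP's own. It uses the 33.220 KDF; the FC values, parameter encodings and the 256-to-128-bit truncation are those of 33.401 Annex A as the author of this example reads them (A.3 KeNB with FC 0x11, A.4 NH with FC 0x12, A.5 KeNB* with FC 0x13, A.7 algorithm keys with FC 0x15, a 2-byte EARFCN-DL), so check them against the release you implement before relying on them for interoperability. KASME, NAS COUNT, cell identifiers and algorithm choices are constructed inputs. The handover function goes slightly beyond the figure in contrasting a horizontal key change (KeNB* from the current KeNB, which anyone holding KeNB can compute) with a vertical one (KeNB* from a fresh NH, which needs KASME and therefore the MME and UE).

```python
"""EPS key hierarchy, network side, with the 33.220 KDF (added example)."""
import hashlib
import hmac

# Algorithm type distinguishers (33.401 A.7) and the algorithm identities used as Alg-ID
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC, UP_INT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06
NULL, SNOW3G, AES, ZUC = 0, 1, 2, 3          # EEA0/EIA0, 128-EEA1/EIA1, 128-EEA2/EIA2, 128-EEA3/EIA3


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """33.220 KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), 256-bit output."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """Trunc(KDF(parent; alg type, Alg-ID)): the 128 least significant bits (A.7, FC 0x15)."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_kenb(kasme: bytes, nas_uplink_count: int) -> bytes:
    """KeNB = KDF(KASME; NAS UPLINK COUNT) (A.3, FC 0x11)."""
    return kdf(kasme, 0x11, nas_uplink_count.to_bytes(4, "big"))


def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """NH = KDF(KASME; SYNC-input): KeNB for the first NH, the previous NH afterwards (A.4, FC 0x12)."""
    return kdf(kasme, 0x12, sync_input)


def derive_kenb_star(parent: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* = KDF(KeNB or NH; Physical cell ID, EARFCN-DL) (A.5, FC 0x13; 2-byte EARFCN assumed)."""
    return kdf(parent, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def mme_keys(kasme, nas_uplink_count, nas_enc=AES, nas_int=AES):
    """What the MME derives: the NAS keys and the initial KeNB sent in S1AP Initial Context Setup."""
    return {"KNASenc": alg_key(kasme, NAS_ENC, nas_enc),
            "KNASint": alg_key(kasme, NAS_INT, nas_int),
            "KeNB": derive_kenb(kasme, nas_uplink_count)}


def enb_keys(kenb, rrc_enc=AES, rrc_int=AES, up_enc=AES, up_int=None):
    """What the eNB derives from KeNB; KUPint is only derived where user plane integrity is used (relay nodes)."""
    keys = {"KRRCenc": alg_key(kenb, RRC_ENC, rrc_enc),
            "KRRCint": alg_key(kenb, RRC_INT, rrc_int),
            "KUPenc": alg_key(kenb, UP_ENC, up_enc)}
    if up_int is not None:
        keys["KUPint"] = alg_key(kenb, UP_INT, up_int)
    return keys


def handover(kasme, kenb, nh_prev, pci, earfcn_dl, vertical):
    """Key change at handover, returning (target KeNB, NH now in use).
    nh_prev is the last NH the MME computed (the initial KeNB before any NH exists).
    Horizontal: KeNB* from the current KeNB. Vertical: KeNB* from a fresh NH."""
    if vertical:
        nh = derive_nh(kasme, nh_prev)
        return derive_kenb_star(nh, pci, earfcn_dl), nh
    return derive_kenb_star(kenb, pci, earfcn_dl), nh_prev


if __name__ == "__main__":
    kasme = bytes(range(32))                      # constructed KASME
    m = mme_keys(kasme, nas_uplink_count=7)
    e = enb_keys(m["KeNB"])
    for name, value in {**m, **e}.items():
        print(f"{name:8s} {value.hex()}")
```

Deriving each algorithm key from the algorithm identity is what makes an algorithm change a key change as well: selecting a different EEA/EIA in a Security Mode Command yields a different key from the same parent, so keystream for one algorithm is never reused under another.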


Lawful Interception


Lawful Interception in 3GPP

[Figure: the lawful interception process in 3GPP (Interception, Retrieval, Storage, Analysis, Handover) and the constraints around it (Cost, Legal, Political, Business Relations)]


Lawful Interception in EPS

Context and mechanisms similar to the case of UMTS PS

• Different core entities act as ICEs (Intercepting Control Elements)

• ADMF handles requests from Law Enforcement Authorities
  • target identity: IMSI, MSISDN or IMEI

• X1 interface provisions ICEs and Delivery Functions

• X2 delivers IRI (Intercept Related Information)

• X3 delivers CC (Content of Communication)

• HI1, HI2, HI3: Handover Interfaces with law enforcement
  • convey requests for interception of targets (HI1)
  • deliver IRI (HI2) and CC (HI3) to LEAs


EPS LI Architecture

[Figure: the EPS reference architecture (UE, E-UTRAN, MME, Serving Gateway, PDN Gateway, HSS, PCRF, SGSN, UTRAN, GERAN, Operator's IP Services such as IMS and PSS; reference points LTE-Uu, S1-MME, S1-U, S3, S4, S6a, S10, S11, S12, Gx, Rx, SGi) overlaid with the LI functions: the ADMF provisions the intercepting core entities over X1_1, Delivery Function 2 over X1_2 and Delivery Function 3 over X1_3; the intercepting entities send IRI over X2 to Delivery Function 2 and CC over X3 to Delivery Function 3; a Mediation Function in the ADMF, in Delivery Function 2 and in Delivery Function 3 delivers to the LEMF over HI1, HI2 and HI3 respectively]


Backhaul Security


Backhaul Security

Base stations becoming more powerful
• LTE eNode B includes functions of NodeB and RNC

Coverage needs grow constantly

Infrastructure sharing

Not always possible to trust physical security of eNB

Greater backhaul link protection necessary


Certificate Enrollment for Base Stations

[Figure: base station, RA/CA and SEG, with the credentials each holds before enrollment]

• Base station: vendor-signed certificate of the base station public key pre-installed
• RA/CA: vendor root certificate pre-installed, so it can verify the base station's initial request
• SEG: operator root certificate pre-installed
• Enrollment: the base station obtains an operator-signed certificate on its own public key from the RA/CA using CMPv2
• Use: the enrolled base station certificate is used in IKE/IPsec towards the SEG

Picture from 3GPP TS 33.310


Relay Node Security


Relay Node Authentication

Mutual authentication between Relay Node and network
• AKA used (RN attach)
• credentials stored on UICC

Binding of Relay Node and USIM:
• based on symmetric pre-shared keys, or
• based on certificates

[Figure: UE – radio – Relay Node – radio – Donor eNB – backhaul – Core NW]


Relay Node Security

Control plane traffic integrity protected

User plane traffic optionally integrity protected

Relay Node and network connection confidentiality protected

Device integrity check

Secure environment for storing and processing sensitive data


Conclusions

LTE Security: building on GSM and UMTS Security

Newer security algorithms, longer keys

Extended key hierarchy

New features, addressing new scenarios

• Backhaul Security

• Relay Node Security


Thank You!

More information about 3GPP: www.3gpp.org


Backup: Selection of 3GPP Security Standards

LTE Security:
• 33.401 System Architecture Evolution (SAE); Security architecture
• 33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP accesses

Lawful Interception:
• 33.106 Lawful interception requirements
• 33.107 Lawful interception architecture and functions
• 33.108 Handover interface for Lawful Interception

Key Derivation Function:
• 33.220 GAA: Generic Bootstrapping Architecture (GBA)

Backhaul Security:
• 33.310 Network Domain Security (NDS); Authentication Framework (AF)

Relay Node Security:
• 33.816 Feasibility study on LTE relay node security (also 33.401)

Home (e)Node B Security:
• 33.320 Home (evolved) Node B Security