8/4/2019 LTE Security Pres 1105 3GPP
http://slidepdf.com/reader/full/lte-security-pres-1105-3gpp 1/27
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011
3GPP LTE Security Aspects
Dionisio Zumerle, Technical Officer, 3GPP
ETSI
Contents
LTE security architecture
Security algorithms
Lawful Interception
Backhaul Security
Relay Node Security
LTE Security Architecture
LTE Security:
UMTS Security and LTE Architectural impact
UMTS security enhancements:
• Mutual authentication
• Integrity keys
• Public algorithms
• “Deeper” encryption
• Longer key length
LTE Architecture:
• Flat architecture
• Separation of control plane and user plane
• eNodeB instead of NodeB/RNC
• All-IP network
• Interworking with legacy and non-3GPP networks
Characteristics of LTE Security
• Re-use of UMTS Authentication and Key Agreement (AKA)
• Use of USIM required (GSM SIM excluded)
• Extended key hierarchy
• Possibility for longer keys
• Greater protection for backhaul
• Integrated interworking security for legacy and non-3GPP networks
AKA and signalling protection
[Figure: network diagram with UE, E-UTRAN, MME, HSS, SGSN, Serving Gateway, UTRAN and GERAN, and interfaces LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S10, S11, S12]
Confidentiality and integrity for signalling only (NAS)
Optional user plane protection (IPsec)
Confidentiality and integrity for signalling and confidentiality for user plane (RRC & NAS)
Authentication and Key Agreement
Participants: UE, eNB, MME, AuC
• NAS attach request (IMSI)
• AUTH data request (IMSI, SN_id)
• AUTH data response (AV={AUTN, XRES, RAND, Kasme})
• NAS auth request (AUTN, RAND, KSIasme)
• NAS auth response (RES)
• NAS SMC (confidentiality and integrity algo)
• NAS Security Mode Complete
• RRC SMC (confidentiality and integrity algo)
• RRC Security Mode Complete
• S1AP Initial Context Setup
Security Algorithms
LTE Security Algorithms
Currently two separate algorithms specified
• In addition to one NULL algorithm
Current key length 128 bits
• Possibility to extend to 256 in the future
Confidentiality protection of NAS/AS signalling recommended
Integrity protection of NAS/AS signalling mandatory
User data confidentiality protection recommended
Ciphering/Deciphering applied on PDCP and NAS
LTE Ciphering and Integrity mechanisms
[Figure, ciphering: sender and receiver each feed KEY, COUNT, BEARER, DIRECTION and LENGTH into EEA to obtain a KEYSTREAM BLOCK; the sender turns the PLAINTEXT BLOCK into the CIPHERTEXT BLOCK, the receiver turns the CIPHERTEXT BLOCK back into the PLAINTEXT BLOCK]
[Figure, integrity: the sender feeds KEY, COUNT, MESSAGE, DIRECTION and BEARER into EIA to obtain MAC-I/NAS-MAC; the receiver feeds the same inputs into EIA to obtain XMAC-I/XNAS-MAC]
128-EEA1/EIA1
Based on SNOW 3G
• stream cipher
• keystream produced by Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM)
As different from KASUMI as possible
• selected during UMTS security design
Allows for:
• low power consumption
• low gate count implementation in hardware
128-EEA2/EIA2
AES block cipher
• Counter (CTR) Mode for ciphering
• CMAC Mode for MAC-I creation (integrity)
As different from SNOW 3G as possible
• Cracking one would not affect the other
Reasons why KASUMI was not re-used:
• eNB already supports AES
• needs to support AES for NDS/IP
• Similarity with other non-3GPP accesses (e.g. 802.11i)
• Other
128-EEA3/EIA3
Based on Chinese ZUC
• stream cipher
Three-phase evaluation ongoing
• Public evaluation ongoing! http://zucalg.forumotion.net/
• 2nd International Workshop on ZUC: June 5-6 in Beijing http://www.3gpp.org/Call-for-Papers-Beijing-ZUC
Network-mandatory/network-optional to be decided
Deeper Key hierarchy in LTE
Faster handovers and key changes, independent of AKA
Added complexity in handling of security contexts
Security breaches local
[Figure: key hierarchy. Levels: USIM / AuC, UE / HSS, UE / ASME, UE / MME, UE / eNB. Keys: K; CK, IK; KASME; KNASenc, KNASint; KeNB; KUPenc, KUPint, KRRCenc, KRRCint]
Key Derivation
Key distribution and key derivation scheme for EPS (network side), found in 33.401
Key Derivation Function (KDF) specification can be found in 33.220
[Figure: key distribution and derivation on the network side. Entities: HSS, MME, eNB. Keys: CK, IK, KASME, KeNB, NH, KeNB*, KNASenc, KNASint, KRRCenc, KRRCint, KUPenc, KUPint. KDF inputs shown: SN id, SQN, AK; NAS UPLINK COUNT; Physical cell ID, EARFCN-DL; and the pairs NAS-enc-alg, NAS-int-alg, RRC-enc-alg, RRC-int-alg, UP-enc-alg, UP-int-alg with Alg-ID. KDF outputs are 256 bits; the NAS, RRC and UP keys pass through Trunc from 256 to 128 bits]
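Added example (not part of the presentation and not 3GPP code): the derivation chain of this slide in Python, with HMAC-SHA-256 as the KDF. The FC codes, distinguisher values and parameter encodings are assumptions recalled from TS 33.220 and TS 33.401 Annex A and should be checked against the specifications; all inputs are constructed, and one algorithm identity is used for both ciphering and integrity for brevity.

```python
import hashlib
import hmac

# FC codes and distinguisher values are assumptions recalled from TS 33.401 Annex A.
ALG_TYPE = {"NAS-enc-alg": 1, "NAS-int-alg": 2, "RRC-enc-alg": 3,
            "RRC-int-alg": 4, "UP-enc-alg": 5, "UP-int-alg": 6}

def kdf(key, fc, *params):
    """TS 33.220 style KDF: HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # Li is the 2-byte length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()  # 256-bit output

def k_asme(ck, ik, sn_id, sqn_xor_ak):
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)  # binds the key to the serving network

def k_enb(kasme, nas_uplink_count):
    return kdf(kasme, 0x11, nas_uplink_count.to_bytes(4, "big"))

def next_hop(kasme, sync_input):
    return kdf(kasme, 0x12, sync_input)  # NH; sync_input is KeNB or the previous NH

def k_enb_star(kenb_or_nh, pci, earfcn_dl):
    # Handover key bound to the target cell (2-byte EARFCN-DL encoding assumed).
    return kdf(kenb_or_nh, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

def alg_key(parent, alg_type, alg_id):
    full = kdf(parent, 0x15, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))
    return full[-16:]  # Trunc: keep the 128 least significant bits

def derive_hierarchy(ck, ik, sn_id, sqn_xor_ak, nas_count, nas_alg, as_alg):
    kasme = k_asme(ck, ik, sn_id, sqn_xor_ak)
    kenb = k_enb(kasme, nas_count)
    keys = {"KASME": kasme, "KeNB": kenb, "NH": next_hop(kasme, kenb)}
    for name, parent, alg_type, alg in [
            ("KNASenc", kasme, "NAS-enc-alg", nas_alg), ("KNASint", kasme, "NAS-int-alg", nas_alg),
            ("KRRCenc", kenb, "RRC-enc-alg", as_alg), ("KRRCint", kenb, "RRC-int-alg", as_alg),
            ("KUPenc", kenb, "UP-enc-alg", as_alg), ("KUPint", kenb, "UP-int-alg", as_alg)]:
        keys[name] = alg_key(parent, alg_type, alg)
    return keys

# Constructed sample inputs (not real subscriber material); algorithm identity 2 = 128-EEA2/EIA2.
CK, IK = bytes(range(16)), bytes(range(16, 32))
KEYS = derive_hierarchy(CK, IK, sn_id=bytes.fromhex("00f110"),
                        sqn_xor_ak=bytes.fromhex("0123456789ab"),
                        nas_count=0, nas_alg=2, as_alg=2)

if __name__ == "__main__":
    print({name: value.hex() for name, value in KEYS.items()})
```

Re-running with a different NAS uplink COUNT changes KeNB and every key below it while the NAS keys stay the same, which is the separation the deeper hierarchy is meant to give.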
Lawful Interception
Lawful Interception in 3GPP
[Figure labels: Interception, Storage, Analysis, Retrieval, Handover; Cost, Political, Legal, Business, Relations, process]
Lawful Interception in EPS
Context and mechanisms similar to case of UMTS PS
• Different core entities (ICE, Intercepting Control Elements)
• ADMF handles requests from Law Enforcement Authorities
• target identity: IMSI, MSISDN and IMEI
• X1 interface provisions ICEs and Delivery Functions
• X2 delivers IRI (Intercept Related Information)
• X3 delivers CC (Content of Communication)
HI1,2,3: Handover Interfaces with law enforcement
• Convey requests for interception of targets (HI1)
• Deliver IRI (HI2) and CC (HI3) to LEAs
EPS LI Architecture
[Figure: EPS network elements (UE, E-UTRAN, MME, HSS, SGSN, Serving Gateway, PDN Gateway, PCRF, UTRAN, GERAN, Operator's IP Services (e.g. IMS, PSS etc.)) together with the lawful interception functions ADMF, Mediation Functions, Delivery Function 2, Delivery Function 3 and LEMF; interfaces X1_1, X1_2, X1_3, X2, X3, HI1, HI2, HI3]
Backhaul Security
Backhaul Security
Base stations becoming more powerful
• LTE eNode B includes functions of NodeB and RNC
Coverage needs grow constantly
Infrastructure sharing
Not always possible to trust physical security of eNB
Greater backhaul link protection necessary
Certificate Enrollment for Base Stations
[Figure: base station, RA/CA and SEG, with links labelled CMPv2 and IPsec]
• Vendor-signed certificate of base station public key pre-installed.
• Vendor root certificate pre-installed.
• Operator root certificate pre-installed.
• Base station obtains operator-signed certificate on its own public key from RA/CA using CMPv2.
• Enrolled base station certificate is used in IKE/IPsec.
Picture from 3GPP TS 33.310
Relay Node Security
Relay Node Authentication
Mutual authentication between Relay Node and network
• AKA used (RN attach)
• credentials stored on UICC
Binding of Relay Node and USIM:
• Based on symmetric pre-shared keys, or
• Based on certificates
[Figure: UE, Relay, Donor eNB and Core NW, connected by links labelled Radio, Radio and Backhaul]
Relay Node Security
Control plane traffic integrity protected
User plane traffic optionally integrity protected
Relay Node and network connection confidentiality protected
Device integrity check
Secure environment for storing and processing sensitive data
Conclusions
LTE Security: building on GSM and UMTS Security
Newer security algorithms, longer keys
Extended key hierarchy
New features, addressing new scenarios
• Backhaul Security
• Relay Node Security
Thank You!
More information about 3GPP: www.3gpp.org
Backup:
Selection of 3GPP Security Standards
LTE Security:
33.401 System Architecture Evolution (SAE); Security architecture
33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP
Lawful Interception:
33.106 Lawful interception requirements
33.107 Lawful interception architecture and functions
33.108 Handover interface for Lawful Interception
Key Derivation Function:
33.220 GAA: Generic Bootstrapping Architecture (GBA)
Backhaul Security:
33.310 Network Domain Security (NDS); Authentication Framework (AF)
Relay Node Security:
33.816 Feasibility study on LTE relay node security (also 33.401)
Home (e) Node B Security:
33.320 Home (evolved) Node B Security