SAE security

  • 8/11/2019 SAE security

    1/37

    3GPP SAE/LTE Security

    Anand R. Prasad

    NEC Corporation

    NIKSUN WWSMC, 26 July, 2011, Princeton, NJ, USA
    MI M11-0043

    Disclaimer: This presentation gives views/opinion of the speaker and not necessarily that of NEC Corporation.

    NEC Corporation 2009 Page 2 NEC Confidential

    Outline

    - Background on how this thing came into being: Next Generation Mobile Networks (NGMN) and Third Generation Partnership Project (3GPP)
    - Brief overview of Evolved Packet System (EPS), i.e., SAE/LTE
    - Security in EPS:
      - Requirements
      - Security per network elements and protocol layers
      - Key hierarchy
      - Authentication and key agreement
      - Mobility
    - Today and Tomorrow including current security activities in Global ICT Standardisation Forum for India (GISFI)

    For abbreviations check Slide 34

    Towards NGMN

    Next Generation Mobile Network (NGMN): A project by mobile operators with the objective to establish recommendations, requirements and scenario for future mobile broadband networks

    NGMN Architecture

    3GPP Basic Architecture

    [Figure: architecture diagram; recoverable labels: SAE (or EPC), LTE (or E-UTRAN)]

    3GPP Overview

    PCG (Project Coordination Group)

    - RAN Plenary (Radio Access Network)
      - RAN WG1 (Layer 1)
      - RAN WG2 (Layer 2/3)
      - RAN WG3 (RAN to wired)
      - RAN WG4 (Performance)
      - RAN WG5 (UE conformance test)
    - SA Plenary (Service & Systems Aspect)
      - SA WG1 (Requirement)
      - SA WG2 (Architecture)
      - SA WG3 (Security)
      - SA WG4 (Codec)
      - SA WG5 (Management)
    - CT Plenary (Core Network & Terminal)
      - CT WG1 (UE/Core NW Layer 3)
      - CT WG3 (Interworking external)
      - CT WG4 (Core NW protocol)
      - CT WG5 (Open Service Access)
      - CT WG6 (SIM)

    This is how it works

    - Third Generation Partnership Project (3GPP) develops specification standardized by organizational partners (OPs)
    - OPs follow their government / regulatory mandate
    - OPs participate in the project coordination group (PCG)
    - Individual members are member of at least one of the OPs and provide input to the technical specification group (TSG)
    - Result of TSG is a TR or TS that forms standards by OPs
    - 3GPP also takes input from ITU and uses its guideline
    - Resulting specification from 3GPP TSG is taken to ITU by individual members as specification

    Evolved Packet System (EPS)

    Overview and Security

    - EPS is also known as System Architecture Evolution (SAE) / Long Term Evolution (LTE)
    - SAE is also known as Evolved Packet Core (EPC)
    - LTE is also known as Evolved UTRAN

    Basic Requirements

    - Continued usage of current USIM, i.e., there should not be any change in USIM for accessing EPS network. The USIM that is used in UMTS networks should be thus reusable.
    - Security should be at least of the same level or better than that compared to UMTS.

    Security Requirements

    [Figure: network diagram; recoverable labels: UE, eNodeB, MME, SGW, O&M; interfaces Uu, S1-U, S1-MME, S11, X2]

    Network Elements and Security Functions

    [Figure: network diagram; recoverable labels: UE, eNodeB, MME, SGW, HSS (AuC, HLR, EIR, DNS); interfaces Uu, S1-U, S1-MME, S11, S6a]

    Protocol Layers and Security Functions

    Key Hierarchy

    [Figure: key hierarchy diagram; recoverable labels: AKA; CK, IK]

    Key separation depending on purpose

    EPS Terminal Start-up and Security

    [Figure: start-up sequence with numbered steps (1) to (6); recoverable labels: Uu, S1-U, S11, (3) AKA]

    Authentication and Key Agreement (AKA)

    [Figure: AKA message sequence with numbered steps 1 to 7; step text not recoverable]

    Network and UE are authenticated to each other. The top-level key (Kasme) is created.

    SMC: NAS Algorithm Selection

    [Message sequence chart between UE, eNB and MME]

    - NAS integrity protection start
    - NAS Security Mode Command (eKSI, UE sec capabilities, ENEA, ENIA, [IMEI request,] [NONCEue, NONCEmme,] NAS-MAC)
    - NAS Security Mode Complete ([IMEI,] NAS-MAC)
    - Configured with list of NAS confidentiality and integrity algorithms that can be used and with priority
    - Choose highest priority algorithms
    - Verify NAS SMC integrity. If successful, start ciphering/deciphering and integrity protection and send NAS Security Mode Complete.
    - NAS de-ciphering/ciphering start
    - Integrity protected with the new algorithm if there was change in algorithm

    Algorithm is chosen for NAS and NAS keys are generated. NAS security starts.

    SMC: AS Algorithm Selection

    [Message sequence chart between UE, eNB and MME]

    - UE AS security context setup
    - UE capabilities, eKSI
    - RRC/UP integrity protection start
    - AS Security Mode Command, RRC-integrity protected (Integrity algo, ciphering algo, MAC-I)
    - AS Security Mode Complete (MAC-I)
    - Configured with list of AS confidentiality and integrity algorithms that can be used and with priority
    - Choose highest priority algorithms
    - Verify AS SMC integrity. If successful, start RRC/UP integrity protection, downlink deciphering, and send AS Security Mode Complete.
    - RRC/UP ciphering start
    - RRC/UP de-ciphering start
    - RRC/UP ciphering start

    UE security capabilities is sent to MME during connection establishment together with START value. This is informed back to UE integrity protected. UE responds back with the same thing again integrity protected. All in NAS.

    Algorithm is chosen for AS & AS keys are generated. AS security starts.
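
    Added example (not from the original slides): the priority-based selection and the integrity-protected replay of UE security capabilities described on the NAS and AS Security Mode Command slides, modelled for the NAS case. The algorithm names, priority lists and key are constructed sample values, and a truncated HMAC-SHA-256 stands in for the NAS-MAC computation.

```python
import hashlib
import hmac
import json

def nas_mac(k_nas_int: bytes, body: dict) -> bytes:
    """Stand-in for NAS-MAC: truncated HMAC-SHA-256 (assumption, not an EIA algorithm)."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]

def choose(priority: list, ue_caps: list) -> str:
    """Highest-priority configured algorithm that the UE also reports."""
    for alg in priority:
        if alg in ue_caps:
            return alg
    raise ValueError("no algorithm in common")

def build_smc(k_nas_int, eksi, caps_received, enc_priority, int_priority):
    """Network side: select algorithms and replay the capabilities as received."""
    body = {
        "eKSI": eksi,
        "ue_sec_caps": sorted(caps_received),
        "enc_alg": choose(enc_priority, caps_received),
        "int_alg": choose(int_priority, caps_received),
    }
    return body, nas_mac(k_nas_int, body)

def ue_check_smc(k_nas_int, own_caps, body, mac) -> str:
    """UE side: verify the MAC, then compare replayed capabilities with its own."""
    if not hmac.compare_digest(mac, nas_mac(k_nas_int, body)):
        return "reject: NAS-MAC failure"
    if body["ue_sec_caps"] != sorted(own_caps):
        return "reject: capabilities mismatch"
    return "accept"

# Constructed sample data (hypothetical key, capability set and priorities).
K_NAS_INT = bytes(16)
UE_CAPS = ["EEA0", "EEA1", "EEA2", "EIA1", "EIA2"]
ENC_PRIORITY = ["EEA2", "EEA1", "EEA0"]
INT_PRIORITY = ["EIA2", "EIA1"]

def run(caps_seen_by_network):
    """One SMC round: returns (ciphering alg, integrity alg, UE verdict)."""
    body, mac = build_smc(K_NAS_INT, 1, caps_seen_by_network, ENC_PRIORITY, INT_PRIORITY)
    return body["enc_alg"], body["int_alg"], ue_check_smc(K_NAS_INT, UE_CAPS, body, mac)

if __name__ == "__main__":
    print(run(UE_CAPS))           # capabilities arrive unmodified
    print(run(["EEA0", "EIA1"]))  # capabilities altered before the network saw them
```

    The second run shows why the capabilities are echoed under integrity protection: the UE refuses a Security Mode Command whose replayed capability list differs from what it sent.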

    Mobility in EPS

    [Figure: mobility scenarios; recoverable labels: SGSN, MME, eNodeB, NodeB, RNC, Cell 1, Cell 2; interfaces S1-MME, X2, S10, S3]

    Handover and Key Handling

    [Figure: key chaining on handover; recoverable labels: KASME, KeNB, KeNB*, NH, KDF, NCC = 0 to 3, PCI, EARFCN-DL]

    KDF: Key Derivation Function
    NH: Next Hop
    NCC: Next hop Chaining Counter
    PCI: Physical Cell Identity

    Detail of key derivation and handling on handover
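
    Added example (not from the original slides): the NH/NCC key chaining named on this slide, sketched in Python for both the UE and the network side. It assumes the derivation inputs of 3GPP TS 33.401 Annex A (HMAC-SHA-256 KDF, FC values 0x11, 0x12 and 0x13, 2-byte PCI and EARFCN-DL), which the slide does not spell out; the key material is constructed and NCC wrap-around is ignored.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 (lengths are 2 bytes)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kenb(kasme: bytes, ul_nas_count: int) -> bytes:
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))

def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    return kdf(kasme, 0x12, sync_input)

def derive_kenb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    return kdf(base, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

class KeyChain:
    """Key state kept in step by the UE and by the network side."""

    def __init__(self, kasme: bytes, ul_nas_count: int = 0):
        self.kasme = kasme
        self.kenb = derive_kenb(kasme, ul_nas_count)  # initial K_eNB, NCC = 0
        self.ncc = 0
        self.nh = self.kenb  # seed for the first NH derivation

    def handover(self, ncc: int, pci: int, earfcn_dl: int) -> bytes:
        """Return K_eNB* for the target cell, given the NCC signalled for it."""
        if ncc > self.ncc:
            # Vertical derivation: step the NH chain up to the signalled NCC.
            while self.ncc < ncc:
                self.nh = derive_nh(self.kasme, self.nh)
                self.ncc += 1
            base = self.nh
        else:
            # Horizontal derivation: chain from the K_eNB currently in use.
            base = self.kenb
        self.kenb = derive_kenb_star(base, pci, earfcn_dl)
        return self.kenb

def demo():
    kasme = bytes(range(32))  # constructed K_ASME, not a real key
    ue, net = KeyChain(kasme), KeyChain(kasme)
    horizontal = (ue.handover(0, 101, 1850), net.handover(0, 101, 1850))
    vertical = (ue.handover(2, 202, 1850), net.handover(2, 202, 1850))
    # What the previous eNB could compute on its own (it never holds K_ASME):
    old_enb_guess = derive_kenb_star(horizontal[0], 202, 1850)
    return horizontal, vertical, old_enb_guess

if __name__ == "__main__":
    h, v, guess = demo()
    print("UE and network agree:", h[0] == h[1], v[0] == v[1])
    print("previous eNB can predict vertical key:", guess == v[0])
```

    A key derived from a fresh NH cannot be computed from the previous K_eNB alone, which is what limits the reach of a compromised base station to the next horizontal hop.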

    Inter-Technology Handover for EPS

    [Figure: handover between UMTS (NodeB) and EPS (eNodeB); caption: Derive keys in serving network for the target network and in UE based on current keys before handover]

    - The idea here is to derive keys both ways from the existing context and do AKA at the earliest possible especially in E-UTRAN
    - The keys are named as follows:
      - Mapped context is the one derived from other RAT keys
      - Current context is the context being used
      - Native context is the context of E-UTRAN
    - On handover to E-UTRAN mapped context is used although it is recommended that native context should be used as it is considered stronger

    Today to Tomorrow

    Protection against Unsolicited Communication in IMS (PUCI)

    - Accounting & Charging server
    - IMS application Server
    - Bots, virus etc.

    Threats

    - Data confidentiality
    - Fraud Activities
    - Phishing
    - Denial of Service
    - Bandwidth Availability
    - Productivity Loss
    - Call Quality Degradation
    - Unauthorized Access
    - Eavesdropping
    - SPIT
    - Customer Satisfaction
    - Authentication
    - Re-Routing
    - Caller ID Spoofing

    There are several VoIP threats that can lead to SPIT

    Can lead to SPIT

    Protection against Unsolicited Communication in IMS (PUCI)

    - Identification (check with automatic means and static operator/user settings)
    - Marking (indicate the likelihood of UC through marking)
    - Result
    - Reacting (check threshold level and take action, e.g. re-route, voice mailbox, further test etc.)
    - Marking level
    - Further test
    - Other (based on user or operator policy communication is sent to a given network element for action.)
    - Marking or no marking
    - Destination UE (user takes action based on marking and sender ID if available)
    - Source device

    Challenge

    Solve it with Identify, Mark and React

    3GPP TR 33.937 available. Further work on-going under SPUCI work-item.

    Machine to Machine Communication

    - Known as Machine Type Communication (MTC)
    - Scenarios are, for example, smart metering or healthcare
    - Issues can be from the point of access control to attack on the device itself
    - The biggest problem will be the huge number of devices trying to connect to the mobile network and thus overwhelming the network due to high traffic volume

    GISFI Security Activities

    - The security activity in Global ICT Standardisation Forum for India (GISFI) provides solution for all the activities being carried out by the standardization forum
    - Security SIG also provides input to Indian government
    - The activity is still at its early stage, some of the topics covered are:
      - Cyber security and children
      - Cloud security
      - Internet-of-Things (starting from machine-to-machine, M2M, communication)

    What is happening today and where will it lead to?

    Some observations of today:

    - Average age of knowledge generation is decreasing with time; data and information is readily available
    - World is slowly but steadily moving towards similar level of life globally; impact on age of population and education level
    - Reachability is at 24 / 7
    - Need for convenience is increasing
    - Computing, telecommunications and networking has converged, if not, the trend has only become faster
    - Openness, free and shared are key words
    - Technology enhancement is moving at a faster pace:
      - Wireless data-rate is catching up with wired
      - Computing power is high and increasing while becoming available to all
    - Human society is maturing
    - Business models are changing very fast: 10 to 2 years to 6 months and now 3 months
    - Operators business: conventional, data only, take a ride

    Thoughts: Security?

    - Potentially faster cycle for algorithm development
    - Need of increased awareness and concern of privacy and security
    - Necessity of ever more system security consideration
      - Top-to-bottom
      - End-to-end
    - Better privacy control mechanisms
    - Choice of level of security
    - Fast threat analysis together with proper understanding of risk and input to security solution

    Conclusions

    ...the book

    Security in Next Generation Mobile Networks: SAE/LTE and WiMAX
    Authors: Anand R. Prasad and Seung-Woo Seo
    Publisher: River Publishers
    Available: August 2011
    ISBN: 978-87-92329-63-9

    Table of Contents:

    1. Introduction to NGMN
    2. Security Overview
    3. Standardization: 3GPP, IEEE 802.16 and WiMAX
    4. SAE/LTE Security
    5. Security in IEEE 802.16e / WiMAX
    6. Security for Other Systems: MBMS, M2M, Femto

    Contact:

    Abbreviations

    Security Overview

    [Figure: security architecture diagram; strata: Application stratum (User Application, Provider Application), Home stratum / Serving stratum, Transport stratum; elements: ME, USIM, AN, SN, HE; arrows labelled (I) to (IV)]

    - Network access security (I)
    - Network domain security (II)
    - User domain security (III)
    - Application domain security (IV)
    - Visibility and configurability of security (V)

    Other Security Aspects

    Network domain control plane protection

    Protection of IP based control plane will be done using 33.210. If the interfaces are trusted then such protection is not required. Thus for S1-MME and X2-C:

    - Implement IPsec ESP [RFC 4303 and TS 33.210]
    - IKEv2 certificate based authentication [TS 33.310]
    - Tunnel mode IPsec mandatory on eNB while SEG can be used in core
    - Transport mode is optional

    Backhaul link user plane protection

    Protection of user plane will be done using 33.210. If the interfaces are trusted then such protection is not required. S1-U and X2-U:

    - IPsec ESP as in RFC 4303 and TS 33.210 with confidentiality, integrity and replay protection
    - IKEv2 certificate based authentication [TS 33.310]
    - Tunnel mode IPsec mandatory on eNB while SEG can be used in core
    - Transport mode is optional

    Management plane protection

    - Same as S1-U and X2-U
    - There is no management traffic over X2