Security Architecture EPS

IEEE Communications Magazine • February 200984 0163-6804/09/$25.00 © 2009 IEEE

INTRODUCTION

The Third Generation Partnership Program(3GPP) Long Term Evolution/System Architec-ture Evolution (LTE/SAE) system seeks to takemobile technology to the next level through therealization of higher bandwidths, better spec-trum efficiency, wider coverage, and full inter-working with other access/backend systems.LTE/SAE proposes to do all this using an all-IParchitecture [1, 2] with well defined interworkingwith circuit-switched systems. In order to handlefuture requirements, the system is defined towork across multiple access networks (both3GPP-defined and non-3GPP-defined). 3GPPaccess networks include E-UTRAN, UTRAN,and GERAN [1, 3]. Non-3GPP access networksinclude both trusted and non-trusted networks(CDMA-2000, WiFi, etc.) [4] In this heteroge-neous framework, there is a greater risk ofunlawful accessing and tampering with informa-tion that travels between the various entities.Hence, security functions assume paramountimportance to ensure that the setup works asintended and is future proof [5].

The security mechanism in wireless systemshas evolved right from the original analog systemsthrough Global System for Mobile Communica-tions (GSM) and Universal Mobile Telecommu-nications System (UMTS). In GSM the focus ofsecurity was largely on the radio path. In UMTS

its scope was enhanced to include several networkfunctionalities too. The ever-increasing focus onIP-based mechanisms meant more threats tosecurity; hence, a more robust security architec-ture is needed in the evolved packet system(EPS). In EPS the 3G security framework hasbeen enhanced to handle the more diverse natureof the architecture and increase robustness. Theseenhancements include adding security (bothintegrity protection and ciphering) on the non-access stratum (NAS) plane, additional layers ofabstraction to protect important information likekeys, security inter-working between 3GPP andnon-3GPP networks, and so on. We look at thesein detail in later sections.

EPS ARCHITECTUREThe EPS architecture and protocols are given inFig. 1. The overall architecture has two distinctcomponents: the access network and the corenetwork. The access network is the evolved uni-versal terrestrial radio access network (E-UTRAN), based on orthogonalfrequency-division multiplexing (OFDM) andsingle-carrier frequency-division multiple access(SC-FDMA) technologies [6]. The core networkis called the evolved packet core (EPC); it is dif-ferent from the UMTS core network. E-UTRANand EPC together constitute the EPS.

Some of the highlights of the LTE and EPCarchitectures are listed below. For the UMTSarchitecture, refer to [7], and for the EPS archi-tecture, refer to [1, 2].

E-UTRANThe E-UTRAN consists of just one node, theeNode-B, which has the functionality of theNode-B and radio network controller (RNC) inUTRAN. The emphasis is on self-configurationand self-optimization of eNodeBs. The eNode-Btalks to the mobility management entity (MME)on the signaling plane and directly to the servinggateway (S-GW) on the data plane The eNode-Bhosts the physical (PHY), medium access control(MAC), radio link control (RLC), PDCP, andRRC layers. The access stratum (AS) securitymechanism consists of ciphering and integrityprotection of RRC signaling messages andciphering of user plane (UP) packets. The baseAS security keys are generated using the NASauthentication and key agreement (AKA) proce-

ABSTRACT

The 3GPP Release 8 Long Term Evolution/Sys-tem Architecture Evolution marks the advance-ment of mobile cellular technology afterUMTS-3G. The evolved packet system (EPS)architecture proposed in Release 8 introducesfundamental changes on top of UMTS in severaldesign areas, including security. This article pro-vides a tutorial overview of the proposed securi-ty mechanism in EPS. It first gives thebackground, a brief overview of the overall EPSarchitecture. It goes on to list the variousrequirements to be met for EPS security. Adescription of the EPS security architecture anddetailed security procedures are given subse-quently. The innovations that have been intro-duced in EPS, on top of UMTS, are highlightedall through the article. The article concludes bylisting some open security issues at the moment.

LTE — 3GPP RELEASE 8

Sankaran C. B., Motorola

Network Access Security in Next-Generation 3GPP Systems: A Tutorial

SANKARAN LAYOUT 1/19/09 2:49 PM Page 84

Authorized licensed use limited to: Qualcomm. Downloaded on September 2, 2009 at 19:33 from IEEE Xplore. Restrictions apply.

IEEE Communications Magazine • February 2009 85

dure. The configuration and activation of AS-level security is done through the AS securitymode command (SMC) procedure. The lifetimeof an AS security context is tied to the RRCconnection; the keys are generated when the UEmoves to connected mode and deleted when theUE goes to idle mode.

EPCThe EPC is an all-IP network (AIPN) and isfully packet-switched (PS). Services like voice,which are traditionally circuit-switched (CS), willbe handled using the IP multimedia subsystem(IMS) network. Network complexity and latency

are reduced as there are fewer hops in both thesignaling and data planes. The EPC is designedto support non-3GPP access networks too. A rel-evant point is that the EPC supports mobile IP.To improve system robustness security, integrityprotection, and ciphering have been added atthe NAS level also, on top of the security thatexists in the access network. Both integrity pro-tection and ciphering will be applicable to allNAS signaling. This would ensure that even ifthere is a security breach at one level, the otherone can ensure that there is no compromise inoverall security. The other factor is that the EPCwill be in a more controlled environment than

nn

Figure 1. EPS architecture, signaling, and user plane protocols.

NAS

PDCP PDCP SCTPRRC S1-AP

L1 L1

IP

L2

L1

Application

IP

RLC

PDCP

RLC

MAC

L1

PDCP

UDP/IP

Relay

L2

L1

GTP-U

UDP/IP

L2

L1

GTP-U

UDP/IP

Relay

eNode-B Serving GW

L2

L1

GTP-U

MAC

L1

IP

UDP/IP

GTP-U

L2

L1

PDN GWUE

UE MMELTE-Uu

RLCMAC

RRC

IMS

Trusted non-3GPP access

Untrusted non-3GPP access

Um

Gb

Iu

S1-U

S1-MME

Evolved packet core

S3

S6a

S11

Uu

LTE-Uu

SGSN

MME ServingGW

e-PDG

HSS

UMTScore network

GERAN

UTRAN

E-UTRANS5

NAS

L1

RLCMAC

Relay

eNode-B

LTE-Uu S1-U S5/S8 SGi

S1-MME

PDNGW

IP

L2

S1-AP

SCTP

In GSM, the focus of

security was largely

on the radio path.

In UMTS, its scope

was enhanced to

include several

network functionali-

ties too. The ever-

increasing focus on

IP based mechanisms

meant more threats

to security and

hence, a more

robust security

architecture is

needed in EPS.



IEEE Communications Magazine • February 200986

the access network; hence, security at this levelbecomes a must.

The major EPC elements are:• Mobility management entityThe MME is

equivalent to the GERAN/UTRAN servinggeneral packet radio service support node(SGSN), and hosts the NAS plane in EPSand interfaces with the home subscriberserver (HSS, S6a) to enable the transfer ofsubscription and authentication data forauthenticating/authorizing user access. Itterminates the NAS level security.

• Serving gateway and packet data networkgateway: The S-GW handles the IP datafrom eNode-Bs directly and terminates theinterface towards E-UTRAN. The packetdata network gateway (PDN-GW) providesthe interface to the PDN.

MAJOR SECURITY THREATS ANDREQUIREMENTS IN LTE/SAE

Some of the key security threats in EPS are:• Illegal access and usage of the user’s and

mobile equipment’s (ME’)s identities — toaccess network services

• Tracking the user based on the user equip-ment’s (UE’s) temporary identity, signalingmessages, and so on

• Illegal access and usage of the keys used insecurity procedures to access network ser-vices

• Malicious modification of UE parameters(e.g., failure timers, retry timers) to lockout the phone from normal services eitherpermanently or for an extended period oftime

• Willful tampering with the system informa-tion broadcast by the E-UTRAN

• Eavesdropping and illegal modification ofIP packet contents

• Denial of service to the UE• Attacks on the integrity of data (signaling or

user traffic) by replaying

The key requirements could be summarizedas:• Improved overall security robustness over

UMTS — to take care of the added/newfunctionality and the use cases thereof, andwork in a secure environment

• User identity confidentiality — to ensurethat any illegal identification and trackingof any user is not possible

• Mutual authentication of the user and net-work — to ensure that both sides are surethey are communicating with the correctentity, authorized to make that transaction

• Data confidentiality — to ensure that anyeavesdropping of exchanged data is notpossible

• Data integrity — to ensure that datareceived by any entity cannot be tamperedwith

• Interworking with GERAN/UTRAN — toensure that inter-radio access technology(RAT) procedures work as designed with-out allowing any security weakness of theother access technologies to compromiseLTE/SAE security

• Replay protection — to ensure that anintruder is not able to replay control mes-sages already transmitted

• Allowing/requiring dynamic setup of allrespected security association as much aspossibleThese are generic high-level requirements

that are applicable across multiple entities andinterfaces in the LTE/SAE architecture. Thespecific implementation of the same requirementcould be different across these different entities.We look at the detailed architecture below,where we see how these requirements are met.

SECURITY ARCHITECTURE FOR EPSThere are four levels of security defined in thespecifications. These are:• Network access security (level I): These are

security features that protect the radio link

n Table 1. Summary of LTE security functions and procedures.

Key requirement Level I Level II Level III

Improve overall robustnessover UMTS

Add NAS security, keys and identities are betterprotected, security association alive through idle

Support IPSecAdd NAS security Same as UMTS

User identity confidentiality Usage of temporary identities Support IPSec Secure storageof IMSI

Mutual authentication ofuser and network AKA procedure N/A N/A

Data confidentiality Ciphering at the AS (both signaling and data)and NAS levels (signaling only)

Support IPSecNAS ciphering(signaling only) N/A

Data integrity Integrity protection at the AS and NAS levels Support IPSecNAS integrity protection N/A

Interworking withGERAN/UTRAN

The specs have defined the gracious handling ofsecurity in all the inter-RAT mobility scenarios

The specs have defined the gra-cious handling of security in allthe inter-RAT mobility scenarios

N/A




and provide users with secure access to theEPC and the backend networks. This levelhas security mechanisms between theUSIM, ME, E-UTRAN, and elements inthe EPC (both serving and home networks).The integrity protection and cipheringdefined in EPC are examples.

• Network domain security (level II): Theseare security features that protect the wire-line networks and enable them to exchangedata in a safe manner. This could be, forexample, the IPSec used to protect the S1control plane.

• User domain security (level III): Here thescope is between the USIM and the ME. Itwould include the mutual authentication ofthe USIM and the ME before they canaccess each other, using a secret PIN.

• Application domain security (level IV): Thesecurity features that enable applications inthe UE and the backend network toexchange information in a secure manner.For example, the IMS architecture providesthe framework for this level of security forvoice over IP (VoIP).In Table 1 the different security features and

procedures that implement these requirementsat each level are summarized. EPS uses the fol-lowing procedures and mechanisms as effectivecounter-measures at levels I, II, and III:• Usage of temporary user identities: Mandat-

ing AKA-based mutual authentication dur-ing initial attach and as needed beforeallowing a user to access the network

• Use encryption/ciphering to safeguard thecontent of user data and signaling messages

• Guarantee signaling messages’ integrityusing an applicable integrity protectionmechanism

• Dynamic key distribution and managementin a secure manner using a keying hierarchybased on a preshared master key

• For IP transport (within the network), IPSecwith IKE is used for effective protection

Level IV security is out of scope of this article.

KEY MANAGEMENTThe various keys play a critical role in the work-ing of the overall security mechanism. Their life-times, scope, hierarchy, and properties areclearly defined in the 3GPP Release 8 specifica-tions [8], right from the master key down to thevarious temporary keys. The E-UTRAN keys arecryptographically separated from the EPC keysused, making it impossible to figure out onefrom the other. Figure 2 shows the keys’ hierar-chy and the levels where they are relevant.

The various keys are derived using the KeyDerivation Function (KDF) interface defined in[8]. While the inputs are different for the variouskeys, they are concatenated into a common for-mat S, which is then input to the respective algo-rithm:• KeNB is a key derived by UE and MME

from KASME when the UE goes to con-nected state or by UE and target eNode-Bduring eNode-B handover.

• KNASint is a key used to protect NAS traf-fic with a particular integrity algorithm. It is

derived by the UE and MME from KASMEand an identifier for the integrity algorithm,using the KDF.

• KNASenc is a key used to protect NAS traf-fic with a particular encryption algorithm. Itis derived by UE and MME from KASMEand an identifier for the encryption algo-rithm, using the KDF.

• KUPenc is a key used to protect UP trafficwith a particular encryption algorithm. It isderived by UE and eNode-B from KeNB,and an identifier for the encryption algo-rithm, using the KDF.

• KRRCint is a key to protect RRC trafficwith a particular integrity algorithm. It isderived by UE and eNode-B from KeNBand an identifier for the integrity algorithm,using the KDF.

• KRRCenc is a key used to protect RRCtraffic with a particular encryption algo-rithm. It is derived by UE and eNB fromKeNB and an identifier for the encryptionalgorithm, using the KDF.

SECURITY ROBUSTNESSIMPROVEMENT OVER UMTS

The EPC is designed to handle multiple accessand backend networks. This means use casessuch as eNode-B, where the access networkcould be unreliable. Also, since all traffic wouldbe wholly IP-based, there is an increased risk ofsecurity breach. The major improvement overUMTS is the addition of security functions atthe NAS level (between the UE and the MME),on top of the existing ones at the AS level. Aseparate security sublayer is introduced fordoing this and is positioned in between E-MMand RRC in the protocol stack. This sublayerwould cipher and integrity protect NAS signalingmessages. This would mean that all the NAS sig-naling (with the exception of a few 3GPP definedmessages) would be ciphered and integrity pro-tected twice — once in the NAS security sublay-er and once within AS. This adds to the overall

nn

Figure 2. EPS key hierarchy.

KUSIM / AuC

UE / HSS

UE / ASME

UE / MME

UE / eNB

CK, IK

KASME

KNASenc KNASint

KUPenc KRRCencKRRCint

KeNB




robustness of the architecture; even if one fails,there will be protection from the other.

On the network side, the protection of IP-based internetwork interfaces in EPC and E-UTRAN shall be done using IPSec. This is donefor both the signaling and user data planes.

One more improvement is that during theAKA procedure, the ciphering and integrity keys(Ck and Ik) are computed by the HSS in theuser’s home public land mobile network(HPLMN) when the serving network (SN)queries for the same. While in UMTS these keysare actually communicated back to the SN, it isnot so in EPC. Instead, another key, KASME, iscomputed by the HSS and sent back to the SN.The advantage of KASME is that it is bound tothe MS identity and the identity of the SN.Another advantage is that KASME is returnedto the SN only after the UE authenticationresponse is validated by the HSS. The NASsecurity context has a longer lifetime than theAS security context. It can also stay alive whenthe UE goes to idle.

USER IDENTITY CONFIDENTIALITYThe identity of the user is to be protected toprevent unlawful reading. Threats include track-ing and profiling the user’s movements, gettinginformation on the network’s identity (from theinternational mobile subscriber identity, IMSI).There are defined countermeasures to preventthese threats. Foremost among these are theusage of temporary identities. Temporary identi-ties are assigned and used wherever possible toavoid unnecessary exchange of permanent iden-tities between entities. Some temporary identi-ties are M-temporary mobile subscriber identity(M-TMSI), which is used to identify the UEwithin the MME, the S-TMSI, which is con-structed from the MME code and the M-TMSI,used for paging the UE, and the globally uniquetemporary UE identity (GUTI), allocated by theMME with two components, one uniquely iden-tifying the MME that allocated the GUTI andthe other uniquely identifying the UE withinthat MME. GUTI is used to support subscriberidentity confidentiality, and, in the shortened S-TMSI form, to enable more efficient radio sig-naling procedures (e.g., paging and service

requests). Apart from the temporary identities,the permanent identities (IMSI and IMEI) shallbe stored securely. There is one allowed securitybreach: if the MME queries for the UE’s IMSIin the Identity Request message, the UE shouldsend it, even if security is not configured.

MUTUAL AUTHENTICATION OFUSER AND NETWORK

The AKA procedure ensures that the servingnetwork (SN) authenticates the user’s identity(in the USIM) and the UE validates the signa-ture of the network provided in the authentica-tion token (AUTN). Apart from theauthentication itself, this procedure is used to bythe HN and UE to generate the Ck and Ik fromthe same material by the same functions; theKASME is also computed as part of this proce-dure. The KASME key is subsequently used toderive different session keys for ciphering andintegrity protection for AS and NAS.

During the registration, when the UE’s iden-tity is established with the MME, it sends arequest to the home environment (HE) queryingthe authentication vector for a specific SN-IDand IMSI. The HE responds with an authentica-tion vector (the use of multiple vectors is part ofUMTS and is discouraged for LTE/SAE becausethere is no need for it with the current keys hier-archy). Each vector has AUTN, RAND (a ran-dom value), XRES (which is calculated by theHE using a predefined authentication algorithmusing AUTN, RAND, and a master key Kunique to each IMSI), and KASME, which iscomputed from Ck and Ik (these two keysremain in the HSS and are never sent to theMME). There is an additional level of abstrac-tion, where KASME, Ck, and Ik are stored in akey set and identified by a key set identifier(KSIASME). The KSIASME is sent by theMME to the UE in the Authentication Requestmessage along with the AUTN and RAND. TheUSIM computes the KASME, Ck, Ik, and RES,stores KASME along with the received KSI-ASME, and sends back the calculated RES inthe Authentication Response message. TheMME compares the RES with the XRES it gotearlier and completes the procedure if they arefound to be the same. This enables the MME tostart ciphering and integrity protection at thenext establishment of an NAS signaling connec-tion without executing a new authentication orSMC procedure. It is to be noted that the UEderives the KASME using the SN-ID as a param-eter; hence, successful use of the keys derivedfrom KASME implicitly authenticates the net-work’s identity.

Some of the concepts used during the authen-tication procedure have been described here.The authentication vector has to be fresh (i.e.,not used before). This is ensured by the sequencenumbers exchanged in the messages that serve asan input to the ciphering and integrity algo-rithms. Also, the algorithms used in the HE andUSIM to compute the authentication vectors arelargely one-way mathematical functions, wherean output is gotten given a set of inputs, using adefined algorithm. However, to get back the

nn

Figure 3. Message flow for EPS AKA.

User’s identity establishedAuthentication datarequest (IMSI, SN-ID,

network type)

Authentication dataresponse (AUTN, RAND,

XRES and KASME)Authentication request(AUTN, RAND, KSIASME)

Authentication response(RES)

ME/USIM SN-MME HE




inputs using the output is extremely complex.This helps in countering security threats. All thedifferent keys used in the AKA and other proce-dures are interlinked with a defined hierarchywith the single source being the master key K,which is unique to a user and is stored in asecure manner in both the USIM and the HN.Please refer to [1, 8] for more details.

DATA CONFIDENTIALITY: CIPHERINGAND INTEGRITY PROTECTION

Once the UE and network have completed theirmutual authentication, they can start communi-cating in a secure manner, using ciphering andintegrity protection. For a detailed description,please refer to [1, 8].

Ciphering is an encryption methodology con-sisting of adding a random-looking mask bit bybit to the plaintext data to encrypt it. Theciphered message is unintelligible to any thirdparty as the inputs to the algorithm are confi-dential and protected. On the receiving side thesame mask, when added again, retrieves theoriginal plaintext data. This ensures the confi-dentiality of the data communicated over theradio link. Ciphering is applied on signaling mes-sages (in both NAS and AS) and user plane data(at AS).

Integrity protection ensures that the datareceived at an entity is what was sent by thesender. In other words, it ensures that the datahas not been tampered with midway. This is toensure protection at the individual message

level. Integrity protection is applied to all signal-ing messages at both the NAS and AS levels.Integrity protection is not applied to user planedata because it would become too much of anoverhead at the packet level, impacting the datarates. The basic methodology is computing anintegrity tag, which is appended to the messagebeing sent; the same integrity tag is generated onthe receiving side too; the message is acceptedonly when the tags match. Any change in theinput parameters (inputs include the original sig-naling message as well) to the algorithm affectthe output in an unpredictable manner; hence, itprotects the message from tampering.

While the Ck and Ik are assigned in the AKAprocedure, the ciphering and integrity algorithmsand other inputs to these algorithms are commu-nicated in the security mode command (SMC)procedure. There are two SMC proceduresdefined, one at the NAS level and the other oneas the AS level.

NAS SECURITY MECHANISMThe NAS SMC procedure is triggered by theMME immediately after the AKA — the SMCmessage contains the replayed security capabili-ties of the UE, the selected NAS algorithms,and the KSIASME for identifying KASME.This message is integrity protected with anNAS integrity key based on KASME indicatedby the KSIASME. The NAS security modecomplete message from UE to MME is integri-ty protected and ciphered with the algorithmsindicated by the MME NAS uplink. Downlinkciphering at the MME starts after sending the

nn

Figure 4. Establishment of NAS and AS security contexts during initial attach.

ME/USIM

ME/USIM

Attach complete [AS and NAS integrity protected and ciphered]

Attach accept [AS and NAS integrity protected and ciphered]

Authentication response (RES) [not ciphered; not integrity protected]

Authentication request (KSI-ASME, RAND, AUTN) [not ciphered, not integrity protected]

NAS identity procedure

NAS security mode complete (NAS-MAC) [NAS ciphered and integrity protected]

NAS SMC (KSIASME, UE security capability, ENIA, EAEA, NAS-MAC) [NAS integrity protected]

AS security mode complete (AS-MAC)[AS integrity protected]

AS SMC (KSIASME, EUEA, EAIA, EAEA, AS-MAC)[AS integrity protected]

eNode-BAttach request

eNode-B

SN-MME

SN-MME

While the Ck and Ik

are assigned in the

AKA procedure,

the ciphering and

integrity algorithms

and other inputs to

these algorithms are

communicated in the

Security Mode

Command (SMC)

procedure. There are

2 SMC procedures

defined, one at the

NAS level and the

other one at

the AS level.




NAS security mode command message. NASuplink and downlink ciphering at the UE startsafter receiving the NAS security mode com-mand message.

Once the AKA and SMC procedures arecompleted, the NAS security context is said tobe created and will be applicable during the timethe UE is registered. Depending on what trig-gers a subsequent detach procedure, the contextcould be maintained or deleted. While the NASsecurity context exists, all NAS messages shall beintegrity protected and ciphered The inputs forthe integrity and ciphering algorithms would bethe KNASint/KNASenc, NAS COUNT, BEAR-ER identity, and DIRECTION bit.

AS SECURITY MECHANISMThe AS SMC procedure is triggered by theeNode-B by sending the AS SMC to the UE; theUE replies with the AS security mode completemessage. The SMC contains the selected ASalgorithms (for ciphering and integrity protec-tion) and the KSIASME. It will be integrity pro-tected using the KRRCint tied to the KSIASMEthat comes in the SMC.The AS security modecomplete message shall also be integrity protect-ed with the selected RRC algorithm indicated inthe AS security mode command message andRRC integrity key based on the equivalentKASME.

RRC and user plane ciphering at the eNode-B shall start after receiving the AS securitymode complete message. RRC and UP cipher-ing at the UE shall start after sending the ASsecurity mode complete message. The inputparameters for the ciphering and integrity pro-tection algorithm would be the KRRCenc/KRRCint/KUPenc, the PDCP count, the bearerID, and a DIRECTION bit.

Refer to Fig. 4 for the case of establishing theAS and NAS security contexts during initialattach.

EPS SECURITY AND MOBILITY3GPP-Rel 8 defines the handshaking betweenthe UE and the different network elements tohandle security during mobility within the EPSas well as between the EPS and UTRAN/GERAN/non-3GPP networks [5, 8]. The majorchallenge in security during mobility is how thesecurity algorithms, KDFs, and keys are handled.A UE could move either with or without a secu-rity context active. Here, we look at the mobilityof the UE with the security context active. Somecommon points are:• The UE includes its security capabilities,

listing the algorithms it can support in E-UTRAN/UTRAN/GERAN, AttachRequest (in all the RATs), TAU Request(in E-UTRAN), and RAU Request (inUTRAN/GERAN) in Rel-8.

• The MME and eNode-Bs are configured bythe operator with a priority list of algo-rithms and KDF to use.

• When the AS security context is establishedin the eNode-B, the MME shall send theUE’s security capabilities to the eNode-B,containing the algorithms supported by theUE.

Intra E-UTRAN Mobil ity in ConnectedMode — At the time of a handover (HO), thesource eNode-B forwards the UE’s securitycapabilities to the destination eNode-B. Thedestination eNode-B selects an algorithm touse (based on the priority list), and lets the UEand MME know about it . If the MME alsochanges during the HO, the source MMEshares the UE security capability with the tar-get MME, and the target MME selects a set ofalgorithms and KDF (based on the priority list)and assigns them to the UE in the TAU Acceptmessage(if the new values are different fromthe old ones).

Intra E-UTRAN Mobility in Idle Mode — TheUE and network use the RAU/TAU signaling topost the mobility to synchronize on the algo-rithms to use. If there is data to send at the timeof the UE movement, the AS keys need to berecomputed. The KeNode-B is computed usingthe KASME and NAS count; and from the newKeNode-B, the KRRCenc, KRRCint, andKUPenc are derived. An AKA could be eitherrun or not as part of the TAU; key recomputa-tion is different in each case.

Inter-RAT Mobility in Connected Mode —At the time of the HO, the UE’s target RATsecurity capabilities are shared between theMME and the SGSN, and these are furthertransferred to the eNode-B or RNC. The select-ed algorithms (in the target RAT) are then con-veyed to the UE in the HO command. The keysare recomputed on both the UE and networkside at the time of the HO.

Inter-RAT Mobility in Idle Mode — There aretwo cases here: the UE has a cached securitycontext in the target RAT, or it does not. Whenthe cached context exists, either the old keys areaccepted between the UE and the network or anew AKA run is done. In the other case (calledthe mapped security context), the UE sends KSIor KSIASME or the source RAT in theTAU/RAU request; there is additional signalingbetween the network elements to set up thesecurity context.

CONCLUSIONThis article has sought to give an introduction tothe ideas and concepts that have been used inEPS security. While most of the threats andrequirements have been identified, much moreremains to be done given the wholly heteroge-neous nature of the EPS and the immense possi-bilities it throws up in applications, networkconfiguration, and so on. Some specific issuesbeing addressed now are:• Whether or not a single set of high-level

security requirements for all types ofeNode-B (i.e., femto, pico, and macro) isenough is being discussed. There is a viewthat the different deployment environmentsshould dictate the requirements.

• Per user activation of UP ciphering is underdiscussion.

• Negotiation of KDF, used to derive theKASME, and the handling during mobility

3GPP-Rel 8 defines

the handshaking

between the UE and

the different

network elements to

handle security

during mobility

within EPS as well as

between EPS and

UTRAN/GERAN/

non-3GPP networks.




(e.g., handover between two eNode-Bs withdifferent KDFs) is under study.

• Key handling during handover is anothermajor area of study.

• It is not yet fully defined which messagesshould be security protected and whichneed not be (under certain scenarios). Thescenarios and exceptions are being dis-cussed and worked on now.We conclude that security is one area in

3GPP that needs focus in the coming years toensure that there is no compromise in securitywhile realizing the potential of the next genera-tion of mobile systems.

REFERENCES[1] 3GPP Tech. Spec. 23.401 v8.2.0, “General Packet Radio

Service (GPRS) Enhancements for Evolved Universal Ter-restrial Radio Access Network (E-UTRAN) Access,” Rel.8.

[2] 3GPP Tech. Spec. 23.402 v8.0.0, “Architecture Enhance-ments for Non-3GPP Accesses,” Rel. 8.

[3] H. Kaakanen et al., UMTS Network Architecture, Mobili-ty, and Services, Wiley.

[4] 3GPP2 C.S0024-A v2.0, “CDMA 2000 High Rate PacketData Air Interface Specification.”

[5] 3GPP Tech. Spec. 33.402 V8.1.1, “Security Aspects ofNon-3GPP Accesses.”

[6] 3GPP Tech. Spec. 36.300 V8.6.0, “Evolved Universal Ter-restrial Radio Access (E-UTRA) and Evolved UniversalTerrestrial Radio Access Network (E-UTRAN); OverallDescription,” Rel. 8.

[7] E. Dahlman et al., “UMTS/IMT-2000 Based on WidebandCDMA,” IEEE Commun. Mag., vol. 36, no. 9, Sept.1998.

[8] 3GPP Tech. Spec. 33.401 v8.1.1, “3GPP System Archi-tecture Evolution (SAE): Security Architecture,” Rel. 8.

ADDITIONAL READING[1] 3GPP TS 33.102 V8.0.0, “3G Security; Security Architec-

ture,” Rel. 8.[2] 3GPP TR 33.821 V1.0.0, “Rationale and Track of Securi-

ty Decisions in Long Term Evolved (LTE) RAN/3GPP Sys-tem Architecture Evolution (SAE),” Rel. 8.

BIOGRAPHYSANKARAN C. B. ([email protected]) joined MotorolaIndia in 1997 and is currently working as an engineeringmanager in the UMTS/GSM handset stack group. His cur-rent area of interest is the evolved packet core in LTE. Hereceived his Master’s in telecommunications and softwareengineering from Illinois Institute of Technology, Chicago,in 2001 and his B.Tech. in instrumentation engineeringfrom Madras Institute of Technology, Chennai, in 1996.



Documents

Security Architecture EPS