TKK 2009-12-09
T-110.5120

Dan Forsberg

dan@forsberg.fi
http://forsberg.fi/



Topics


1. General: Mobile Network Security
2. LTE Security Architecture
3. Authentication and Security Setup
4. Intra-LTE Mobility Security
5. Intersystem Mobility Security
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 2 / 54


1. General: Mobile Network
Security

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 4 / 54
Terminology
. Non-repudiation
. kiistattomuus (finnish)
. Something that can not be
denied
. Service Theft
. Stealing service from others or
from the service provider

Why Mobile Network Security?


. Main goal is to secure the business and services
. Protect business models and services
. Sufficient non-repudiation of charging
. Privacy: user identity and data confidentiality
. Sufficiently future proof as a design goal
. Regulatory requirements (Legal Interception)
. Perceived security
.…
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 5 / 54


How to Apply Security?


.
Goal is to minimize risks and reduce the number of security threats
.
Need to be interoperable with legacy systems (e.g. UMTS andGSM)
.
Need to be cost efficient and with high performance
.
Practical design issues
.
Network architecture decisions influence design/complexity of security
but also other way around in the early phase…
.
Standardization challenges, schedule (especially with security)
.
Link layer or application layer security or both?
.
End-to-end or hop-by-hop security?
.
What is good enough?
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg
6 / 54


.
LTE Main Security Objectives
1.
User and network authentication
2.
Signaling data integrity
3.
User data and signaling data confidentiality
4.
User and device identity confidentiality
5.
User location confidentiality
6.
User untraceability
7.
Ciphering and integrity requirements - algorithms
8.
At least two strong security algorithms and algorithm extensibility
for future proofness
9.
UMTS Evolution
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg
7 / 54


2. LTE Security Architecture

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 9 / 54
Terminology
. MME . Mobile Management Entity
. Similar to SGSN and takes care of the
Control Plane
. SAE GW . System Architecture
Evolution Gateway
. Similar to GGSN, user plane gateway
. PDN GW . Packet Data Network
Gateway
. Home network gateway
. eNB . Evolved Node B
. LTE Base station
. HeNB . Home eNB
. LTE Base station in home environment
. HSS . Home Subscriber Server
. User credential storage, like home AAA
server
. EPS . Evolved Packet System
. ~ EPC + E-UTRAN
. LTE - Long Term Evolution
. Short name for Evolved UTRAN (EUTRAN)
network
. UE . User Equipment

Peek: Changes compared to UMTS


.
Security at different protocol layers
.
Termination point for air interface security
.
Key hierarchy
.
Cryptographic network separation, key binding . serving network
authentication
.
Key separation in intra-LTE handovers
.
Use of trusted base station platforms (implementation)
.
Two strong security algorithms and algorithm extensibility for futureproofness from day one
.
Key separation in intersystem mobility
.
Homogeneous security concept for connecting heterogeneous
access networks (not handled in this presentation)
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg
11 / 54


HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 13 / 54
Integrity protected
Ciphered
(NDS/IP)*
Integrity protected
Ciphered
Secure Control Plane (CP)
eNB
eNB
UE MME
NAS
RRC RRC S 1 - AP
X 2 - AP
X 2 - AP
NAS
S 1 - AP
NAS signaling
Integrity protected & Ciphered
* IPSec is optional .
needed only if access
network is considered
to be untrusted
X2 C-Plane
Security (as
S1-AP)
. NAS . Non-Access
Stratum
. Control Plane
between UE and
MME
. AS . Access Stratum
. Control (and User)
Plane between UE
and eNB

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 14 / 54
Secure User Plane (UP)
eNB
eNB
UE SAE GW
U _ Plane
Data
Stream
L 1 / L 2
X 2 data
forwarding
X 2 data
forwarding
U _ Plane
Data
Stream
S 1 - U
Radio and
S 1 Bearers
SAP
L 1 / L 2
S 1 - U
Radio and
S 1 Bearers
SAP
Security for IP packets provided by lower layers (hop-by-hop)
Ciphered
no integrity protection
(performed by PDCP)
Ciphered
no integrity protection
(NDS/IP)*
X2 U-Plane
Security as
for S1-U * IPSec is optional .
needed only if access
network is considered to
be untrusted

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 15 / 54
eNB
Secure Path - example
Secure environment
Secure key
Storage?
Sec GW
SAE GW
UE MME
UP
CP CP
3GPP UP
Security
O&M
system
Mgmnt
Plane
3GPP
Security IPsec IPsec
. eNB implements termination of encryption of UP and CP
. eNB’s backhaul traffic is encrypted
. optional, used if network is untrusted
. Encryption / decryption takes place in a secure environment in eNB
. Secure storage solution for long term keys in eNB

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 16 / 54
Protocol Stack
MME
NAS
UE
PHY
MAC
RLC
NAS
IP
PDCP
eNB
PHY
MAC
RLC
PDCP
NAS Control Plane
(CP) signaling is
e2e encrypted and
integrity protected
between UE and
MME
AS Control Plane
(CP) (RRC) is
encrypted and
integrity protected
over the air on PDCP
User Plane (UP)
(TCP/IP) is
encrypted over the
air on PDCP
SAE GW
RRC IP RRC

3. Authentication and Security
Setup

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 18 / 54
Terminology
ARCHITECTURE
. HSS . Home Subscriber Server
. Contains the User credentials and
profile settings
. ME . Mobile Equipment
. UE without UICC / USIM
. UICC . Universal Integrated Circuit
Card
. Smart Card used in UMTS and GSM
. (U)SIM . (UMTS) Subscriber Identity
Module
. Application in the UICC for (3G) 2G
FUNCTION
. KDF . Key Derivation Function
. One way hash function like SHA256
EPS AKA
. AKA . Authentication and Key
Agreement
. RAND . AKA: Random challenge
. AUTN . AKA: Authentication Token
. XRES . AKA: Expected Response
. E-AV . EPS Authentication Vector
. Contains: AUTN, XRES, KASME, RAND
. KASME . EPS AKA: 256bit root key
. Created in HSS from CK, IK, and SN
identity
IDENTITY
. IMSI . International Mobile Subscriber
Identity (user id)
. IMEI . International Mobile Equipment
Identity (device id)
. GUTI . Globally Unique Temporary
Identity
. Similar to P-TMSI in UMTS but longer

SN

Auth Data Req

Auth Data Resp
AV(1..n)

User Auth Req
RAND(i) || AUTN(i)

Verify AUTN(i)
Compute RES(i)

User Auth RespRES(i)


Compare RES(i)
and XRES(i)


HN

Distribution of
authentication
vectors from HE
to SN

Authentication and
key establishment

Compute CK(i) and IK(i) Select CK(i) and IK(i)


HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 22 / 54
EPS AKA: KASME
eNB
eNB
eNB
MME
UE
HSS/AuC
SAE GW Home Network (HN)
Serving Network (SN)
K
K
CK, IK
CK, IK
K ASME
K
K ASME
K ASME
256 bits
SN Id
. Bind CK and IK
from UMTS AKA
with Serving
Network identity
. Serving
Network
Authentication

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 23 / 54
EPS AKA: KASME
eNB
eNB
eNB
MME
UE
HSS/AuC
SAE GW Home Network (HN)
Serving Network (SN)
K
K
CK, IK
CK, IK
K ASME
K
K ASME
K ASME
256 bits
SN Id
. Bind CK and IK
from UMTS AKA
with Serving
Network identity
. Serving
Network
Authentication

Key Separation and Freshness


. Key separation:
. Separate keys for control (CP) and user planes (UP)
. Separate keys for access (AS) and core connectivity (NAS)
. Separate keys for integrity and ciphering
. Separate keys for different algorithms (algorithm id binding)
. Key freshness:
. New AS keys in every idle to active state transition
. New keys AS+NAS in intersystem handovers (except cached keys)
. New AS keys during handovers
. New keys with EPS AKA
. New keys before COUNT wraps around
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 24 / 54


Key Lengths


.
System design allows longer future key lengths: keys that are
transported toward the crypto endpoints are 256-bit
. KeNB
.
KASME

.
Actual AS and NAS protection keys are 128-bit
.
KNASInt

.

KNASEnc

.

KRRCEnc

.

KRRCInt

.

KUPEnc

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg
25 / 54


HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 26 / 54
Basic Key Hierarchy
eNB / MME / S-GW
IPSec keys for
User Plane and
Control Plane K eNB - UPenc
CK, IK
K
K ASME
K NASenc
K eNB - RRCint K eNB - RRCenc
UE / MME
UE / e NB
UE / HSS
USIM / A uC
K NASint
Home Network (HN)
256-bit Serving Network (SN)
K eNB
256-bit

Security Algorithms


.
Two different mandatory 128-bit EPS ciphering and integrity
algorithms for CP an UP from day one
.
Snow3G (UMTS based, UIA2 and UEA2) and
.
AES (by US NIST, FIPS standard 197) algorithms
.
Algorithm-id:
.
\"0000\" 128-EEA0 NULL ciphering algorithm
.
\"0001\" 128-EEA1 SNOW 3G
.
\"0010\" 128-EEA2 AES
.
\"0001\" 128-EIA1 SNOW 3G
.
\"0010\" 128-EIA2 AES
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg
27 / 54


Basic Key Derivations


. KDF = Key Derivation Function, a one way hash function (SHA256)
. KASME = KDF(CK, IK, PLMN Id, SQN .
AK)
. KeNB = KDF(KASME, COUNTNAS-UL)
. NAS Keys
. KNASInt = KDF(KASME, NAS-int-alg, algorithm-id)
. KNASEnc = KDF(KASME, NAS-enc-alg, algorithm-id)
. AS Keys
. KRRCInt = KDF(KeNB, RRC-int-alg, algorithm-id)
. KRRCEnc = KDF(KeNB, RRC-enc-alg, algorithm-id)
. KUPEnc = KDF(KeNB, UP-enc-alg, algorithm-id)
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 28 / 54


HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 29 / 54
. Derived Keys
eNB
eNB
eNB
MME
UE
HSS/AuC
SAE GW
Serving Network (VN)
K
K
CK, IK
CK, IK
K ASME
K ASME K NASenc K NASint
K eNB
K eNB - UPenc K eNB - RRCint K eNB - RRCenc
HeNB
K eNB
K eNB - UPenc K eNB - RRCint K eNB - RRCenc
Home Network (HN)
K NASenc K NASint
K ASME

Ciphering Algorithm Inputs



Figure B.1-1: Ciphering of data [TS33.401]


HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 30 / 54


Integrity Algorithm Inputs



Figure B.2-1: Derivation of MAC-I (or XMAC-I) [TS33.401]


HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 31 / 54


HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 32 / 54
Summary: Security Architecture
1) Distribution of authentication data
X2 IPSec
2) Challenge / response authentication
and key agreement (EPS AKA)
UE
3) Encr. + int. pr. (AS CP)
3) Encr. (UP)
Serving Network (SN)
UICC
K
K
eNB
SAE-GW
3) Encr. + int. pr. (NAS CP)
3) Encr. (S1-UP)
3) Encr. + int. pr. (S1-CP)
To other
networks
S1 IPSec
MME
Encryption
termination
in eNB
Home Network (HN)
HSS
S1 IPSec

4. Intra-LTE Mobility Security

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 34 / 54
Terminology
. Refresh of KeNB
. Derivation of a new KeNB from the same
KASME and including a freshness
parameter
. Re-keying of KeNB
. Derivation of a new KeNB from a new
KASME (i.e., after an AKA has taken
place)
. Re-derivation of NAS keys
. Derivation of new NAS keys from the
same KASME but including different
algorithms (and no freshness
parameter)
. Re-keying of NAS keys
. Derivation of new NAS keys from a
new KASME
. KDF . Key Derivation Function
. One way hash function like SHA256
. Chaining of KeNB - \"KeNB*\"
. Derivation of a new KeNB from another
KeNB (i.e., at cell handover)
. Key Separation
. Keys are cryptographically not directly
related
. Forward Key Separation
. New key can not be deduced from the
old key
. Backward Key Separation
. Old key can not be deduced from the
new key
. NH - Next Hop Key
. Cryptographically separate key from
KeNB (from MME to the eNB)
. NCC - Next Hop Chaining Count
. Short round robin key derivation (NH)
index
. {NH, NCC} pair
. NH/KeNB and NCC are always carried
together

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 35 / 54
Idle to Active State Transition
MME
K eNB
K eNB - UPenc K eNB - RRCint K eNB - RRCenc
K eNB
2. Service Request
1. Service Request
3. UE Context
4. OK
K ASME K eNB . Fresh KeNB is derived
from KASME and NAS
uplink COUNT value
. eNB selects security
algorithms (AES or
SNOW 3G)
. No need for EPS AKA

Keys in Mobility


.
In case of handover new keys (KeNB) are derived
.
fast key derivation
.
Intersystem mobility (handled in more details on next chapter)
.
Security context transfer in handover to/from UTRAN and GERAN
.
Handover from UTRAN and GERAN may be followed by key change on
the fly in active state
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg
36 / 54


KeNB*A

KeNB*D

KeNB*C


KeNB*B



HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 38 / 54
Handover: Next Hop (NH) Key
. KeNB0 = KDF(KASME, NAS uplink COUNT)
. NH0 = KDF(KASME, KeNB0)
. NHNCC+1 = KDF(KASME, NHNCC)
. Derived in MME and delivered to the eNB as KeNB
K eNB - UPenc
K ASME
K eNB - RRCint K eNB - RRCenc
UE / MME
UE / e NB
K eNB
NH K eNB
Horizontal key derivation
Vertical key derivation
*

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 39 / 54
S1 Handover - \"Vertical Key
Derivation\"
MME
NH,NCC
2. Handover Required
3. Handover Request
1. Measurement Report
K ASME NHi+1 . Fresh KeNB is derived
from NH and KASME
. eNB selects security
algorithms (AES or
SNOW 3G)
5. Handover
Command
6. Handover
Command (NCC)
7. Handover
Confirm
+ NHi
4. Ack
KeNB
K eNB - UPenc K eNB - RRCint K eNB - RRCenc
+ PCI KeNB

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 40 / 54
X2 Handover - \"Horizontal Key
Derivation\"
MME
NH,NCC
7. Path Switch Ack
1. Measurement Report
K ASME NHi+1 . Fresh KeNB is derived
from previous KeNB
. MME provides fresh
NH for target eNB
after HO
. eNB selects security
algorithms (AES or
SNOW 3G)
4. Handover
Command (NCC)
5. Handover
Confirm
+ NHi
6. Path Switch
KeNB
K eNB - UPenc K eNB - RRCint K eNB - RRCenc
+ PCI KeNB
2. Handover Request
3. Ack

1. Vertical key derivation .
forward key separation
2. Horizontal key derivation .
backward key separation

MME eNB




KeNB*A

KeNB*D

KeNB*C


KeNB*B



5. Intersystem Mobility
Security

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 45 / 54
Terminology
. EPS security context
. Includes EPS NAS and AS security context
. UE Security capabilities
. The set of identifiers corresponding to the
ciphering and integrity algorithms
implemented in the UE. This includes
capabilities for E-UTRAN, and includes
capabilities for UTRAN and GERAN if these
access types are supported by the UE.
. EPS AS security context
. The cryptographic keys at AS level with their
identifiers
. The identifiers of the selected AS level
cryptographic algorithms
. Counters used for replay protection.
. Exists only when the UE is in ECMCONNECTED
state
. EPS NAS security context
. KASME with the associated key set identifier
(KSIASME)
. NAS keys: KNASint and KNASenc,
. UE security capabilities,
. Algorithm identifiers of the selected NAS
integrity and encryption algorithms
. Uplink and downlink NAS COUNT values
. The distinction between cached and mapped
EPS security contexts also applies to EPS
NAS security contexts. For EMM-ACTIVE
mode UEs, the EPS NAS security context
shall also include the Next Hop parameter
NH, and the Next Hop Chaining Counter
parameter NCC.
. Native security context
. A security context that was created for a given
system during prior access
. Current security context
. The security context which has been taken
into use by the network most recently
. Legacy security context
. A security context which has been established
according to TS 33.102 [4].
. Mapped security context
. Security context created by converting the
current security context for the target system
in inter-system mobility, e.g., UMTS keys
created from EPS keys.

RAU




TAU




HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 49 / 54
IDLE: UTRAN . E-UTRAN with
Cached Context (UMTS . LTE)
. TAU Request is integrity
protected with cached keys
. NonceUE is included in TAU
Request
. Allow fallback to mapped
context
MME
UTRAN
SGSN
E-UTRAN
TAU

HO: UTRAN to E-UTRAN with


Mapped Context (UMTS .
LTE)


HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 51 / 54

Summary



Summary: Changes compared to
UMTS


.
Security at different protocol layers
.
Termination point for air interface security
.
New key hierarchy
.
Cryptographic network separation, key binding . serving network
authentication
.
Key separation in intra-LTE handovers
.
Use of trusted base station platforms (implementation)
.
Two strong security algorithms and algorithm extensibility for futureproofness from Day One
.
Key separation in intersystem mobility
.
Homogeneous security concept for connecting heterogeneous
access networks (not handled in this presentation)
HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg
54 / 54


References


[TS33.401] 3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3GPP System Architecture Evolution (SAE): Security
architecture; (Release 9)

[TS33.402] 3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3GPP System Architecture Evolution (SAE); Security aspects of
non-3GPP accesses; (Release 9)

[TS33.102] 3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; 3G Security; Security architecture (Release 8)

[TS23.401] 3rd Generation Partnership Project; Technical Specification Group Services
and System Aspects; General Packet Radio Service (GPRS) enhancements for
Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access (Release 9)

HUT 2009-12-09 \"LTE Security Tutorial\" / Dan Forsberg 55 / 54