Upload
nguyenanh
View
239
Download
1
Embed Size (px)
Citation preview
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 11
3GPP LTE
Security Aspects
Dionisio ZumerleTechnical Officer, 3GPP
ETSI
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 22
Contents
LTE security architecture
Security algorithms
Lawful Interception
Backhaul Security
Relay Node Security
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 33
LTE Security Architecture
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 44
LTE Security:UMTS Security and LTE Architectural impact
UMTS security enhancements:
• Mutual authentication
• Integrity keys
• Public algorithms
• “Deeper” encryption
• Longer key length
LTE Architecture:
• Flat architecture
• Separation of control plane and user plane
• eNodeB instead of NodeB/RNC
• All-IP network
• Interworking with legacy and non-3GPP networks
Characteristics of LTE Security
• Re-use of UMTS Authentication and Key Agreement (AKA)
• Use of USIM required (GSM SIM excluded)
• Extended key hierarchy
• Possibility for longer keys
• Greater protection for backhaul
• Integrated interworking security for legacy and non-3GPP networks
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 55
AKA and signalling protection
S12
S3
S1-MME S6a
HSS
S10
UE
SGSN
LTE-Uu
E-UTRAN
MME
S11
S5 Serving Gateway
S1-U
S4
UTRAN
GERAN
Confidentiality and integrity for signalling only (NAS)
Optional user plane protection (IPsec)
Confidentiality and integrity for signalling and confidentiality for user plane (RRC & NAS)
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 66
Authentication and Key Agreement
UE eNB MME AuCNAS attach request (IMSI)
AUTH data request (IMSI, SN_id)
AUTH data response (AV={AUTN, XRES, RAND, Kasme})
NAS auth request (AUTN, RAND, KSIasme)
NAS auth response (RES)
NAS SMC (confidentiality and integrity algo)
NAS Security Mode Complete
RRC SMC (confidentiality and integrity algo)
RRC Security Mode Complete
S1AP Initial Context Setup
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 77
Security Algorithms
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 88
LTE Security Algorithms
Currently two separate algorithms specified• In addition to one NULL algorithm
Current keylength 128 bits• Possibility to extend to 256 in the future
Confidentiality protection of NAS/AS signalling recommended
Integrity protection of NAS/AS signalling mandatory
User data confidentiality protection recommended
Ciphering/Deciphering applied on PDCP and NAS
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 99
LTE Ciphering and Integrity mechanisms
PLAINTEXT BLOCK
EEA
COUNT DIRECTION
BEARER LENGTH
KEY
KEYSTREAM BLOCK
CIPHERTEXT BLOCK
EEA
COUNT DIRECTION
BEARER LENGTH
KEY
KEYSTREAM BLOCK
PLAINTEXT BLOCK
Sender Receiver
KEY
MAC-I/NAS-MACSender
COUNT DIRECTION
MESSAGE BEARER
XMAC -I/XNAS-MAC
COUNT DIRECTION
MESSAGE BEARER
KEY
Receiver
EIA EIA
ciphering
integrity
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1010
128-EEA1/EIA1
Based on SNOW 3G
• stream cipher
• keystream produced by Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM)
Different from KASUMI as possible
• selected during UMTS security design
Allows for:
• low power consumption
• low gate count implementation in hardware
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1111
128-EEA2/EIA2
AES block cipher
• Counter (CTM) Mode for ciphering
• CMAC Mode for MAC-I creation (integrity)
Different from SNOW 3G as possible• Cracking one would not affect the other
Reasons why KASUMI was not re-used:
• eNB already supports AES• needs to support AES for NDS/IP
• Similarity with other non-3GPP accesses (e.g. 802.11i)
• Other
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1212
128-EEA3/EIA3
Based on Chinese ZUC
• stream cipher
Three-phase evaluation ongoing
• Public evaluation ongoing! http://zucalg.forumotion.net/
• 2nd International Workshop on ZUC: June 5-6 in Beijing http://www.3gpp.org/Call-for-Papers-Beijing-ZUC
Network-mandatory/network-optional to be decided
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1313
Deeper Key hierarchy in LTE
Faster handovers and key changes, independent of AKA
Added complexity in handling of security contexts
Security breaches local
USIM / AuC
UE / MME
UE / ASME
K
KUPenc
KNASint
UE / HSS
UE / eNB
KNASenc
CK, IK
KRRCint KRRCenc
KASME
KeNB
KUPint
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1414
Key Derivation
Key distribution and key derivation scheme for EPS (network side), found in 33.401Key Derivation Function (KDF) specification can be found in 33.220
MMEHSSCK,IK
KDF
256
256
SN id, SQN
AK
KeNB
KASME
256
K
D
F
KDF KDF
KNASenc KNASint
KNASenc KNASint
Trunc Trunc
256 256
128 128
256
256256
NAS-enc-alg,
Alg-ID
NAS-int-alg,
Alg-ID
NAS UPLINK COUNT
KDF KDF
KUPenc KRRCint
KUPenc KRRCint
Trunc Trunc
256 256
128 128
256
UP-enc-alg, Alg-ID
RRC-int-alg, Alg-ID
RRC-enc-alg, Alg-ID
256256
Physical cell ID, EARFCN-DL
256
KeNB
s
eNB
eNB
KeNB*
KDF
KRRCe
nc
KRRCenc
256
256
128
Trunc
K
D
F NH
NH
KeNB
256
256
KDF
Trunc
UP-int-alg, Alg-ID
KUPint
256
KUPint
128
256
KDF
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1515
Lawful Interception
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1616
Lawful Interception in 3GPP
HandoverRetrieval
Cost Political
LegalBusiness
Relations
process
Storage
Interception
Analysis
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1717
Lawful Interception in EPS
Context and mechanisms similar to case of UMTS PS
• Different core entities (ICE, Intercepting Control Elements)
• ADMF handles requests from Law Enforcement Authorities • target identity: IMSI, MSISDN and IMEI
• X1 interface provisions ICEs and Delivery Functions
• X2 delivers IRI (Intercept Related Information)
• X3 delivers CC (Content of Communication)
• HI1,2,3: Handover Interfaces with law enforcement• Convey requests for interception of targets (HI1)
• Deliver IRI (HI2) and CC (HI3) to LEAs
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1818
SGi
S12
S3
S1-MME
PCRF
Gx
S6a
HSS
Operator's IP Services
(e.g. IMS, PSS etc.)
Rx
S10
UE
SGSN
LTE-Uu
E-UTRAN
MME
S11
Serving Gateway
PDN Gateway
S1-U
S4
UTRAN
GERAN
EPS LI Architecture
LEMF
MediationFunction
DeliveryFunction 2
MediationFunction
DeliveryFunction 3
MediationFunction
ADMF
X1_1
X1_2
X1_3X2 X3
HI1 HI2 HI3
X2
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1919
Backhaul Security
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2020
Backhaul Security
Base stations becoming more powerful• LTE eNode B includes functions of NodeB and RNC
Coverage needs grow constantly
Infrastructure sharing
Not always possible to trust physical security of eNB
Greater backhaul link protection necessary
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2121
Certificate Enrollment for Base Stations
RA/CA
base stationbase station obtains operator-signed certificate on its own public key from RA/CA using CMPv2.
CMPv2
Vendor-signed certificate of base station public key pre-installed.
Vendor root certificate pre-installed.
SEG
Operator root certificate pre-installed.
Enrolled base stationcertificate is used in IKE/IPsec.
IPsec
Picture from 3GPP TS 33.310
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2222
Relay Node Security
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2323
Relay Node Authentication
Mutual authentication between Relay Node and network• AKA used (RN attach)
• credentials stored on UICC
Binding of Relay Node and USIM:• Based on symmetric pre-shared keys, or
• Based on certificates
RelayDonor
eNBUE
Core
NW
Radio Radio Backhaul
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2424
Relay Node Security
Control plane traffic integrity protectedUser plane traffic optionally integrity protectedRelay Node and network connection confidentiality protectedDevice integrity checkSecure environment for storing and processing sensitive data
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2525
Conclusions
LTE Security: building on GSM and UMTS Security
Newer security algorithms, longer keys
Extended key hierarchy
New features, addressing new scenarios
• Backhaul Security
• Relay Node Security
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2626
Thank You!
www.3gpp.org
More Information about 3GPP:
© 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2727
Backup:Selection of 3GPP Security Standards
LTE Security:33.401 System Architecture Evolution (SAE); Security architecture33.402 System Architecture Evolution (SAE); Security aspects of non-3GPPLawful Interception:33.106 Lawful interception requirements33.107 Lawful interception architecture and functions33.108 Handover interface for Lawful InterceptionKey Derivation Function:33.220 GAA: Generic Bootstrapping Architecture (GBA)Backhaul Security:33.310 Network Domain Security (NDS); Authentication Framework (AF)Relay Node Security33.816 Feasibility study on LTE relay node security (also 33.401)Home (e) Node B Security:33.320 Home (evolved) Node B Security