Upload
phungthu
View
249
Download
4
Embed Size (px)
Citation preview
3GPP SAE/LTE Security
Anand R. Prasad<[email protected]>
NEC Corporation
NIKSUN WWSMC, 26 July, 2011, Princeton, NJ, USAMI事企画M11-0043
Disclaimer: This presentation gives views/opinion of the speaker and not necessarily that of NEC Corporation.
© NEC Corporation 2009Page 2 NEC Confidential
Outline
▐ Background on how this thing came into being:� Next Generation Mobile Networks (NGMN) and� Third Generation Partnership Project (3GPP)
▐ Brief overview of Evolved packet system (EPS), i.e., SAE/LTE▐ Security in EPS:
� Requirements� Security per network elements and protocol layers� Key hierarchy� Authentication and key agreement� Mobility
▐ Today and Tomorrow – including current security activities in Global ICT Standardisation Forum for India (GISFI)
For abbreviations check Slide 34
Next Generation Mobile Networks
(NGMN) and 3GPP
© NEC Corporation 2009Page 4 NEC Confidential
9.6 kbps
14.4 kbps
14.4 kbps
57.6 kbps
14 kbps
171 kbps
384 kbps
1.3 Mbps
144 kbps
2 Mbps
1 Mbps
21 Mbps
1 Mbps
12 Mbps
11 Mbps
42 Mbps
50 Mbps
100 Mbps
100 Mbps
1 Gbps
1993 Phase 1
1996 Rel. 96
1997 Rel. 97
1998 Rel. 98
2000 Rel.3
2002 Rel. 5
2004 Rel. 6
2007 Rel. 7
2009 Rel.8 Future
NGMN
Time-line of standard development towards NGMN
Broadband IP based
Cellular network
and WiMAX
Towards NGMN
Next Generation Mobile Network (NGMN): A project by mobile operators with the objective to establish recommendations, requirements and scenario for future mobile broadband networks
© NEC Corporation 2009Page 5 NEC Confidential
Service
Layer
Service
Control
e.g. IMS
PS core of NGMN
Enablers
Other
networks
like WiFi
NGMN
Access
Network
Other External
Networks e.g.
PSTN, PLMN,
Internet
CS core network
UTRANGERAN
NGMN Architecture
SAE (or EPC)
LTE (or E-UTRAN)
User Equipment (UE)
Subscriber Identity
Module (SIM)
Internet
3GPP Basic Architecture
Mobile Equipment (ME)
© NEC Corporation 2009Page 6 NEC Confidential
PCG PCG PCG PCG (Project Coordination Group)(Project Coordination Group)(Project Coordination Group)(Project Coordination Group)
RAN Plenary (RadioRAN Plenary (RadioRAN Plenary (RadioRAN Plenary (RadioAccess NetworkAccess NetworkAccess NetworkAccess Network))))
SA Plenary (SA Plenary (SA Plenary (SA Plenary (Service & Service & Service & Service & Systems AspectSystems AspectSystems AspectSystems Aspect))))
CT Plenary (Core CT Plenary (Core CT Plenary (Core CT Plenary (Core Network & TerminalNetwork & TerminalNetwork & TerminalNetwork & Terminal))))
RAN WG1 RAN WG1 RAN WG1 RAN WG1 (Layer 1)(Layer 1)(Layer 1)(Layer 1)
RAN WG2RAN WG2RAN WG2RAN WG2(L(L(L(Layer ayer ayer ayer 2222/3/3/3/3))))
RAN WG3RAN WG3RAN WG3RAN WG3((((RAN to wiredRAN to wiredRAN to wiredRAN to wired))))
RAN WG4RAN WG4RAN WG4RAN WG4(Performance)(Performance)(Performance)(Performance)
RAN WG5RAN WG5RAN WG5RAN WG5(UE conformance test)(UE conformance test)(UE conformance test)(UE conformance test)
SA WG1SA WG1SA WG1SA WG1(Requirement)(Requirement)(Requirement)(Requirement)
SA WG2 SA WG2 SA WG2 SA WG2 (Architecture)(Architecture)(Architecture)(Architecture)
SA WG3 SA WG3 SA WG3 SA WG3 (Security)(Security)(Security)(Security)
SA WG4 SA WG4 SA WG4 SA WG4 (Codec)(Codec)(Codec)(Codec)
SA WG5 (Management)SA WG5 (Management)SA WG5 (Management)SA WG5 (Management)
CT WG1CT WG1CT WG1CT WG1((((UE/Core NWUE/Core NWUE/Core NWUE/Core NW Layer 3)Layer 3)Layer 3)Layer 3)
CT WG3CT WG3CT WG3CT WG3(Interwo(Interwo(Interwo(Interworrrrkingkingkingking externalexternalexternalexternal))))
CT WG4 CT WG4 CT WG4 CT WG4 (Core NW protocol)(Core NW protocol)(Core NW protocol)(Core NW protocol)
CT WG5 CT WG5 CT WG5 CT WG5 (Open Service Access)(Open Service Access)(Open Service Access)(Open Service Access)
CT WG6 (SIM)CT WG6 (SIM)CT WG6 (SIM)CT WG6 (SIM)
3GPP Overview
© NEC Corporation 2009Page 7 NEC Confidential
ARIBJapan
ATISUSA
CCSAChina
ETSIEurope
TTAKorea
TTCJapan
PCG
TSG ITU
3GPP
Organizational
Partners
This is how it works
• Third Generation Partnership Project (3GPP) develops specification standardized by organizational partners (OPs)
• OPs follow their government / regulatory mandate
• OPs participate in the project coordination group (PCG)
• Individual members are member of at least one of the OPs and provide input to the technical specification group (TSG)
• Result of TSG is a TR or TS that formsstandars by OPs
• 3GPP also takes input from ITU and uses its guideline
• Resulting specification from 3GPP TSG is taken to ITU by individual members as specification
Evolved Packet System (EPS)
Overview and Security
• EPS is also know as System Architecture Evolution (SAE) / Long Term Evolution (LTE)
• SAE is also known as Evolved Packet Core (EPC)• LTE is also known as Evolved UTRAN
© NEC Corporation 2009Page 9 NEC Confidential
HSS (AuC,HLR,
EIR,DNS)
SGSN
eNodeB
MMESGW
MME
MEUSIM
Uu
S1-U
S10
S11
S4
S5 SGi
PDN -
Operator IP
services
(IMS etc.)
eNodeB
ePDG
SWp
S2aS2b
X2
S3S6a
S8 for Inter-PLMN
UE
UTRANS6d/Gr
PCRF
GXc Gx Rx
GERAN
S12
E-UTRAN EPC
S1-MME
Trusted 3GPP
access, e.g.
cdma2000
Un-trusted
3GPP access,
e.g. WiFi
PDNGW or PGW
X2, S1-U, S2a, Rx etc. are reference points between network elements. Protocols are defined for each reference point.
Solid lines between network elements are mainly for user plane traffic as defined by 3GPP while dashed lines are mainly for control plane.
Highlighted network elements are newly introduced network elements in SAE/LTE (EPS). Explanation of network elements related to security are given here.
Iu
Gb
Network Overview
• evolved NodeB
(eNodeB) takes over
RNC and NodeB
function of UMTS
• End-point for Access
Stratum (Radio
resource control and
User Plane)
• Mobility Management Entity (MME) takes
care of mobility within EPS and inter-RAT
• Performs authentication
• End-point for Non-Access Stratum (NAS)
• Selects gateways for UE
AS (RRC & UP)
NAS
© NEC Corporation 2009Page 10 NEC Confidential
Basic Requirements
▐ Continued usage of current USIM, i.e., there should not be any change in USIM for accessing EPS network. The USIM that is used in UMTS networks should be thus reusable.
▐ Security should be at least of the same level or better than that compared to UMTS.
© NEC Corporation 2009Page 11 NEC Confidential
eNodeB
MMESGWUE
Uu
S1-U
S11S1-MME
•MSIN & IMEI(SV) should be
confidentiality protected
•IMEI(SV) should be sent only
after NAS security is activated
•Mutual authentication between UE and
network
•Optional confidentiality
•Mandatory integrity protection for RRC
and NAS and optional for UP (algorithms
are SNOW 3G and AES)eNodeB
X2
• Integrity, confidentiality and
replay-protection based on
operator decision
• Mutual authentication
between network elements
• Sensitive part of boot-up in secure environment
• Uses authorized data/software
• Ensure data/software change attempts are authorized
• Ciphering /deciphering of control and user plane done
in secure environment
• Keys stored in secure environment
• Secure environment integrity ensured
• Sensitive data of secure environment not exposed
• Confidentiality and integrity
protection of software transfer
• Mutual authentication
between eNB and O&M
O&M
Security Requirements
© NEC Corporation 2009Page 12 NEC Confidential
eNodeB
MMESGWUE
Uu
S1-U
S11
E-UTRAN EPC
S1-MME
• End-point (UE is other end-point)
for integrity and confidentiality
protection of RRC and
confidentiality protection of UP
• Manages AS keys
• Initiates UE AS security
• End-point (UE is other end-point) for
integrity protection and
confidentiality protection of NAS
• Manages NAS keys and participates
in AS key handling
• Verifies UE authorization to access
service and network
• Gets AVs from HSS
• Initiates UE NAS security
Confidentiality is optional and integrity protection is mandatory and uses SNOW 3G or AES (ZUC was
added recently)
S6a
HSS (AuC,HLR,
EIR,DNS)
• Performs UE authentication
• Generates AVs
Network Elements and Security Functions
© NEC Corporation 2009Page 13 NEC Confidential
NAS
RRC
PDCP
RLC/MAC/L1
Application / IP
Performs integrity
protection of RRC and
confidentiality of RRC
and UP
Has the role of AS (RRC
and UP) key handling
and security activation
in PDCP
Performs NAS key
handling and integrity
and confidentiality
protection of NAS
Protocol Layers and Security Functions
© NEC Corporation 2009Page 14 NEC Confidential
Key Hierarchy
K • Pre-shared secret between the AuC and the USIM
• Used for Authentication and Key Agreement (AKA)
CK, IK
Kasme
• Confidentiality and integrity keys resulting from AKA
• Passed to HSS from AuC and ME from USIM
• Generated by HSS and passed to MME
• Concatenation of CK and IK
KNASenc KNASint
KeNB
KRRCenc KRRCSintKUenc
• NAS keys: stays in MME for NAS
confidentiality (encryption) and
integrity protection
• KeNB is passed to eNB from MME
• AS keys: Derived from keNB for RRC
confidentiality (encryption), RRC integrity
protection and U-plane confidentiality
AuC & USIM
HSS & ME
MME & ME
eNB & ME
Location of the keys
Key separation depending on purpose
© NEC Corporation 2009Page 15 NEC Confidential
Uu
S1-US11
(3) AKA and start integrity and
ciphering by security mode command
(SMC)
UE eNB MME HSS SGW PGW
(2) Attach request
(1)
(4)
(5)IP address
allocation
(6)
• Mutual authentication
• Set up keys
• Activate security
• Radio level access and control channel are
setup
• With random access the UE gets radio
access to eNB
• RRC messages are not security protected
• NAS message from UE piggy backed in RRC
message
• NAS message may or may not be security
protected
• UE needs registration to the network
• All UE and radio details are sent
• ME identity can be checked by the
network
• Can be security protected
• HSS is informed at which
MME the UE is located
• Create path to PDNGW
• PDNGW assigns the IP
address
• Leads to completion of attach and
setting of session
• RRC message maybe sent without
protection
EPS Terminal Start-up and Security
© NEC Corporation 2009Page 16 NEC Confidential
USIMHSS (with
AuC)MME
1. USIM identification
2. Authentication data request
3. Authentication data
response with authentication
vector (AV)
4. Authentication request
5. Check whether AUTN –part of AV
sent to UE– is acceptable
(Authenticate network). Generate
keys and RES.
6. Authentication response
{RES}
7. RES = XRES?
(Authenticate UE)
Authentication and Key Agreement (AKA)
Network and UE are authenticated to each other.The top-level-key (Kasme) is created
© NEC Corporation 2009Page 17 NEC Confidential
SMC: NAS Algorithm Selection
eNB MMEUE
NAS integrity protection start
NAS Security Mode Command (eKSI, UE sec capabilities,
ENEA, ENIA, [IMEI request,] [NONCEue, NONCEmme,]NAS-MAC)
NAS Security Mode Complete ([IMEI,] NAS-MAC)
Configured with list of NASconfidentiality and integrity algorithms that can be used and with priority
Choose highest priority algorithms
Verify NAS SMC integrity. If succesful, start ciphering/
deciphering and integrity protection and send NAS Security Mode Complete.
NAS de-ciphering/ciphering start
Integrity protected with the newalgorithm if there was change inalgorithm
Algorithm is chosen for NAS and NAS keys are generated. NAS security starts.
© NEC Corporation 2009Page 18 NEC Confidential
SMC: AS Algorithm Selection
eNB MMEUE
UE AS security context setup
UE capabilities., eKSI
RRC/UP integrity protection start
AS Security Mode Command RRC-Integrity protected
(Integrity algo, ciphering algo, MAC-I)
AS Security Mode Complete (MAC-I)
Configured with list of ASconfidentiality and integrity algorithms
that can be used and with priority
Choose highest priority algorithms
Verify AS SMC integrity. If succesful, start RRC/UP integrity
protection, downlink deciphering, and send AS Security Mode Complete.
RRC/UP ciphering start
RRC/UP de-ciphering start
RRC/UP ciphering start
UE security capabilities is sent to MME duringconnection establishment together with START
value. This is informed back to UE integrity protected. UE responds back with the same thing
again integrity protected. All in NAS.
Algorithm is chosen for AS & AS keys are generated. AS security starts.
© NEC Corporation 2009Page 19 NEC Confidential
SGSNMME MME
eNodeB eNodeB
eNodeB
NodeB NodeB
RNC
Cell 1 Cell 2 eNodeB
Intra-eNodeB
Inter-MME
Inter-RAT
Inter-eNodeB / X2
Inter-eNodeB/S1
EPS UMTS
S1-MME S1-MME S1-MME S1-MME
X2
S10 S3
Mobility in EPS
© NEC Corporation 2009Page 20 NEC Confidential
Secure Handover in Evolved Packet System (EPS)
BS
BS
CN device
BS BS
CN device
Provide security
material before
handover ���� Not
good
Serving �bad guy
TargetServing �
bad guyTargetServing �
bad guyTarget
Security material
given by core
network ���� Good
EPS
Core Network (CN)
Provide security
material during
handover ���� Not
good
Provide security
material after
handover ����
Good
Security material
given by BS ����
Not good
• Provides forward and backward security
• Key changed at each handover
• Algorithm can be changed at each handover
© NEC Corporation 2009Page 21 NEC Confidential
NCC=1
NCC=3
NCC=2
Horizontal key derivation
Ve
rtic
al
ke
y d
eri
vati
on
KDF
KDF
KASME
NH
NAS uplink COUNT
Initial
KeNB
KASME
KDF
NH
KASME
KDF
NH
KASME
KDF
PCI,
EARFCN-DL
KeNB*= KeNB KDF
PCI,
EARFCN-DL
KeNB*= KeNB KDF
PCI,
EARFCN-DL
KeNB*= KeNB
KDF
PCI,
EARFCN-DL
KeNB*= KeNB KDF
PCI,
EARFCN-DL
KeNB*= KeNB KDF
PCI,
EARFCN-DL
KeNB*= KeNB
KeNB KDF
PCI,
EARFCN-DL
KeNB*= KeNB KDF
PCI,
EARFCN-DL
KeNB*= KeNBNCC=0
KDF: Key Derivation FunctionNH: Next HopNCC: Next hop Chaining CounterPCI: Physical Cell Identity
Handover and Key Handling
Detail of key derivation and handling on handover
© NEC Corporation 2009Page 22 NEC Confidential
Inter-Technology Handover for EPS
eNodeB
UMTS
NodeB
Derive keys in serving network for the target
network and in UE based on current keys
before handover
EPS
▐ The idea here is to derive keys both ways from the existing context and do AKA at the earliest possible especially in E-UTRAN
▐ The keys are named as follows:� Mapped context is the one derived
from other RAT keys� Current context is the context being
used� Native context is the context of E-
UTRAN
▐ On handover to E-UTRAN mapped context is used although it is recommended that native context should be used as it is considered stronger
Today to Tomorrow
© NEC Corporation 2009Page 24 NEC Confidential
Protection against Unsolicited Communication in IMS (PUCI)
- Accounting & Charging server
- IMS – applicationServer
Bots, virus etc.
Threats
Data confidentiality
Fraud Activities
Phishing
Denial of Service
Bandwidth Availability
Productivity Loss
Call Quality Degradation
Unauthorized Access
Eavesdropping
SPIT
Customer Satisfaction
Authentication
Re-Routing
Caller ID Spoofing
There are several VoIP threats that can lead to SPIT
Can lead to SPIT
© NEC Corporation 2009Page 25 NEC Confidential
Protection against Unsolicited Communication in IMS (PUCI)
Identification(check with automatic
means and static operator/user settings)
Marking(indicate the likelihood of UC
through marking)
Result
Reacting(check threshold level and
take action, e.g. re-route, voice mailbox, further test etc.)
Marking level
Fur
ther
test
Other(based on user or operator policy communication is sent to a given
network element for action.)
Marking or no marking
Destination UE(user takes action based on
marking and sender ID if available)
Source device
Challenge
Solve it with Identify, Mark and React
3GPP TR 33.937 available. Further work on-going under SPUCI work-item.
© NEC Corporation 2009Page 26 NEC Confidential
Machine to Machine Communication
▐ Known as Machine Type Communication (MTC)
▐ Scenarios are, for example, smart metering or healthcare
▐ Issues can be from the point of access control to attack on the device itself
▐ The biggest problem will be the huge number of devices trying to connect to the mobile network and thus overwhelming the network due to high traffic volume
© NEC Corporation 2009Page 27 NEC Confidential
GISFI Security Activities
▐ The security activity in Global ICT Standardisation Forum for India (GISFI) provides solution for all the activities being carried out by the standardization forum
▐ Security SIG also provides input to Indian government▐ The activity is still at its early stage, some of the topics covered
are:� Cyber security and children� Cloud security� Inter-of-Things (starting from machine-to-machine, M2M,
communication)
© NEC Corporation 2009Page 28 NEC Confidential
What is happening today and where will it lead to?
▐ Some observations of today:� Average age of knowledge generation is decreasing with time – data and
information in readily available� World is slowly but steadily moving towards similar level of life globally –
impact on age of population and education level� Reachability is at 24 / 7� Need for convenience is increasing � Computing, telecommunications and networking has converged, if not, the
trend has only become faster� Openness, free and shared are key words� Technology enhancement is moving at a faster pace:
• Wireless data-rate is catching up with wired• Computing power is high and increasing while becoming available to all
� Human society is maturing� Business models are changing very fast: 10 to 2 years to 6 months and now 3
months� Operators business: conventional, data only, take a ride
© NEC Corporation 2009Page 29 NEC Confidential
Thoughts: Security?
▐ Potentially faster cycle for algorithm development▐ Need of increased awareness and concern of privacy and security▐ Necessity of ever more system security consideration
� Top-to-bottom� End-to-end
▐ Better privacy control mechanisms▐ Choice of level of security▐ Fast threat analysis together with proper understanding of risk and
input to security solution▐ …….
Conclusions
© NEC Corporation 2009Page 31 NEC Confidential
Conclusions
▐ Today we took a look at Evolved Packet System (EPS) security – the next generation of mobile communications� For more: write to me, check my book or check the 3GPP technical
specification TS 33.401 <http://www.3gpp.org/ftp/Specs/html-info/33401.htm>
▐ Some of the topics currently 3GPP is working on:� Taking care of unsolicited communication (I am the rapporteur in 3GPP)� Relay node security – IMT-advanced etc.
▐ Global ICT Standardisation Forum for India (GISFI) is working on several security topics starting from Indian requirements
▐ Penetration of security understanding should increase which will bring with it more demand on security itself
▐ Complete system consideration of security from the beginning will become even more necessary – Bringing potential changes in business arena – providers of service at different layers working together?
© NEC Corporation 2009Page 32 NEC Confidential
….the book
▐ Security in Next Generation Mobile Networks: SAE/LTE and
WiMAX
Authors: Anand R. Prasad <http://www.prasad.bz/> and Seung-Woo Seo
Publisher: River Publishers <http://riverpublishers.com/river_publisher/>Available: August 2011ISBN: 978-87-92329-63-9Table of Contents:
1. Introduction to NGMN2. Security Overview3. Standardization: 3GPP, IEEE 802.16 and WiMAX4. SAE/LTE Security5. Security in IEEE 802.16e / WiMAX6. Security for Other Systems: MBMS, M2M, Femto
Contact: <[email protected]>
© NEC Corporation 2009Page 34 NEC Confidential
Abbreviations
3GPP Third Generation Partnership Project NAS Non Access Stratum
AS Access Stratum (RRC and UP) NGMN Next Generation Mobile Network
AuC Authentication Center PCRF Policy and Charging Rules Function
AV Autentication Vector PDCP Packet Data Control Protocol
DNS Domain Name System PDN Packet Data network
EIR Equipment Identity RegisterPDNGW
or PGWPacket Data Network Gateway
EPC Evolved Packet Core PLMN Public Land-Mobile Network
ePDG evolved Packet Data Gateway PUCIProtection against Unsolicited
Communication in IMS
E-UTRAN Evolved-UTRAN RAN Radio Access Network
GERAN GSM EDGE Radio Access Network RLC Radio Link Control
GISFI Global ICT Standardisation Forum for India RRC Radio Resource Control
HLR Home Location Register SAESystem Architecture Evolution (or EPC
for core network)
HSS Home Subscriber Subsystem SPIT Spam over Internet Telephony
IMS IP Multemedia Subsystem SGSN Serving GPRS Support Node
IP Internet Protocol SGW Serving Gateway
LTE Long-Term Evolution (or E-UTRAN for UE User Equipment
MAC Medium Access Control UP User Plane
ME Mobile Equipment USIM Universal Subscriber Identity Module
MME Mobility Management Entity UTRAN UMTS Terrestrial Radio Access Network
© NEC Corporation 2009Page 35 NEC Confidential
Security Overview
Home stratum/ Serving Stratum
Transport stratum ME
Application stratum
User Application Provider Application (IV)
(III)
(II)
(I)
(I)
(I)
(I)
(I)
SN
AN (I)
USIM
(II)
HE
▐ Network access security (I)
▐ Network domain security (II)
▐ User domain security (III)
▐ Application domain security (IV)
▐ Visibility and configurability of security (V)
© NEC Corporation 2009Page 36 NEC Confidential
EPS AKA
USIM MME
GUTI or IMSI
HSS
Authentication data request
[IMSI, SNID (MCC+MNC), Network Type]
RAND, AUTN, eKSI Authentication data response
AVs(1….n) [RAND, XRESHSS ,KASME , AUTN]
K
RAND AKA
RESUSIM
XRESHSS
=
RESUSIM
?
RESUSIM ,CK, IK, AUTN
AUTN
acceptable?
eNB
CK || IK
SNIDKDFK_ASME
K
RANDAKARESUSIM ,CK, IK, AUTN
HSS delete all AVsCK,IK never leave HSS
Pre-computed or computed on demandRecommended to fetch only 1 AV
RRC connection setup
Start of NAS communication
3 bits for 7 values. 111 from network to UE reserved other way it signals deletion
Allocated by MME after NAS cipheringS-TMSI (short GUTI) used for efficient radio resource usage e.g. service req.,
paging (GUTI allocation in 23.401)
© NEC Corporation 2009Page 37 NEC Confidential
Other Security Aspects
▐ Network domain control plane protection� Protection of IP based control plane will be done using 33.210. If the
interfaces are trusted then such protection is not required.� Thus for S1-MME and X2-C
• Implement IPsec ESP [RFC 4303 and TS 33.210]• IKEv2 certificate based authentication [TS 33.310]• Tunnel mode IPsec mandatory on eNB while SEG can be used in core• Transport mode is optional
▐ Backhaul link user plane protection� Protection of user plane will be done using 33.210. If the interfaces
are trusted then such protection is not required.� S1-U and X2-U
• IPsec ESP as in RFC 4303 and TS 33.210 with confidentiality, integrity and replay protection
• IKEv2 certificate based authentication [TS 33.310]• Tunnel mode IPsec mandatory on eNB while SEG can be used in core• Transport mode is optional
▐ Management plane protection� Same as S1-U and X2-U� There is no management traffic over X2