© 2006 Cisco Systems, Inc. All rights reserved. CISCO PROPRIETARY
3GPP/LTE Security Session #2: LTE Security Architecture Fundamentals
Klaas Wierenga, Consulting Engineer, Corporate Development

Security Session 2 - LTE Security Architecture Fundamentals - V1

Improvements in spectral efficiency, user throughput, latency
Simplification of the radio network
Efficient support of packet based services: multicast, VoIP, etc.
Simplification of the core network
Optimization for IP traffic and services
Simplified support and handover to non-3GPP access technologies

[Architecture diagram: UE, eNodeB, eNodeB, MME, S-GW, PDN-GW; interfaces S1-MME, S1-U, S5, X2]
S-GW = Serving Gateway
PDN-GW = PDN Gateway

Serving GW functions include:
Local mobility anchor point for inter-eNodeB handover (i.e. GTP termination)
PMIP or GTP support towards PDN Gateway
Per-flow QoS policy enforcement
Lawful interception
Traffic accounting
Per-user based packet filtering
Mobility anchoring for intra- and inter-3GPP mobility (requires GTP and MIP HA)
Charging support
Lawful interception
Both can be combined if there is a full mesh between base stations and GWs
[Diagram: IP tunnels between base stations and gateways]

eNB placement in untrusted locations
Keep security breaches local
More complex key hierarchy
More complex interworking security
Additional security for (home)eNB

LTE/SAE architecture
(I) Network access security: secure access to services, protect against attacks on (radio) access links
(II) Network domain security: enable nodes to securely exchange signaling data & user data (between AN/SN and within AN), protect against attacks on the wireline network
(III) User domain security: secure access to mobile stations
(IV) Application domain security: enable applications in the user and in the provider domain to securely exchange messages
ME = Mobile Equipment
AN = Access Network
HE = Home Environment
SN = Serving Network

- Network access security (I): the set of security features that provide users with secure access to services while terminated at the 3GPP EPC. Radio access protection is specific to the non-3GPP access.
- Network domain security (II): the set of security features that enable nodes to securely exchange signaling data, and protect against attacks on the wireline network.
- Non-3GPP domain security (III): the set of security features that are specific to the non-3GPP access.
- Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages.

Entity authentication

Subscription Identification Module
Used as identity & security key
IMSI is used as user identity
Benefits
Easy to get authentication from home network while in visited network without having to handle Ki
Source: ETRI

SIM access to LTE explicitly excluded

Signaling protection
User plane protection

RRC signaling between UE and E-UTRAN
NAS signaling between UE and MME
S1 interface signaling (optional) protection, not UE-specific

Integrity not protected

If keys are passed unmodified, a compromised eNB compromises other eNBs
One-way function before passing over
MME is involved after HO for further key passing

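The three bullets above describe the key-chaining idea in a few words; the following Python model, added here and not part of the slides or of any 3GPP specification, shows why both steps matter. It uses HMAC-SHA256 as the one-way function and invented labels (ENB-HANDOVER, MME-NEXT-HOP, cell-A/B/C, a constructed root key), not the KDF, FC codes or parameter layout of TS 33.401. It shows that a source eNB hands over a derived key rather than its own, that an eNB holding one key can still follow the chain forward on its own, and that a refresh from the MME (which holds a root key no eNB sees) breaks that chain.

```python
import hmac
import hashlib


# Illustrative one-way derivation: HMAC-SHA256 over a labelled, length-prefixed
# context. Simplified model of the slide's idea, not the TS 33.401 KDF.
def kdf(key: bytes, label: bytes, *context: bytes) -> bytes:
    h = hmac.new(key, label, hashlib.sha256)
    for part in context:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def enb_handover_key(k_enb_source: bytes, target_cell_id: bytes) -> bytes:
    """Key the source eNB hands to the target eNB: a one-way derivation bound
    to the target cell, never the source eNB's own key."""
    return kdf(k_enb_source, b"ENB-HANDOVER", target_cell_id)


def mme_refreshed_key(k_asme: bytes, hop_count: int, target_cell_id: bytes) -> bytes:
    """After a handover the MME, holding the root key K_ASME that no eNB ever
    sees, injects fresh material so later keys are no longer a function of any
    key an earlier eNB held."""
    fresh = kdf(k_asme, b"MME-NEXT-HOP", hop_count.to_bytes(4, "big"))
    return kdf(fresh, b"ENB-HANDOVER", target_cell_id)


def derivable_from(known_key: bytes, candidate: bytes, target_cell_id: bytes) -> bool:
    """What an eNB that knows `known_key` can do: recompute the eNB-side step and
    compare. It cannot invert the HMAC to walk the chain backwards."""
    return hmac.compare_digest(enb_handover_key(known_key, target_cell_id), candidate)


def simulate(k_asme: bytes = b"constructed-root-key-for-demo-only") -> dict:
    # Constructed sample values; real keys and identifiers come from USIM/HSS.
    cell_a, cell_b, cell_c = b"cell-A", b"cell-B", b"cell-C"
    k_enb_a = kdf(k_asme, b"INITIAL-ENB", cell_a)    # MME -> first eNB
    k_enb_b = enb_handover_key(k_enb_a, cell_b)      # A -> B, eNB-side step only
    k_enb_c = mme_refreshed_key(k_asme, 1, cell_c)   # MME refresh after the HO
    return {
        # B's key was derived from A's: a compromised A could compute it
        "a_can_derive_b": derivable_from(k_enb_a, k_enb_b, cell_b),
        # C's key depends on material A never had: A cannot compute it
        "a_can_derive_c": derivable_from(k_enb_a, k_enb_c, cell_c),
        # A's own key was never passed on; B holds a different key
        "b_key_differs_from_a": k_enb_b != k_enb_a,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The first result is the reason the slide's third bullet exists: a one-way function alone limits damage to the keys derived after the compromised node, so the MME has to contribute fresh material after the handover to cut that forward chain as well.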
Secure tunnel for backhaul
Trusted environment inside HeNB

Between Access Network and Serving Network and within Access Network
Protect against attacks on wireline network
No security in 2G core network
Now security is needed:
Open and easily accessible protocols
New service providers (content, data service, HLR)
Network elements can be remote (eNB)

Border between security domains protected by Security Gateway (SEG)
[Diagram: security domain A with its SEG; Za interface between SEGs, Zb interfaces between SEG and NEs]

AuthN/integrity mandatory, encryption recommended, using IKEv1 or IKEv2 for negotiating, establishing and maintaining the secure ESP tunnel
Handle communication over (optional) Zb interface (SEG-NE or NE-NE)
Implement ESP tunnel and IKEv1 or IKEv2
ESP with AuthN, integrity, optional encryption
All traffic flows through SEG before leaving or entering security domain
Secure storage of long-term keys used for IKEv1 and IKEv2
Hop-by-hop security (chained tunnels or hub-and-spoke)

Between SEGs: tunnel mode
Key management: IKEv1 or IKEv2
Security associations from NE only to SEG or NEs in own domain

Application domain security
The set of security features that enable applications in the user and in the provider domain to securely exchange messages.
Secure messaging between the USIM and the network (TS 22.048)

Typically implemented on UICC (ISIM application)
UMTS AKA integrated into HTTP digest (RFC 3310)
NASS-IMS bundled AuthN

Architecture, mechanisms and algorithms
TS 33.102 Security architecture
TS 33.103 Integration guidelines
TS 35.20x Access network algorithm specifications

http://www.3gpp.org/ftp/Specs/archive/33_series/33.210/
http://www.3gpp.org/ftp/Specs/archive/33_series/33.310/
http://www.3gpp.org/ftp/Specs/archive/33_series/33.401/
TS 33.402 V9.0.0: SAE security aspects of non-3GPP access
http://www.3gpp.org/ftp/Specs/archive/33_series/33.402/
http://www.3gpp.org/ftp/Specs/archive/33_series/33.820/33820-810.zip

UMTS Authentication and Key Agreement (AKA)
Procedure to authenticate the user and establish a pair of cipher and integrity keys between VLR/SGSN and USIM
Source: ETRI

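The AKA slide names the procedure and its parties but does not show the exchange. The following Python walk-through is an added example, not from the slides or from any 3GPP specification: the MILENAGE functions f1 to f5 (TS 35.20x) are replaced by truncated HMAC-SHA256 stand-ins, and the class names, the constructed Ki and the AMF value are assumptions. What it demonstrates is the protocol shape the slide refers to: the home environment builds an authentication vector from Ki and a sequence number, the serving network (VLR/SGSN) forwards only RAND and AUTN and never learns Ki, the USIM authenticates the network via the MAC in AUTN and rejects a non-fresh SQN, and both sides end with the same CK/IK after RES matches XRES.

```python
import os
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


# Stand-ins for MILENAGE f1..f5 (assumption for this example): HMAC-SHA256
# truncated to the UMTS AKA field sizes. The real algorithms are in TS 35.20x.
def _f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    h = hmac.new(k, tag, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()

def f1(k, rand, sqn, amf): return _f(k, b"f1", rand, sqn, amf)[:8]  # MAC-A (8 bytes)
def f2(k, rand): return _f(k, b"f2", rand)[:8]                        # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand)[:16]                       # CK (16 bytes)
def f4(k, rand): return _f(k, b"f4", rand)[:16]                       # IK (16 bytes)
def f5(k, rand): return _f(k, b"f5", rand)[:6]                        # AK (6 bytes)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:          # what the HE sends to the serving network
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes


class HomeEnvironment:
    """HE/AuC: holds Ki and the subscriber's sequence number; produces vectors
    so that the serving network can authenticate the user without handling Ki."""
    def __init__(self, ki: bytes):
        self.ki, self.sqn = ki, 0

    def generate_av(self, rand: Optional[bytes] = None, amf: bytes = b"\x80\x00") -> AuthVector:
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = rand or os.urandom(16)
        ak = f5(self.ki, rand)
        mac = f1(self.ki, rand, sqn, amf)
        autn = xor(sqn, ak) + amf + mac      # AUTN = (SQN xor AK) || AMF || MAC
        return AuthVector(rand, f2(self.ki, rand), f3(self.ki, rand), f4(self.ki, rand), autn)


class USIM:
    """USIM: shares Ki with the HE, checks the network's MAC, rejects replayed
    SQNs, and returns RES together with its own copy of CK and IK."""
    def __init__(self, ki: bytes):
        self.ki, self.sqn_highest = ki, 0

    def respond(self, rand: bytes, autn: bytes) -> Tuple[bytes, bytes, bytes]:
        ak = f5(self.ki, rand)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        if not hmac.compare_digest(f1(self.ki, rand, sqn, amf), mac):
            raise ValueError("MAC failure: AUTN was not produced by our home network")
        if int.from_bytes(sqn, "big") <= self.sqn_highest:
            raise ValueError("synchronisation failure: SQN not fresh (replay)")
        self.sqn_highest = int.from_bytes(sqn, "big")
        return f2(self.ki, rand), f3(self.ki, rand), f4(self.ki, rand)


class ServingNetwork:
    """VLR/SGSN: sends RAND || AUTN to the USIM and compares RES with XRES.
    It only ever holds the vector, never Ki."""
    def authenticate(self, av: AuthVector, usim: USIM) -> Optional[Tuple[bytes, bytes]]:
        try:
            res, ck, ik = usim.respond(av.rand, av.autn)
        except ValueError:
            return None                      # USIM refused: network not authenticated
        if not hmac.compare_digest(res, av.xres):
            return None                      # user not authenticated
        return ck, ik                        # cipher and integrity keys now agreed


def run_aka(ki: bytes = b"constructed-Ki-for-demo-only-16B") -> dict:
    """Constructed walk-through: one successful run, a replay of the same vector
    (rejected by the SQN check) and a tampered AUTN (rejected by the MAC check)."""
    he, sn, usim = HomeEnvironment(ki), ServingNetwork(), USIM(ki)
    av = he.generate_av()
    keys = sn.authenticate(av, usim)
    tampered = AuthVector(av.rand, av.xres, av.ck, av.ik, av.autn[:-1] + bytes([av.autn[-1] ^ 1]))
    return {
        "success": keys is not None and keys == (av.ck, av.ik),
        "replay_rejected": sn.authenticate(av, usim) is None,
        "tampered_rejected": sn.authenticate(tampered, USIM(ki)) is None,
    }


if __name__ == "__main__":
    print(run_aka())
```

The split of roles is the point of the preceding SIM slide's "without having to handle Ki": only `HomeEnvironment` and `USIM` are constructed with the key, while `ServingNetwork` works entirely from the vector it was given.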
See you in 2 weeks for the Final Session!

[Diagram: UE, eNodeB, eNodeB, MME, S-GW, HSS, PCRF, PDN-GW, with per-interface security requirements: authentication required; encryption recommended; security mechanisms highly recommended for inter-network connections such as for roaming (under study?)]