Upload
aliirfan04
View
25.953
Download
11
Tags:
Embed Size (px)
DESCRIPTION
Overview of LTE Security architecture and key procedures.
Citation preview
Irfan Ali 1
LTE Security Overview
Irfan Ali
Version: 2 (October 2012)
Irfan Ali 2Irfan Ali 2
Overview
• Security in LTE Security Architecture for 3GPP During Attach
• Key Derivation• Mutual Authentication• NAS Security• AS Security
Handovers• Key derivation at target eNB
Irfan Ali 3Irfan Ali 3
Key Cryptographic Methods
• Two cryptographic Methods: Symmetric key: uses same key at both ends (shared key)
• Encryption algos: Data Encryption Standard (DES), 3DES,International Data Encryption Algorithm (IDEA)
• Used in UMTS and LTE Asymmetric key: uses two different keys (private and public
keys)
• Another tool used with the above is: Hash function: One way transformation, used for digital
signature generation.
LTE uses Symmetric Key Cryptography
Irfan Ali 4Irfan Ali 4
Symmetric Key Cryptography: Encryption and MessageAuthentication
A AAlice Bob
CommunicationMedium
m mc
Ke Kd
A (Ke, m) = cA (Kd, c) = m
A AlgorithmKe Encryption keyKd Decryption keym messageC encrypted message
Ke := Kd
Alice Bob
Hello
R1
R2, Kab( R1 | R2)
Kab( R2 | R1)
Mutual Authentication withSecret Key
DATA
MACD
ATAMAC
DATA
MAC=?
Alice Bob
Message Authentication or Integrity Protection withSecret Key
Secret Key
Secret Key
MACAlgorithm
MACAlgorithm
Irfan Ali 5Irfan Ali 5
3GPP Overall Security Architecture
IMS Internet
eNBeNB
MME
S-GW
S-GW
P-GWHSS
eNBRRC Connection
NAS Connection
HPLMN
Network AccessSecurity
User DomainSecurity
IMS Internet
eNB eNB
MME
S-GW
S-GW
P-GWHSS
eNB
HPLMNNetwork Domain
Security
SEG
SEG
Security Domain A
Security Domain B
SEG Security Gateway
VPLMN
Irfan Ali 6Irfan Ali 6
3GPP Overall Security Architecture• Network Access Security
Primarily radio link security• Encryption and Integrity protection of RRC• Encryption and Integrity protection of NAS• Encryption of Data Radio bearers (optional)
• Network Domain Security Security of the wireline network between
PLMNs• Key negoation using IKE• Use of ISAKMP for setting up the security
association between the SEG• Tunnel-mode ESP to be used
• Encryption triple DES• Data Integrity and Authentication: MD5 and SHA-1
• User Domain Security User – USIM authentication:
• Access to the USIM is restricted until theUSIM has authenticated the user. Use ofPIN. If user does not know PIN, user is notallowed to use SIM.
USIM – Terminal authentication• Used only for SIM-Locked Mobiles. When an
ME is SIM-locked (SIM/USIM personalisationindicator in the ME to "on“), the ME storesthe IMSI of the USIM. If the inserted USIMhas a different IMSI, the ME goes into aemergency call only mode. Ref TS 22.022Section 8.
IKE/ISAKMP
IPSec/ESP
IKE Internet Key ExchangeISAKMP Internet Security Association and Key Management ProtocolESP Encapsulation Security ProtocolIPSec IP Security
PLMN-A PLMN-B
• NOTE: Maintaining Security on wiredlinks within a security domain (i.e PLMN,eg between eNB and MME) isresponsibility of operator. Onlyrecommendations in 3GPPSpecifications. In general, links should be either
physically secured or through IPSec(NDS/IP)
Irfan Ali 7Irfan Ali 7
UE eNB
MME
SGW PGW
HSS
Encrypted Info
Integrity ProtectedInfo
ASME Access Security Management Entity (MME)CK, IK Ciphering Key, Integrity Protection Key
SRB-0
S1-MME
GTPC-1
GTP-U-10
GTP
C-1
GTP-U-10
S6a
Key Heirarchy for LTE
KasmeKasme Kasme
KeNBKeNB KeNB
SRB-2
SRB-1
CK, IKCK, IK
Data Radio Bearer-10
CK CK
KK
NAS
CK, IKCK, IK
Irfan Ali 8Irfan Ali 8
LTE Key Hierarchy
• ASME = AccessSecurityManagementEntity, locatedat the MME
USIM / AuC
UE / MMEKASME
K
KUPenc
KeNB / NH
KNASint
UE / HSS
UE / eNB
KNASenc
CK, IK
KRRCint KRRCenc
Irfan Ali 9Irfan Ali 9
Identity Protection
• The two permanent identities of UE are: IMSI (subscriber identity)
• Seldom send over the air (only during attach, if no other validtemporary ID is present in the UE).
• Temporary identities used instead (S-TMSI, GUTI) IMEI (hardware identity)
• Only sent to MME (in NAS), not to eNB.• Sent only after NAS security is setup (i.e encrypted and
integrity protected).
S-TMSI System architecture evolution Temporary Mobile Subscriber IdentityGUTI Globally Unique Temporary Identity
Irfan Ali 10Irfan Ali 10
General Security Characteristics
• Use of UMTS AKA (Authentication and Key Agreement) procedure• Use of 128-bit keys truncated from generated 256-bit keys• Ciphering Algorithms (AS and NAS):
0 = Null; 1= SNOW 3G; 2 = AES
• Integrity Algorithms (AS, NAS): 1= SNOW 3G; 2 = AES
• Access Stratum (AS), between eNB and UE: Ciphering applicable to both user traffic and RRC-level signaling traffic. Integrity protection applicable only to RRC-level signaling traffic. Integrity information is ciphered. Located at the PDCP sublayer in both eNB and UE
• Non-Access Stratum (NAS), between MME and UE: Ciphering and Integrity of NAS messages, independent of the AS security
• Keys change at every intra-E-UTRAN handover, including intra-eNB handovers.
Rel-8 UE is required tosupport these algorithms
AES Advanced Encryption Standard
Irfan Ali 11Irfan Ali 11
LTE AKA
Generate authenticationvectors AV(1..n)
Store authentication vectors AV(1..n)
Select authentication vector AV
Authentication data request(IMSI, VPLMN, NetworkType = E-UTRAN)
Authentication dataresponse AV
User authentication requestRAND || AUTN
User authentication responseRES
Compre RES and XRES
Verify AUTNCompute RES
HSSMMEUE
Function
SQN K RAND
XRES
AUTN
CK
IK
KDF
SQN
IMSI
VPLMN
Kasme
RAND
AUTN, RAND, XRES, KasmeAV
SQN RAND
RES CK
IK
KDF
SQN
IMSI
VPLMN
Kasme
RAND
USIM K
AUTN
Security ModeCommand Used to
Derive NAS keys fromKasme
AKA Authentication and Key AgreementAUTN Authentication TokeNGUTI Globally Unique Temporary IdentityKSI Key Set Identifier
Irfan Ali 12Irfan Ali 12
User authentication function in the USIM
K
SQN
RAND
f1 f2 f3 f4
f5
XMAC RES CK IK
AK
SQN AK AMF MAC
AUTN
Verify MAC = XMAC
Verify that SQN is in the correct range
AUTN Authentication TokeNAMF Authentication management fieldSQN Sequence NumberAK Anonymity KeyMAC Message Authentication Code
• USIM keeps track of last SQN received, SQNms• USIM only accepts a sequence number from HSS if
|SQN – SQNms | < ∆
Irfan Ali 13Irfan Ali 13
Overview of NAS and AS Security negotiationsHSSMME-1eNBUE
EPS-AKA EPS-AKA
Partial EPSnative Context.
NAS- Security Mode Command (SMC)NAS Security Algorithms decided here
Partial EPSnative
Context
Full EPSnative
Context
Full EPSnative
Context
Kasme, KSImmeCurrent eKSI Kasme Current
AS-SMCAS Security Algorithms decided here
AS Keys AS Keys
UE’s security Capability
ASME Access Security Management Entity (MME)KSI Key Set Identifier
Irfan Ali 14Irfan Ali 14
Negotiation of NAS/AS Enc & Inc Algorithm
ME provides support of different EPS encryption (EEA) and integrityprotection (EIA) algorithm support as part of “UE Network Capability”IE.
• The same set of ciphering and integrity algorithms shall be supported bythe UE both for AS and NAS level
The eNB and MME are configured with a prioritized list of EEA andEIA algorithms to use. Eg
• Priority-0 EIA2• Priority-1: EIA1
eNB/MME selects first intersection of configured algorithm with UE’scapability.
NAS and AS security algorithms can be different.
Irfan Ali 15Irfan Ali 15
Power-off/Power-on issue
• Power-off The objective is to store a fully valid native EPS security
context, preferably in USIM otherwise in non-volatilememory of the ME.
• Power-on Retrieve a “valid” EPS security context either from (a)
USIM, or (b) if-not from ME non-volatile memory. Thisbecomes the current EPS security context.
If no valid EPS security context can be retrieved, UEsignals to MME in attach that it has “no valid keys”.
Irfan Ali 16Irfan Ali 16
UE Performs attach – Part 1 of 3
DL-SCH: Common CC
1. Random Access PreambleRACH
2. Random AccessPreamble
UL-SCH: SRB0
3. RRC ConnectionRequest
DL-SCH: Common CC4. RRC Connection Setup
UL-SCH: SRB1
5. RRC Connection CompleteNAS Msg: AttachRequest IMSI
SGWPGWeNBUE
InternetMME
Random AccessProcedure
RRC SetupProcedure
NAS Msg PDNConnect Req
Irfan Ali 17Irfan Ali 17
6. Initial UE Message
S1-MME
NAS MSG: AttachRequest, IMSI, UENetwork Capability
NAS MSG: AttachRequest, IMSI, UENetwork Capability
UE Performs Attach – Part 2 of 3SGW
HSSeNBUE
PGW
MME
InterneteNB selects
MME
Encryption+ IntegrityProtection Algorithmsupport
S6a7. Auth Info RequestIMSI, VPLMN,Net=EUTRAN
8. Auth Info AnswerKasme, AUTN, RAND,XRES
9. DL NAS XportAuthn Request
UL-SCH: SRB1
10. DL Info XferAuthn Request:AUTN, RAND, eKSI
11. UL Info Transport 12. UL NAS XportAuthn Response
MME ComparesRES with XRES.If same, AKAsuccessful
DL-SCH:CCH SRB1
13. DL NAS Xport
UL-SCH: SRB1
14. DL Info Transport
Security ModeComplete
15. UL Info Transport 16. UL NAS XportSMC Complete
DL-SCH:CCH SRB1
SMC: eKSI, NAS Algo,UE Security Capability
NAS Security
Authn Response:RES
Security Mode Command
17. Location Update RequestIMSI, …
18. Location Update ResponseSubscription Data
MMEauthorizes UE
UserAuthenticationProcedure
NAS Security SetupProcedure
Authorization
NAS Msg PDNConnect Req
Irfan Ali 18Irfan Ali 18
S1-MME
UE Performs Attach – Part 3 of 3SGW
HSSeNBUE PGWMME InternetNAS Security GTPC
22. Create SessionResponse(IMSI, TEIDs)
19. Create SessionRequest ((IMSI, TEIDs,PGW IP,…)
GTPC-220. Create SessionRequest (IMSI, TEIDs, )
21. Create SessionResponse(IMSI, TEIDs)
23. Initial Context Setup Request(UE Context Info: UE SecurityCapability, KeNB
DL-SCH:CCH SRB124. RRC Security ModeCommand, AS Algorithm
UL-SCH: SRB1
25. RRC Security ModeComplete
31. UL NAS Xport
AS Security
Data Radio Bearer-10 GTP-U-10 TunnelGTPU-10 TunnelGTPC Tunnel GTPC-1 TunnelS1-MME
NAS: Attach AcceptNAS: Activatedefault bearer req
DL-SCH:CCH SRB2
27. RRC ConnectionReconfiguration
UL-SCH: SRB2
30. UL Information Transfer
NAS1NAS2
SRB-2SRB-1SRB-0
26. Obtain UE’s RadioCapability
GTPC
33. Modify Bearer Resp(IMSI, S1U TEID)
32. Modify BearerReq. (IMSI, TEIDs…)
AS Security SetupProcedure
SRB-2
NAS1 NAS2 NAS: Attach CompleteNAS: Activatedefault bearer acpt
29. Initial Context SetupComplete (S1U TEIDs)
28. RRC Reconfig Complete
Irfan Ali 19Irfan Ali 19
Kenb Key Derivation at S1 Handover
PCI: Physical Cell IdentityEARFCN-DL: E-UTRAN Absolute Frequency Channel –DLNH Next Hop ParameterNCC NH Chaining Counter
KeNB_1
Kasme
KeNB_1Kasme
KeNB_1
NH_1, NCC=1
NH_1, NCC=1
f1
NH_2 NCC=2PCIEARFCN-DL
Kenb_2
KeNB_2
KeNB_2
NCC=2
NH_2, NCC=2
KasmeNH_2, NCC=2
Kasme
NH_2, NCC=2
2
4
3 eNB computes Kenb_2 using funciton f1
5UE checks NCC value to be correctUE computes NH_2 using function f2.UE computes Kenb_2 using funciton f1
f2
{NH_2, NCC=2}
KasmeNH_1 NCC++MME
eNB_1 eNB_2
0Handover Required
1 MME creates NH_2 and NCC=2
Irfan Ali 20Irfan Ali 20
Specifications
TS 33.401 – LTE Security TS 33.102 – 3G Security