Present and future Standards for mobile internet and smart phone information security


Published on

Published in: Technology
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Present and future Standards for mobile internet and smart phone information security

  1. 1. Present and future Standards for mobile internet and smart phone information security Presented by Alain Sultan for MIIT and TMC visit to ETSI - September 2012© ETSI 2012. All rights reserved
  2. 2. Mobile Internet and Smart Phone Mobile Internet security: not addressed by 3GPP • Mobile IP refers to extensions of IP as to be able to address mobility • But the system defined by 3GPP is mobile by nature, so there is no need for these extensions Smart Phone security: not addressed by 3GPP • 3GPP defines Interfaces • The internal design of whatever system component (Mobile, Node B, MSC, etc.) is up to each manufacturer But Security is a major topic of 3GPP specifications, from the first phase of GSM (2G) until the latest phase of LTE (4G) • This is what this set of slides addresses
  3. 3. Standards for 2G/3G security
  4. 4. 2G/3G Security Overview Authentication Encryption
  5. 5. 2G/3G Authentication & Key Agreement (AKA) Authentication Non-encrypted -> -> Non-encrypted data data Encryption
  6. 6. A5 algorithms Contained in mobile devices and base stations Confidentiality between handset and base station • Protect voice and data traffic over radio path Versions of A5 available • A5/0: NULL • A5/1: original strong algorithm from 1986 => broken in 2009! • A5/2: weakened algorithm to be used outside US/Europe • A5/3: KASUMI-based new algorithm => mandatory from 2007 (but taking long to be deployed…) • A5/4: A5/3 with longer key (128-bit)
  7. 7. Standards for LTE security
  8. 8. LTE Security Characteristics of LTE Security • Re-use of UMTS Authentication and Key Agreement (AKA) • Use of USIM required (GSM SIM excluded, but Rel-99 USIM is sufficient) • Extended key hierarchy • Possibility for longer keys • Greater protection for backhaul • Integrated interworking security for legacy and non-3GPP networks
  9. 9. Authentication and key agreement (AKA) UTRAN SGSN GERAN HSS S3 S1-MME S6a MME S12 S11 S4 LTE-Uu S10 Serving S5 UE E-UTRAN Gateway S1-UHSS generates authentication data and provides it to MMEChallenge-response authentication and key agreement procedurebetween MME and UE • SIM access to LTE is explicitly excluded (USIM R99 onwards allowed)
  10. 10. Confidentiality and integrity of signaling UTRAN SGSN GERAN HSS S3 S1-MME S6a MME S12 S11 S4 LTE-Uu S10 Serving S5 UE E-UTRAN Gateway S1-U RRC signaling between UE and E-UTRAN • Encryption on PDCP layer NAS signaling between UE and MME
  11. 11. User plane confidentiality UTRAN SGSN GERAN HSS S3 S1-MME S6a MME S12 S11 S4 LTE-Uu S10 Serving S5 UE E-UTRAN Gateway S1-U S1 protection is not UE-specific • (Enhanced) network domain security mechanisms • based on IPSec • Optional • Integrity protection not available
  12. 12. LTE Authentication and Key Agreement UE eNB MME AuC NAS attach request (IMSI) AUTH data request (IMSI, SN_id) AUTH data response (AV={AUTN, XRES, RAND, Kasme}) NAS auth request (AUTN, RAND, KSIasme) NAS auth response (RES) NAS SMC (confidentiality and integrity algo) NAS Security Mode Complete S1AP Initial Context Setup RRC SMC (confidentiality and integrity algo) RRC Security Mode Complete
  13. 13. Indication of access network encryption Indication of access network encryption • user is informed whether confidentiality of user data is protected on the radio access link • in particular when non-ciphered calls are set-up
  14. 14. Security Algorithms
  15. 15. LTE Security Algorithms (1/2) Three separate algorithms specified • In addition to one NULL algorithm Current keylength 128 bits • Possibility to extend to 256 in the future Confidentiality protection of NAS/AS signalling recommended Integrity protection of NAS/AS signalling mandatory User data confidentiality protection recommended Ciphering/Deciphering applied on PDCP and NAS
  16. 16. LTE Security Algorithms (2/2) 128-EEA1/EIA1 • Based on SNOW 3G: stream cipher; keystream produced by Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM) • Different from KASUMI as possible • Allows for low power consumption 128-EEA2/EIA2 • AES block cipher • Counter (CTM) Mode for ciphering • CMAC Mode for MAC-I creation (integrity) • Different from SNOW 3G as possible, so cracking one would not affect the other • KASUMI not re-used: eNB already supports AES as well as other non-3GPP accesses, e.g. 802.11i 128-EEA3/EIA3 (Rel-11 onwards) • Based on ZUC (Zu Chongzhi): stream cipher • Developed by Data Assurance and Communication Security Research Center of Chinese Academy of Sciences (DACAS)
  17. 17. Lawful Interception
  18. 18. Lawful Interception in 3GPP Cost Political Interception Business Handover Legal Retrieval Analysis process Relations Storage
  19. 19. Lawful Interception in EPS Context and mechanisms similar to case of UMTS PS • Different core entities (ICE, Intercepting Control Elements) • ADMF handles requests from Law Enforcement Authorities • target identity: IMSI, MSISDN and IMEI • X1 interface provisions ICEs and Delivery Functions • X2 delivers IRI (Intercept Related Information) • X3 delivers CC (Content of Communication) • HI1,2,3: Handover Interfaces with law enforcement • Convey requests for interception of targets (HI1) • Deliver IRI (HI2) and CC (HI3) to LEAs
  20. 20. EPS LI Architecture UTRAN SGSN GERAN HSS S3 S1-MME S6a MME X2 PCRF S12 Rx S11 Gx S4 LTE-Uu S10 Serving PDN SGi Operators IP UE E-UTRAN Gateway Gateway Services (e.g. IMS, PSS etc.) S1-U X1_1 X2 X3 X1_3 Delivery ADMF Function 3 X1_2 Delivery Function 2 Mediation Mediation Mediation Function Function Function HI1 HI2 HI3 LEMF
  21. 21. Additional slides for more info More on LTE security • Backhaul Security • Relay Node Security IMS authentication Home (e) Node B security Status of work at 3GPP on Security issues Main 3GPP Security Standards
  22. 22. Conclusions Security is a major point of interest from GSM (2G) up to LTE (4G) GSM/UMTS Security: continues to evolve, recent introduction of A5/3 (planned before attack on old A5/1 succeeded) LTE Security: building on GSM and UMTS Security with newer security algorithms, longer keys, Extended key hierarchy Security aspects taken into consideration each time the system evolves (IMS, HNB, MTC, …)
  23. 23. Thank you! Contact Details: Thank you!23 © ETSI 2012. All rights reserved
  24. 24. Deeper Key hierarchy in LTE USIM / AuC K CK, IK UE / HSS KASME UE / ASME KNASenc KNASint KeNB UE / MME KUPint KUPenc KRRCint KRRCenc UE / eNB Faster handovers and key changes, independent of AKA Added complexity in handling of security contexts Security breaches local
  25. 25. Backhaul Security
  26. 26. Backhaul Security Base stations becoming more powerful • LTE eNode B includes functions of NodeB and RNC Coverage needs grow constantly Infrastructure sharing Not always possible to trust physical security of eNB Greater backhaul link protection necessary
  27. 27. Certificate Enrollmentfor Base Stations Operator root certificate pre-installed. RA/CA SEG Vendor root certificate Enrolled base station IPsec pre-installed. CMPv2 certificate is used in IKE/IPsec. Vendor-signed certificate of base station public keybase station obtains operator-signed base station pre-installed.certificate on its own public key from RA/CAusing CMPv2. Picture from 3GPP TS 33.310
  28. 28. Relay Node Security
  29. 29. Relay Node Authentication Mutual authentication between Relay Node and network • AKA used (RN attach) • credentials stored on UICC Binding of Relay Node and USIM: • Based on symmetric pre-shared keys, or • Based on certificates Radio Radio Donor Backhaul Core UE Relay eNB NW
  30. 30. Relay Node Security Control plane traffic integrity protected User plane traffic optionally integrity protected Relay Node and network connection confidentiality protected Device integrity check Secure environment for storing and processing sensitive data
  31. 31. IP Multimedia Subsystem (IMS) Security
  32. 32. More detailed view of IMS (2/2) Home Subscriber Server Media Resource • Centralized DB Function Controller • HLR successor Application • Pooling of Media servers • User profile Servers Domain • Filter criteria (sent to S- • Push-to-talk Name Server CSCF) • Instant messaging • Which applications • Telephony AS Media Gateway • Which conditions • 3rd party rd and MG Control IP CAN Function SIP Home Interfaces to Access Access DNS DNS AS AS PSTN/PLMN MGCF: MGCF: HSS HSS AS AS AS AS Network RTP ENUM ENUM • SIP  ISUP/BICC •  ISUP/BICC Diameter • controls the MGW (H.248) • the MGW (H.248) RTP SIP SIP MGW: MGW: Backbone • IP transport  e.g. •  e.g. Backbone P- P- SIP I- I- SIP S- S- SIP MRFC MRFC Packet TDM TDM Packet CSCF CSCF CSCF SIP CSCF CSCF CSCF • transcoding e.g. AMR  • Own/Visited Network Network MRF MRF MRF MRF G.711  SIP SIP P P P P G.711 Network SIP •Tones/Announcements •Tones/Announcements SIPCall Session BGCF BGCF MGCF MGCF ISUPControlFunction H.248 SS7 SS7• SIP registration PSTN PSTN RTP TDM MGW MGW• SIP sessionsetup Serving CSCF Proxy CSCF Proxy CSCF • 1 contact point for st st • Register UE • Session control • QoS • Application Interface Interrogating CSCF • Routes to I-CSCF - IMS User • Entry point for incoming calls Breakout Gateway Control Function - Charging Records Authentication • Determines S-CSCF for • Selects network (MGCF or other BGCF) - Lawful Interception - Loads IMS User Subscribers in which PSTN/ PLMN breakout is to - SIP Header Comp Profiles • Hides network topology occur - Service (AS) Control
  33. 33. Flow for IMS Registration UE GGSN P-CSCF I-CSCF S-CSCF AS HSSegister (no Integrity Key (IK), no Confidentiality Key (CK), no RES) 2. Register (“integrity-protected”=no, no RES) (find appropriate S-CSCF) 3. Register (“integrity-protected”=no, no RES) 4. Retrieval of Authentication Vector(s) for that PrivateID 5. RAND, AUTN, IK(HSS), CK (HSS), RES(HSS) 6. 401 non authorized (RAND, AUTN, IK(HSS), CK (HSS)) 7. 401 non authorized (RAND, AUTN) UE computes IK(UE), CK(UE) from AUTN and RES(UE) from RAND 8. Register (IK(UE), CK (UE), RES(UE)) P-CSCF compares IK(UE) and CK(UE) with IK(HSS) and CK(HSS). If identical, then “integrity-protected”=yes 9. Register (“integrity-protected”=yes, RES(UE)) I-CSCF compares RES(UE) with RES(HSS). If not identical, then registration failure 10. Update HSS 11. Update S-CSCF (User Profile: subscribed services, user pref., etc) 12. 200 OK 13. 200 OK
  34. 34. Home (e) Node B security
  35. 35. (out of scope for security)Datamodel cooperation with BBF RAN3 FF Produced stage 1,2,3 1. Influenced the data model Flat list of radio parameters SA5 Based on SA5 requirements 2. Derived info model (semantics) time Based on RAN3, FF input+ Broadband Forum Datamodel SA5 input (late in the process) ref. S5-091892, S5-092661
  36. 36. Threats countermeasures in Technical Report 33.820 3GPP TR 33.820 V8.2.0 (2009-09) Examples Technical Report 3rd Generation Partnership Project; Technical Specification Group Service and System Aspects; Security of H(e)NB; cloning of credentials (Release 8) physical tampering fraudulent software updates man-in-the-middle attacks Denial of service against core network Eavesdropping (identity theft, privacy breaches, …) The present document has been developed within the 3rd Generation Partnership Project (3GPP TM ) and may be further elaborated for the purposes of 3GPP. The present document has not been subject to any approval process by the 3GPP Organizational Partners and shall not be implemented. This Specification is provided for future development work within 3GPP only. The Organizational Partners accept no liability for any use of this Specification. Specifications and reports for implementation of the 3GPP TM system should be obtained via the 3GPP Organizational Partners Publications Offices.
  37. 37. Home (e)NB Security architecture (1/2) Operator’s AAA core Server/HSS network UE H(e)NB unsecure SeGW link H(e)NB GW H(e)MS H(e)MS Security Gateway (SeGW) • element at the edge of the core network terminating security association(s) for backhaul link between H(e)NB and core network H(e)MS – Home (e) NodeB Management System • management server that configures the H(e)NB according to the operator’s policy, instals software updates on the H(e)NB Hosting Party Module (HPM) • physical entity distinct from the H(e)NB physical equipment, dedicated to the identification and authentication of the Hosting Party towards the MNO Trusted Environment (TrE) • logical entity which provides a trustworthy environment for the execution of sensitive functions and the storage of sensitive data
  38. 38. Home (e)NB Security architecture (2/2) Operator’s AAA core Server/HSS network UE H(e)NB unsecure SeGW link H(e)NB GW H(e)MS H(e)MS Air interface between UE and H(e)NB backwards compatible with UTRAN H(e)NB access operator’s core network via a Security Gateway (SeGW) • Backhaul between H(e)NB and SeGW may be unsecure Security tunnel established between H(e)NB and SeGW • to protect information transmitted in backhaul link
  39. 39. H(e)NB Authentication Two separate concepts of authentication: Mutual authentication of H(e)NB and operator (SeGW) (mandatory) • Certificate based • Credentials stored in TrE in H(e)NB Authentication of hosting party by operator’s network (optional) • EAP-AKA based • credentials contained in separate Hosting Party Module (HPM) in H(e)NB • bundled with the device authentication (one step) Backhaul link protection • IPSec, IKEv2, based on H(e)NB/SeGW authentication
  40. 40. Other security mechanisms for H(e)NB Device Integrity Check • AV, SAV, Hybrid, … Location Locking • IP address based • Macro-cell/UE reporting based • (A)GPS based • Combination of the above Access Control Mechanism • ACL for Pre-R8 UE accessing HNB • CSG for H(e)NB Clock Synchronization • Based on backhaul link between H(e)NB and SeGW • Based on security protocol of clock synchronization protocol
  41. 41. H(e)NB security in the real world… location locking does NOT seem to work • in current commercial trials • HNBs operating from different countries • No roaming charges algorithm licensing is an issue • customers do not sign any agreement for use of COTS HNBs Lawful Interception • currently would not work in LIPA • would not work between CSG MSs camping on the same HNB rogue HNB roaming
  42. 42. Status of work at 3GPP on Security issues
  43. 43. Recently completed security activities at 3GPP (Rel-11)
  44. 44. Recently completed security activities at 3GPP (Rel-10)
  45. 45. Ongoing security activities at 3GPP
  46. 46. Main 3GPP Security Standards
  47. 47. Main 3GPP Security Standards UMTS Security: • 33.102 Security Architecture. • 33.105. 3GPP Cryptographic Algorithm Requirements. • 35.201. f8 and f9 Specification. • 35.202. KASUMI Specification. IMS Security: • 23.228 IMS Architecture. LTE Security: • 33.401 System Architecture Evolution (SAE); Security architecture • 33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP Lawful Interception: • 33.106 Lawful interception requirements • 33.107 Lawful interception architecture and functions • 33.108 Handover interface for Lawful Interception Key Derivation Function: • 33.220 GAA: Generic Bootstrapping Architecture (GBA) Backhaul Security: • 33.310 Network Domain Security (NDS); Authentication Framework (AF) Relay Node Security • 33.816 Feasibility study on LTE relay node security (also 33.401) Home (e) Node B Security: • 33.320 Home (evolved) Node B Security All documents available for free at: