Lte security overview


Published on

Overview of LTE Security architecture and key procedures.

Published in: Technology
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Lte security overview

  1. 1. LTE Security Overview Irfan Ali Version: 2 (October 2012)Irfan Ali 1
  2. 2. Overview • Security in LTE  Security Architecture for 3GPP  During Attach • Key Derivation • Mutual Authentication • NAS Security • AS Security  Handovers • Key derivation at target eNBIrfan Ali Irfan Ali 2 2
  3. 3. Key Cryptographic Methods • Two cryptographic Methods:  Symmetric key: uses same key at both ends (shared key) • Encryption algos: Data Encryption Standard (DES), 3DES, International Data Encryption Algorithm (IDEA) • Used in UMTS and LTE  Asymmetric key: uses two different keys (private and public keys) • Another tool used with the above is:  Hash function: One way transformation, used for digital signature generation. LTE uses Symmetric Key CryptographyIrfan Ali Irfan Ali 3 3
  4. 4. Symmetric Key Cryptography: Encryption and Message Authentication Alice Bob m c m A A Communication Medium Ke Kd A Algorithm A (Ke, m) = c Ke Encryption key A (Kd, c) = m Kd Decryption key m message C encrypted message Ke := Kd Alice Bob Alice Bob Secret Key Hello DATA DATA R1 DATA MAC Algorithm R2, Kab( R1 | R2) Secret Key MAC MAC =? Kab( R2 | R1) MAC MAC Algorithm Mutual Authentication with Message Authentication or Integrity Protection with Secret Key Secret KeyIrfan Ali Irfan Ali 4 4
  5. 5. 3GPP Overall Security Architecture Network Domain HPLMN Security Security Domain B HPLMN Internet IMS Internet IMS HSS HSS P-GW P-GW SEG SEG S-GW S-GW S-GW S-GW MME MME eNB eNB eNB eNB eNB VPLMN eNB RRC Connection Security Domain AUser Domain Security Network Access Security NAS ConnectionIrfan Ali Irfan Ali 5 5 SEG Security Gateway
  6. 6. 3GPP Overall Security Architecture • Network Access Security  Primarily radio link security • Encryption and Integrity protection of RRC • Encryption and Integrity protection of NAS • Encryption of Data Radio bearers (optional) • Network Domain Security PLMN-A PLMN-B  Security of the wireline network between IKE/ISAKMP PLMNs • Key negoation using IKE IPSec/ESP • Use of ISAKMP for setting up the security association between the SEG • Tunnel-mode ESP to be used • Encryption triple DES • Data Integrity and Authentication: MD5 and SHA-1 • User Domain Security  User – USIM authentication: • NOTE: Maintaining Security on wired • Access to the USIM is restricted until the links within a security domain (i.e PLMN USIM has authenticated the user. Use of ,eg between eNB and MME) is PIN. If user does not know PIN, user is not responsibility of operator. Only allowed to use SIM. recommendations in 3GPP  USIM – Terminal authentication Specifications. • Used only for SIM-Locked Mobiles. When an ME is SIM-locked (SIM/USIM personalisation  In general, links should be either indicator in the ME to "on“), the ME stores physically secured or through IPSec the IMSI of the USIM. If the inserted USIM (NDS/IP) has a different IMSI, the ME goes into a emergency call only mode. Ref TS 22.022 Section 8. IKE Internet Key Exchange ISAKMP Internet Security Association and Key Management ProtocolIrfan Ali Irfan Ali ESP Encapsulation Security Protocol 6 IPSec 6 IP Security
  7. 7. Key Heirarchy for LTE HSS MME K K S6a Kasme Kasme Kasme KeNB SRB-0 KeNB KeNB SRB-1 S1-MME SRB-2 NAS GTPC-1 CK, IK CK, IK CK, IK CK, IK GTPC-1 Data Radio Bearer-10 GTP-U-10 GTP-U-10 CK CK UE eNB SGW PGW Encrypted Info ASME Access Security Management Entity (MME) CK, IK Ciphering Key, Integrity Protection Key Integrity ProtectedIrfan Ali Irfan Ali Info 7 7
  8. 8. LTE Key Hierarchy USIM / AuC K CK, IK UE / HSS KASME UE / MME • ASME = Access Security KNASenc KNASint Management KeNB / NH Entity, located at the MME UE / eNB KUPenc KRRCint KRRCencIrfan Ali Irfan Ali 8 8
  9. 9. Identity Protection • The two permanent identities of UE are:  IMSI (subscriber identity) • Seldom send over the air (only during attach, if no other valid temporary ID is present in the UE). • Temporary identities used instead (S-TMSI, GUTI)  IMEI (hardware identity) • Only sent to MME (in NAS), not to eNB. • Sent only after NAS security is setup (i.e encrypted and integrity protected).Irfan Ali Irfan Ali S-TMSI GUTI System architecture evolution Temporary Mobile Subscriber Identity 9 9 Globally Unique Temporary Identity
  10. 10. General Security Characteristics • Use of UMTS AKA (Authentication and Key Agreement) procedure • Use of 128-bit keys truncated from generated 256-bit keys • Ciphering Algorithms (AS and NAS):  0 = Null;  1= SNOW 3G;  2 = AES Rel-8 UE is required to • Integrity Algorithms (AS, NAS): support these algorithms  1= SNOW 3G;  2 = AES • Access Stratum (AS), between eNB and UE:  Ciphering applicable to both user traffic and RRC-level signaling traffic.  Integrity protection applicable only to RRC-level signaling traffic. Integrity information is ciphered.  Located at the PDCP sublayer in both eNB and UE • Non-Access Stratum (NAS), between MME and UE:  Ciphering and Integrity of NAS messages, independent of the AS security • Keys change at every intra-E-UTRAN handover, including intra-eNB handovers.Irfan Ali Irfan Ali 10 10 AES Advanced Encryption Standard
  11. 11. LTE AKA SQN AUTN RAND UE MME HSS SQN K RAND Authentication data request (IMSI, VPLMN, Network USIM K Type = E-UTRAN) Function Generate authentication CK vectors AV(1..n) RES XRES IK CK RANDSQN VPLMN Authentication data AUTN IK response AV RAND SQN VPLMN IMSI Store authentication vectors AV(1..n) IMSI KDF Select authentication vector AV KDF Kasme User authentication request RAND || AUTN Kasme Verify AUTN Compute RES AV AUTN, RAND, XRES, Kasme User authentication response RES Compre RES and XRES AKA Authentication and Key Agreement AUTN Authentication TokeN Security Mode GUTI Globally Unique Temporary Identity Command Used to KSI Key Set Identifier Derive NAS keys from KasmeIrfan Ali Irfan Ali 11 11
  12. 12. User authentication function in the USIM RAND AUTN f5 SQN  AK AMF MAC AK  SQN K f1 f2 f3 f4 XMAC RES CK IK Verify MAC = XMAC • USIM keeps track of last SQN received, SQNms • USIM only accepts a sequence number from HSS if |SQN – SQNms | < ∆ Verify that SQN is in the correct range AUTN Authentication TokeN AMF Authentication management field SQN Sequence Number AK Anonymity Key MAC Message Authentication CodeIrfan Ali Irfan Ali 12 12
  13. 13. Overview of NAS and AS Security negotiations UE eNB MME-1 HSS EPS-AKA EPS-AKA Partial EPS Partial EPS native Context. native Context NAS- Security Mode Command (SMC) NAS Security Algorithms decided here Full EPS Full EPS native native Context Context CurrentKasme, KSImme eKSI Kasme Current UE’s security Capability AS-SMC AS Security Algorithms decided here AS Keys AS Keys ASME Access Security Management Entity (MME)Irfan Ali Irfan Ali 13 13 KSI Key Set Identifier
  14. 14. Negotiation of NAS/AS Enc & Inc Algorithm  ME provides support of different EPS encryption (EEA) and integrity protection (EIA) algorithm support as part of “UE Network Capability” IE. • The same set of ciphering and integrity algorithms shall be supported by the UE both for AS and NAS level  The eNB and MME are configured with a prioritized list of EEA and EIA algorithms to use. Eg • Priority-0 EIA2 • Priority-1: EIA1  eNB/MME selects first intersection of configured algorithm with UE’s capability.  NAS and AS security algorithms can be different.Irfan Ali Irfan Ali 14 14
  15. 15. Power-off/Power-on issue • Power-off  The objective is to store a fully valid native EPS security context, preferably in USIM otherwise in non-volatile memory of the ME. • Power-on  Retrieve a “valid” EPS security context either from (a) USIM, or (b) if-not from ME non-volatile memory. This becomes the current EPS security context.  If no valid EPS security context can be retrieved, UE signals to MME in attach that it has “no valid keys”.Irfan Ali Irfan Ali 15 15
  16. 16. UE Performs attach – Part 1 of 3 Internet UE PGW eNB MME SGW RACH 1. Random Access Preamble Random Access Procedure DL-SCH: Common CC 2. Random Access Preamble UL-SCH: SRB0 3. RRC Connection Request RRC Setup DL-SCH: Common CC Procedure 4. RRC Connection Setup UL-SCH: SRB1 5. RRC Connection Complete NAS Msg: Attach Request IMSI NAS Msg PDN Connect ReqIrfan Ali Irfan Ali 16 16
  17. 17. UE Performs Attach – Part 2 of 3 HSS UE eNB MME SGW Encryption PGW + Integrity Interne eNB selects MME Protection Algorithm support NAS MSG: Attach S1-MME Request, IMSI, UE S6a Network Capability 6. Initial UE Message 7. Auth Info Request NAS MSG: Attach IMSI, VPLMN,Net=EUTRAN Request, IMSI, UE Network Capability 8. Auth Info Answer NAS Msg PDN Kasme, AUTN, RAND,XRES DL-SCH:CCH SRB1 Connect Req User Authentication 10. DL Info Xfer 9. DL NAS Xport Procedure Authn Request: Authn Request MME Compares AUTN, RAND, eKSI RES with XRES. If same, AKA 11. UL Info Transport successful 12. UL NAS Xport Authn Response Authn Response: RES UL-SCH: SRB1 DL-SCH:CCH SRB1 13. DL NAS Xport 14. DL Info Transport SMC: eKSI, NAS Algo, NAS Security Setup Security Mode Command UE Security Capability Procedure 15. UL Info Transport 16. UL NAS Xport Security Mode SMC Complete Complete 17. Location Update Request UL-SCH: SRB1 IMSI, … Authorization NAS Security 18. Location Update Response Subscription Data MMEIrfan Ali Irfan Ali 17 UE authorizes17
  18. 18. UE Performs Attach – Part 3 of 3 HSS PGW UE eNB MME SGW Interne NAS Security GTPC 19. Create Session GTPC-2 Request ((IMSI, TEIDs, 20. Create Session PGW IP,…) Request (IMSI, TEIDs, ) S1-MME 21. Create Session DL-SCH:CCH SRB1 22. Create Session 23. Initial Context Setup Request Response 24. RRC Security Mode Response(IMSI, TEIDs) (UE Context Info: UE Security (IMSI, TEIDs) Command, AS Algorithm Capability, KeNB UL-SCH: SRB1 NAS: Attach Accept NAS: Activate 25. RRC Security Mode default bearer req AS Security Setup Complete Procedure SRB-2 AS Security 26. Obtain UE’s Radio Capability DL-SCH:CCH SRB2 27. RRC Connection Reconfiguration NAS1 NAS2 UL-SCH: SRB2 28. RRC Reconfig Complete 29. Initial Context Setup Complete (S1U TEIDs) 30. UL Information Transfer GTPC 31. UL NAS Xport NAS1 NAS2 32. Modify Bearer NAS: Attach Complete Req. (IMSI, TEIDs…) NAS: Activate SRB-0 default bearer acpt 33. Modify Bearer Resp (IMSI, S1U TEID) SRB-1 SRB-2 S1-MME GTPC Tunnel GTPC-1 Tunnel Data Radio Bearer-10 GTPU-10 Tunnel GTP-U-10 TunnelIrfan Ali Irfan Ali 18 18
  19. 19. Kenb Key Derivation at S1 Handover 1 MME creates NH_2 and NCC=2 NH_1 NCC++ MME Kasme NH_1, NCC=1 NH_2, NCC=2 f2 Kasme Kasme {NH_2, NCC=2} KeNB_1 2 NH_2, NCC=2 0 Handover Required 3 eNB computes Kenb_2 using funciton f1 eNB_1 eNB_2 PCI NH_2 NCC=2 K eNB_2 EARFCN-DL KeNB_1 f1 4 NCC=2 Kenb_2 Kasme KeNB_1 KeNB_2 NH_1, NCC=1 UE checks NCC value to be correct Kasme 5 UE computes NH_2 using function f2. NH_2, NCC=2 UE computes Kenb_2 using funciton f1 PCI: Physical Cell Identity EARFCN-DL: E-UTRAN Absolute Frequency Channel –DLIrfan Ali Irfan Ali 19 19 NH NCC Next Hop Parameter NH Chaining Counter
  20. 20. Specifications  TS 33.401 – LTE Security  TS 33.102 – 3G SecurityIrfan Ali Irfan Ali 20 20