The Long Term Evolution (LTE) is the latest step in an advancing series of mobile telecommunications systems. In this paper, authors show interest on the security features and the cryptographic algorithms used to ensure confidentiality and integrity of the transmitted data. A closer look is taken upon EPS confidentiality and integrity algorithms. The authors also defined AKA, AS and NAS security and key derivations during normal Attach process and Handover also.
4G-LTE Paging is made simple and easy. How is paging handled in NAS, RRC and Physical layer. With DRX cycle, how will UE NOT miss any paging and synchronised? How to implement paging in RRC?
4G-LTE Paging is made simple and easy. How is paging handled in NAS, RRC and Physical layer. With DRX cycle, how will UE NOT miss any paging and synchronised? How to implement paging in RRC?
LTE specifications support the use of multiple antennas at both transmitter (tx) and receiver (rx). MIMO (Multiple Input Multiple
Output) uses this antenna configuration.
LTE specifications support up to 4 antennas at the tx side and up to 4 antennas at the rx side (here referred to as 4x4 MIMO
configuration).
In the first release of LTE it is likely that the UE only has 1 tx antenna, even if it uses 2 rx antennas. This leads to that so called
Single User MIMO (SU-MIMO) will be supported only in DL (and maximum 2x2 configuration).
It is a handbook of UMTS/LTE/EPC CSFB call flows.
This document is originally edited by Justin MA and it is free to share to everyone who are interested.
All reference/resource are from internet. If there is any copy-right issue, please kindly inform Justin by majachang@gmail.com.
Thanks for your reading!
LTE Location Management and Mobility Managementaliirfan04
Provides an overview of power management (connected and idle mode) and mobility management (both idle-mode mobility (cell selection and re-selection) and active mode (handovers).
LTE Measurement: How to test a device
This course provides an overview with practical examples and exercises on how to test a LTE-capable device while performing standardized RF measurements such as power, signal quality, spectrum and receier sensitivity, and how to automate these measurements in a simple and cost-effective way. We will present testing of LTE handsets in terms of protocol signaling scenarios and handover to other radio technologies for interoperability. This course will demonstrate end-to-end (E2E), throughput and application testing using the Rohde & Schwarz R&S®CMW500 Wideband Radio Communication Tester. Examles of application tests are voice over LTE, (VoLTE) or Video over LTE.
This tutorial has been designed for audiences with a need to understand the LTE technology basics in very simple terms. This tutorial will give you enough understanding on LTE technology from where you can take yourself at higher level of expertise.
LTE is designed with strong cryptographic techniques, mutual authentication between LTE network elements with security mechanisms built into its architecture.
With the emergence of the open, all IP based, distributed architecture of LTE, attackers can target mobile devices and networks with spam, eavesdropping, malware, IP-spoofing, data and service theft, DDoS attacks and numerous other variants of cyber-attacks and crimes.
LTE specifications support the use of multiple antennas at both transmitter (tx) and receiver (rx). MIMO (Multiple Input Multiple
Output) uses this antenna configuration.
LTE specifications support up to 4 antennas at the tx side and up to 4 antennas at the rx side (here referred to as 4x4 MIMO
configuration).
In the first release of LTE it is likely that the UE only has 1 tx antenna, even if it uses 2 rx antennas. This leads to that so called
Single User MIMO (SU-MIMO) will be supported only in DL (and maximum 2x2 configuration).
It is a handbook of UMTS/LTE/EPC CSFB call flows.
This document is originally edited by Justin MA and it is free to share to everyone who are interested.
All reference/resource are from internet. If there is any copy-right issue, please kindly inform Justin by majachang@gmail.com.
Thanks for your reading!
LTE Location Management and Mobility Managementaliirfan04
Provides an overview of power management (connected and idle mode) and mobility management (both idle-mode mobility (cell selection and re-selection) and active mode (handovers).
LTE Measurement: How to test a device
This course provides an overview with practical examples and exercises on how to test a LTE-capable device while performing standardized RF measurements such as power, signal quality, spectrum and receier sensitivity, and how to automate these measurements in a simple and cost-effective way. We will present testing of LTE handsets in terms of protocol signaling scenarios and handover to other radio technologies for interoperability. This course will demonstrate end-to-end (E2E), throughput and application testing using the Rohde & Schwarz R&S®CMW500 Wideband Radio Communication Tester. Examles of application tests are voice over LTE, (VoLTE) or Video over LTE.
This tutorial has been designed for audiences with a need to understand the LTE technology basics in very simple terms. This tutorial will give you enough understanding on LTE technology from where you can take yourself at higher level of expertise.
LTE is designed with strong cryptographic techniques, mutual authentication between LTE network elements with security mechanisms built into its architecture.
With the emergence of the open, all IP based, distributed architecture of LTE, attackers can target mobile devices and networks with spam, eavesdropping, malware, IP-spoofing, data and service theft, DDoS attacks and numerous other variants of cyber-attacks and crimes.
This paper clarifies the standards defined around LTE network security by standard development organizations including 3GPP, ITU, ETSI, and industry group NGMN. It also examines the different security borders of the mobile network, and delves deeper into the requirements of the Mobile Access Border - the border between the RAN and the core (S1).
Andy sutton - Multi-RAT mobile backhaul for Het-Netshmatthews1
At our 5th Telecoms Evangelist meet up Andy Sutton of EE gave a fantastic presentation reviewing the latest trends and developments in mobile backhaul architecture, strategy and technology. Starting with a review of backhaul capacity, performance requirements and protocol architecture, the presentation initially focused on the macro cell layer before going on to discuss options for evolving towards a true multi-layered heterogeneous network. Take a look!
Authentication and Key Agreement in 3GPP Networks csandit
The huge demand for mobile communications with broad band and usage of new wireless
applications motivated the development of new wireless access technologies. The recent
expansion of wireless technologies, novel applications and the advancement in mobile technology after UMTS-3G has been taken up to the next level by the 3GPP Long Tem
Evolution/System Architecture Evolution (LTE/SAE). It has achieved the realisation of better bandwidth, full interworking with other access/backend systems using all-IP architecture with well-defined interworking with circuit switched system. The system is defined to work across multiple access networks (3GPP and non 3GPP) may be trusted or non-trusted. The security mechanism in wireless area has evolved from original analog systems through GSM and
UMTS. The GSM has focussed the security for radio path whereas UMTS has enhanced it in to network functionalities. The future networks based on IP mechanism demands more security features, since the threats related to IP are also possible.
EVALUATION OF SECURITY ATTACKS ON UMTS AUTHENTICATION MECHANISMIJNSA Journal
In this study security of internet access over the Third Generation (3G) telecommunication systems is considered and Universal Mobile Telecommunications System (UMTS) is selected as the most popular system among 3G systems. The study then focuses on network access security mechanism of UMTS, called Authentication and Key Agreement (AKA). In addition, twenty types of important attacks and threats in UMTS system are presented and classified based on three major security factors; authentication, confidentiality, and data integrity. The evaluations finally show that the authentication factor is more interesting than other factors for hackers. Then, we describe four attacks named; man-inthe-middle, denial of service, identity catching, and redirection as the most significant attacks against authentication mechanism. Furthermore, we provide some solutions and methods to improve AKA
mechanism and prevent these attacks in UMTS system.
The Internet of Things (IoT) offers many industries significant new opportunities, but it also exposes them and their customers to a host of security issues. Securing the IoT requires new ways of thinking that can defend the enterprise and its customers against attackers and privacy abuses.
CERTIFICATELESS SCHEME BASED NTRU CRYPTOSYSTEM FOR AD-HOC UWB-IR NETWORKijwmn
From the radar and military research world’s, the Ultra-WideBand Impulse Radio (UWB-IR) was
adopted in the telecommunications world in the 1990’. Currently, the UWB-IR technology is an
interesting candidate for close range Wireless Sensors Networks (WSNs). It is particularly attractive
for industrial sensor networks due to its resilience to multipath interference, simple transceiver
circuitry, accurate ranging ability, and low transmission power. In order to secure data and communications
in the Ad-Hoc UWB-IR networks, UWB-IR requires suitable encryption protocols. In
this paper, we review and summarize the IEEE 802.15.4 security sub-layer protocol of UWB-IR
based Symmetric Key Cryptography scheme. Then, we highlight the different vulnerabilities and
weaknesses present in this type of scheme. Finally, we prove, after a deep examination of multiple
Public Key Cryptography (PKC) schemes, that the certificateless one is the most suitable for Ad-Hoc
UWB-IR networks characterized by nodes mobility. Indeed, we have also evaluated and analyzed the
different public key cryptosystems (PKCS) and concluded that NTRU is the most optimum public
key cryptosystem to be used with the certificateless scheme in order to secure data and communications
in Ad-Hoc UWB-IR Networks. This is due to the fact that it is the fastest PKCS to provide
different security levels at a high speed with very constrained resources.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
The broadcast nature of radio medium in GSM networks makes them more vulnerable to various attacks. Any attacker can have complete control over the communication channel, listen to phone calls, read email, and spy on whatever data has been sent via GSM mobile communication system. This paper introduces a middleware security system that aims to protect the GSM communication channel and minimize the computational overheads of the provided authentication and cryptographic schemes of the network The proposed scheme supports an end-to-end secured communication between the GSM mobile devices and the GSM base stations; insure compatibility between wireless GSM devices (telephones, PDAs, etc.), and easy to install without any modification of the current systems.
The broadcast nature of radio medium in GSM networks makes them more vulnerable to various attacks.
Any attacker can have complete control over the communication channel, listen to phone calls, read email,
and spy on whatever data has been sent via GSM mobile communication system. This paper introduces a
middleware security system that aims to protect the GSM communication channel and minimize the
computational overheads of the provided authentication and cryptographic schemes of the network The
proposed scheme supports an end-to-end secured communication between the GSM mobile devices and the
GSM base stations; insure compatibility between wireless GSM devices (telephones, PDAs, etc.), and easy
to install without any modification of the current systems
5th generation mobile networks or 5th generation wireless systems is abbreviated as 5G, and proposed next telecommunications standards beyond the current 4G/IMT-Advanced standards. 5G planning aims at higher capacity than current 4G, allowing a higher density of mobile broadband users, and supporting device-to-device, ultra reliable, and massive machine communications. Its research and development also aims at lower latency than 4G equipment and lower battery consumption, for better implementation of the Internet of things.
5G Transport Network Requirement for Indian Telecom By Subrata SenSukhvinder Singh Malik
There are few people whom we meet and connect instantly. Recently, We met Subrata Sen, (Head, Fiber/Transport Planning at Bharti Infratel Ltd) and veteran in telecom industry during a conference. During our conversation, we had long discussion about upcoming technologies and how important the backhaul , specially fiber is for future network.
For example, if we wish to move our telco infrastructure to Cloud, virtualize our network elements, do we have the capability to move all data traffic to centralized cloud? Mr. Sen provided his expert opinion on how the transport network needs to be redesigned and what are important parameters for the same.
Smart poles as a concept is not new but is getting extremely popular with Smart cities and Small cells. Penetration of smart phones and exponential growth of data consumption has pushed operators to deploy more sites to meet both coverage and capacity requirements. Interference and frequency re-use limitation stops operators to deploy more high-power macro sites and hence operators are moving towards low power solutions to cover hotspots.
Trai has recently invited companies for a Pilot Wi-Fi open Network. Trai relates the same with PCOs which were used to do the voice calls and were very popular hotspots before the mobile phones or home landlines became the ultimate mode of communication.
Pilot project called as Wi-Fi Access Network Interface (WANI) is planned to run on a partnership model, wherein to setup Wi-Fi hotspots (or PDOs, Public Data offices) by acquiring bandwidth from multiple Internet Service Providers (ISPs) and re-selling services as data to end customers at a lower rate
To meet the new connectivity requirements of the emerging IoT segment, 3GPP has taken evolutionary steps on both the network side and the device side. A single technology or solution cannot be ideal to all the different potential IoT applications, market situations and spectrum availability. As a result, the 3GPP standardizing several technologies, including Extended Coverage GSM (EC-GSM), LTE-M and NB-IoT.
LTE-M, NB-IoT and EC-GSM are all superior solutions to meet IoT requirements as a family of solutions, and can complement each other based on technology availability, use case requirements and deployment scenarios. The evolution for these technologies is shown in figure #5. Technical studies and normative work for the support of Machine Type Communication (MTC) as part of 3GPP LTE specifications for RAN began in 3GPP Release 12 and are continuing with the goals of developing features optimized for devices with MTC traffic.
As a consequence of the proliferation of smart phones and tablets, data traffic is growing significantly, both on the radio access links and the backhaul infrastructure of mobile operators’ networks. And although LTE and LTE Advanced offer higher data traffic throughput than that of 3G, given to their wider allocated bandwidths, the combined capacities of even these networks is not sufficient to meet projected future capacity demands.
The conventional solution to increasing the capacity of LTE mobile networks includes splitting macro-cells and/or adding more sites. Both of these solutions require high CAPEX and OPEX, so mobile operators are seeking new and cost effective ways of increasing their network capacity. One solution is to deploy small-cell base stations (BSs) within their existing macro-cellular networks, an approach referred to as Heterogeneous Networks.
It is well known that a HetNet not only increases the network capacity, but also provides better coverage and enhances the user’s experience. These benefits are achieved by offloading data traffic dynamically from MCBSs to SCBSs using an algorithm based on several parameters such as the characteristics of the traffic, the required QoS and network
Radio Link Analysis for 4G TD- LTE Technology at 2.3 GHz FrequencySukhvinder Singh Malik
The Long Term Evolution (LTE) is the latest step in an advancing series of mobile telecommunications systems.
In this paper, authors show interest on the link budgeting the information presented here will help readers understand how the budgeting will be done in LTE. This paper provides
dimensioning of LTE for particular city.
This will provides the number of cell count. Here we tell about a GUI MATLAB System for calculation of no. of resources required to provide services in particular area with optimum cost and better quality.
Abstract— Scheduler is the backbone of intelligence in a LTE network. Scheduler will often have clashing needs that can make its design very complex and non-trivial.
The overall system throughput needs to be maintained at the best possible value without sacrificing the cell edge user experience.
In this paper, authors compared different scheduler designs for voice and packet services. They explained the role of configuration parameters through simulations. These parameters control the tradeoff between the sector throughput and the fairness in system through. They explained a possible scheduler implementation.
COMPARISON OF BER AND NUMBER OF ERRORS WITH DIFFERENT MODULATION TECHNIQUES I...Sukhvinder Singh Malik
This paper provides analysis of BER and Number of Errors for MIMO-OFDM wireless communication system by using different modulation techniques. Wireless designers constantly seek to improve the spectrum efficiency/capacity, coverage of wireless networks, and link reliability. So the performances of the wireless communication systems can be enhanced by using multiple transmit and receive antennas, which is generally referred to as the MIMO technique. Here analysis will be carried out for an OFDM wireless communication system using different modulation techniques and considering the effect and the wireless channel like AWGN, fading. Performance results will be evaluated numerically and graphically using the plots of BER versus SNR and plots of number of errors versus SNR.
RF testing has remained hype for most of us. But seriously it is not so. It can be very interesting and one can develop a lot of interest in this if given an opportunity.
In this paper, authors have started with the some basic concepts of radio engineering which we studied in engineering and built upon these concepts to use in practical applications.
We have also described the basic principles of Signal Analyzer and Signal Generator which are the most common test tools used for any radio testing.
In our daily life we see so many antennas everywhere, from simple radio transreceiver to big tower antennas and DTH antennas. Antenna is a magical element in the field of communication. Nobody can dream of wireless communication without the use of antennas. It’s the antenna which creates the magic in the air and makes wireless communication possible.
In this paper authors will discuss about the cellular antennas. They will concentrate mainly on fundamentals of antenna, relationship between frequency, wavelength and dipole wave propagation and parameters of antenna like Gain, VSWR, SFR and FBR etc.
Authors also discuss about types of down tilt, generic requirements of antennas, selection of antennas and beam forming and active antenna systems.
In this paper, we discussed about LTE system throughput calculation for both TDD and FDD system.
3GPP LTE technology support both TDD and FDD multiplexing. The paper describes all the factors which affect the throughput like Bandwidth, Modulation, UE category and mulplexing. It also describes how we get throughput 300Mbps in DL and 75Mbps in UL and what are assumptions taken to calculate the same.
Paper describes the steps and formulae to calculate the throughput for FDD system for TDD Config 1 and Config 2.
The throughput calculations shown in this paper is theoretical and limited by the assumptions taken to calculate for calculations
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
Security In LTE Access Network
1. January 2014
Nisha Malik, Sukhvinder Malik, Preet Rekhi,
Rahul Atri, Mandeep Arora
Security in LTE Access
Network
1. Introduction
The Long Term Evolution (LTE) is the latest step in an advancing series
of mobile telecommunications systems. In this paper, authors show
interest on the security features and the cryptographic algorithms used to
ensure confidentiality and integrity of the transmitted data. A closer look
is taken upon EPS confidentiality and integrity algorithms. The authors
also defined AKA, AS and NAS security and key derivations during
normal Attach process and Handover also.
Contents
MSIN and IMEI should be confidentially protected,
IMEI should be send only after NAS security is activated.
The UE shall provide its equipment identifier IMEI or IMEISV to
the network, if the network asks for it in an integrity-protected
request
USIM is used instead of Normal GSM SIM
When the UE has no IMSI, no valid GUTI, or no valid P-TMSI
during emergency attach, the IMEI is included before the NAS
security has been activated
Introduction
Security Requirements of
LTE system
3GPP Security Architecture
Confidentiality and Integrity
mechanisms in LTE
2. Security Requirements of LTE System
EPS Algorithms
Security Procedures in LTESAE Network
Key Hierarchy in 4 G and
Key Derivation
Key Derivation in During
Handover
Conclusion
References
.
2. Security requirements on eNodeB:
Security requirements on eNB are listed below and supported by the
figure:
eNodeB setup and configuration related
Communication between the remote/local O&M systems and the eNB shall
be mutually authenticated. The eNB shall be able to ensure that
software/data change attempts are authorized. Sensitive parts of the boot-up
process shall be executed with the help of the secure environment.
Confidentiality and Integrity protection of software transfer towards the
eNB shall be ensured.
Requirements for key management inside eNB
The EPS core network provides subscriber specific session keying material
for the eNBs, which also hold long term keys, used for authentication and
security association setup purposes. Protecting all these keys is important.
Keys stored inside eNBs shall never leave a secure environment.
Requirements for handling User plane/Control plane data for the eNB
It is eNB's task to cipher and decipher user/control plane packets between
the Uu reference point and the S1/X2 reference points. User/control plane
data ciphering/deciphering shall take place inside the secure environment
where the related keys are stored. The transport of user data over S1-U/C
and X2-U/C shall be integrity, confidentially and replay-protected from
unauthorized parties.
3. 3. 3GPP Security Architecture
As per 3GPP, five security feature groups are defined. Each of these
feature groups meets certain threats and accomplishes certain security
objectives:
Network access security: The set of security features that provide
users with secure access to services, and which in particular protect
against attacks on the radio link. Primary radio link security features are
like:
Encryption and Integrity Protection of RRC Signalling
Encryption and Integrity Protection of NAS Signalling
Encryption of Data Radio Bearer
Mutual Authentication between UE and Access Network
User domain security: The set of security features that secure
access to mobile Device and SIM. This security domain considers
following security set:
User domain security requires IMSI and IEMI should be
confidentially protected.
User - USIM authentication: Access to the USIM is restricted
until the USIM has authenticated the user with use of PIN. If user
does not know PIN, user is not allowed to use SIM.
USIM – Terminal authentication: Used only for SIM-Locked
Mobiles. When a mobile device is SIM-locked, the device stores
the IMSI of the USIM. If the inserted USIM has a different IMSI,
the ME goes into a Emergency call only mode.
.
4. -
Application domain security: The set of security features that enable
secure messaging between USIM and the Network. This USIM
application toolkit provides capability for Operator to create
applications which are resident on UE SIM
-
Visibility and configurability of security: The set of features that
enables the user to inform himself whether a security feature is in
operation or not and whether the use and provision of services should
depend on the security feature.
-
Indication of access network encryption
Indication of the level of security
Enabling/disabling user-USIM authentication
Accepting/rejecting incoming non-ciphered calls
Accepting/rejecting the use of certain ciphering algorithms
Accepting/rejecting incoming non-ciphered calls
Network domain security: The set of security features that enable
nodes to securely exchange signaling data, user data (between Access
Node and Signaling nodes and within Access Node), and protect
against attacks on the wire line network.
Network domain security mainly performs following:
Key negotiation using Internet Key Exchange (IKE)
Use of Internet Security Association and Key Management
Protocol (ISAKMP) for setting up the security association
between the Security Gateways (SEG)
Tunnel-mode Encapsulation Security Protocol (ESP) to be used
for Encryption, data Integrity and Authentication.
5. 4. Confidentiality and Integrity mechanisms in LTE
eNodeB layer and security Function: In eNB Physical, MAC and RLC
Layers do not perform any security related operation. Only PDCP, RRC and
NAS layer are involved:
3
PDCP layer is responsible for integrity protection of RRC and
Confidentiality of RRC and User Plane (UP).
RRC has the role of AS (RRC and UP) key handling and security
activation in PDCP
NAS performs key handling and integrity and confidentiality of NAS.
Confidentiality and Integrity mechanisms in LTE
To ensure data security during its transmission over the air interface and
through the LTE-SAE system: ciphering of both user plane data and
control plane data in the RRC layer, and integrity protection which is used
for control plane data only. For the NAS network, both ciphering and
integrity are provided.
Ciphering is used in order to protect the data streams from being received
by a third party, Ciphering may be provided to RRC-signaling to prevent
UE tracking based on cell level measurement reports, handover message
mapping, or cell level identity chaining.
User and signaling data Confidentiality
To ensure the data confidentiality Cipher algorithm EEA (EPS Encryption
Algorithm) agreement: To ensure the confidentiality of user and signaling
data in LTE-SAE (Long Term Evolution - Service Architecture
Evolution), 3GPP has maintained the use of the UMTS algorithm UEA2
based on SNOW 3G algorithm and has named it EEA1.
In addition, a new algorithm EEA2, based on AES algorithm used in the
CTR mode (Counter Mode), has been adopted.
Besides, the UE and the EPS can securely negotiate the algorithm to use in
their mutual communication.
Cipher key agreement: the agreement is done between the UE and the
network during the Authentication and Key Agreement procedure;
Encryption/Decryption of user and signaling data;
6. Signaling data Integrity
Data integrity in the EPS network ensures the protection of the signaling data
integrity and allows the authentication of the signaling messages transmitted
between the user and the serving network. User data is not integrity
protected. Integrity protection, and replay protection, shall be provided to all
NAS and RRC-signaling messages.
The following security features are provided to ensure the signaling data
integrity on the LTE and SAE:
Integrity algorithm (EIA) agreement: as for the data confidentiality,
there are actually two variants of the integrity algorithm for LTE:
EIA1 based on SNOW 3G algorithms (named UIA2 in UMTS
network). It was used since 2006 in the UMTS network and was
maintained in the LTE-SAE network and the second algorithm EIA2,
based on AES algorithm.
Integrity key (IK) agreement;
Data integrity feature: the receiving entity (ME or SN) must be able
to check that the signaling data wasn't modified during its transition
over the network access link and to check the expected origin of the
message (SN (Serving Network) or UE).
5. EPS Algorithms
There are nowadays two sets of security algorithms used in the Long Term
Evolution network. The first set is based on the stream cipher algorithm
SNOW 3G, which is inherited for UMTS, the 3rd generation of mobile
telecommunication. The second set is based on the well-known block cipher
algorithm AES. Each algorithm is identified by an identifier.
EEA Algorithm Identification
The EPS Encryption Algorithms (EEA) is algorithms work with internal
128-bit blocks under the control of a 128-bit input key except Null ciphering
algorithm. To each EEA algorithm is assigned a 4-bit identifier.
Currently, the following values have been defined for NAS, RRC and UP
ciphering:
“00002”: EEA0 Null ciphering algorithm. The EEA0 algorithm is
implemented in the way that it has the same effect as if it generates a
key stream of all zeroes.
“00012”: 128-EEA1. The EEA1 is a stream cipher based on another
stream cipher named SNOW 3G
“00102”: 128-EEA2. The EEA2 is a stream cipher based on the
block cipher A.
7. 6. Security Procedures in LTE-SAE Network
User Identity Confidentiality
During network access, the serving Mobility Management Entity (MME) is
required to allocate a Globally Unique Temporary Identity (GUTI) to the
UE, which is used in the EPS to avoid frequent exchange of the UE's
permanent identity (IMSI) over the radio access link. The GUTI consists of
two components: a Globally Unique MME Identity (GUMMEI), which is the
identity of the MME that has allocated the GUTI, and the M-TMSI, which is
the identity of the UE within that MME. The GUMMEI in turn consists of
PLMN ID (MCC, MNC) and MME Identifier (MME Group Id and MME
Code).The MMEC provides a unique identity to an MME within the MME
pool, while the MMEGI is used to distinguish between different MME pools.
The SAE TMSI (S-TMSI) is a shortened form of the GUTI that is used to
identify the UE over the radio path and is included in the RRC connection
request and paging messages. The S-TMSI contains the MMEC and MTMSI components of the MMEI.
However the S-TMSI does not include the MMEGI—that is, the MME pool
component. Thus, because MME pool areas can overlap, care must be taken
to ensure that MMEs serving the overlapping areas are not allocated the
same MMECs. The International Mobile Equipment Identity (IMEI) is sent
upon request from the network using NAS procedures.
Authentication and Key Agreement
EPS AKA is the authentication and key agreement procedure that is used
between UE and EPC Core Network. EPS AKA produces keying material
forming a basis for user plane (UP), RRC, and NAS ciphering keys as well as
RRC and NAS integrity protection keys.
Authentication Data Retrieval
Authentication information is retrieved from the HSS over the S6a interface
upon request by the MME. An authentication data request includes the IMSI,
the serving network identity (MNC and MCC), the network type (EUTRAN), and the number of requested Authentication Vectors (AV) that the
MME is prepared to receive.
8. UE Authentication
Authentication of the UE is initiated by the serving MME through EPS NAS
procedures. An EMM authentication request is sent to the UE with
authentication parameters (RAND, AUTN) and the NAS Key Set Identifier
(eKSI) or KSIASME. The KSIASME is allocated by the MME and uniquely
identifies the KASME. It is stored in the UE and serving MME together with
the GUTI, if one is available, allowing the KASME to be cached and re-used
during subsequent connections without re-authentication. A new
authentication procedure must include a different KSIASME.
The UE responds to the MME with an authentication response, including the
user response (RES) upon successful processing of the authentication
challenge data. The MME then must validate the correctness of RES, and the
intermediate KASME is determined after successful completion of the
current EPS AKA, as agreed upon by the UE and MME.
UE Identification
The UE identification request is initiated by the serving MME using EPS
NAS procedures. An EPS Mobility Management (EMM) identity request
is sent to the UE requesting that the permanent identity—that is, the
IMSI—be sent to the MME. This request is normally made when a GUTI
is not available to provide a unique UE identification. The EMM identity
request can also be used to retrieve the International Mobile Equipment
(IMEI) as part of the Mobile Equipment (ME) identity check procedure,
wherein the returned IMEI is passed on to the Equipment Identity
Register (EIR) via the S13 interface for validation.
.
9. EPS Security Context
An EPS security context is created as the result of the EPS AKA and is
uniquely identified by the evolved Key Set Identifier (eKSI) of Type
KSIASME, allocated by the MME as part of the EPS AKA procedure. An
EPS security context consists of AS and NAS components. The UE and
MME each maintain up to two EPS security contexts simultaneously. For
example, during a re-authentication procedure, both the current and new
EPS security context exist during the period of transition.
An EPS security context can be stored for future system accesses, termed
a "cached security context." A UE transitioning from the EMMDEREGISTERED to EMM-REGISTERED state without an EPS security
context typically requires the Extended Pedestrian A (EPA) AKA
procedure to be run; however, the process is optional if cached security
context is used. An EPS security context can be stored for future system
accesses, termed a "cached security context."
NAS Security
The NAS security context in the EPS can be either set or re-established.
The NAS security context is set using the NAS security mode control
procedure, which is initiated by the MME towards the UE. This procedure
can be used during the initial establishment of security context,
subsequent re-authentications, or context modification.
To initiate the procedure, an integrity-protected NAS security mode
command message is sent with the EIA and key belonging to the security
context to be activated while non-ciphered. The EEA, EIA and eKSI
selected for the new security context are sent in the same message. The
EEA and EIA selections are based on the UE’s security capabilities sent
in initial UE context message.
The system chooses the highest priority EEA and EIA supported by both
The MME and the UE. During MME relocation, the NAS EEA and EIA
may be updated, as source and target MMEs can have varying levels of
support for security algorithms.
The NAS security mode complete message is sent using ciphering and
integrity protection with that of the security context to be activated. After
the security procedures are exchanged, ciphering is applied on all NAS
messages except the EMM attach request, tracking area update request,
and security mode command until the NAS signaling connection is
released and the MME is in the ECM-IDLE state. In transiting from the
ECM-IDLE state to the ECM-CONNECTED state, the system always
sends the NAS initial messages without ciphering but with integrity
protection with the EPS cached security context, if one exists. If not, then
the system sends the EPS AKA, NAS and AS Security Mode Control
procedures to set the new EPS security context for the NAS and AS.
10. When an EPS cached security context is available, the UE sends the eKSI
corresponding to the cached context, and the EPS AKA is optional. If the
cached security context is to be activated, a new KeNB (eNB Key) is
derived for this NAS Signalling connection at the MME and forwarded to
the eNB over the S1-AP interface.
AS security mode control procedures are used to inform the UE of the
eKSI, indicating the current KASME in use. Security keys for the AS are
derived accordingly at both the eNB and the UE. NAS security mode
control procedures are not required in this case. The NAS security context
loop is closed when the MME responds to the UE initiating message by
sending the corresponding NAS procedure. This response is ciphered and
integrity protected with that of the cached security context to be activated.
An exception applies in the case of a TAU procedure in which the active
flag is not set; that is, a signaling-only NAS connection is made that does
not require establishment of DRBs and that releases resources as soon as
the TAU procedure is completed.
A NAS message is ciphered and transferred in the NAS message portion
of a security protected NAS message. After ciphering, integrity protection
is performed on the NAS message and sequence number, after which the
Message Authentication Code (MAC) is computed and filled in. Integrity
validation is performed prior to deciphering of the embedded NAS
message.
AS Security
An EPS AS security context is initialized in the eNB by the MME when the
UE enters the ECM- CONNECTED state and during the preparation for an
intra-LTE handover. At this time the UE’s security capabilities and context,
including the transitional security key material, is transferred from the source
to the target eNB.
11. An RRC security command procedure is used during initial establishment
of the AS security context and is initiated by the eNB towards the UE. The
SRB1 is established at this time; that is, prior to the establishment of the
Signalling Radio Bearer 2 (SRB2) and Data Radio Bearers (DRBs) for user
plane transfer.
An integrity-protected AS security mode command message is sent with the
EIA and key belonging to the security context to be activated while nonciphered. The EEA, EIA and eKSI selected for the new security context are
sent in the same message. The EEA and EIA selections are based on the
security capabilities of the UE. They indicate the supported EEA and EIA
and the locally configured, prioritized support lists in the eNB. The system
chooses the highest priority EEA and EIA supported by both the eNB and
the UE.
The UE security capabilities list is provided by the MME in the S1-AP
procedures during the initial UE context setup request or during the
handover resource preparation phase for the S1- initiated intra-LTE
handover. Such a list is also made available from the source eNB during
preparation for an X2-initiated handover. Depending on the system, the
EEA and EIA for the AS may be updated as part of the intra-LTE handover,
as eNBs can have varying levels of support for security algorithms.
Ciphering and deciphering at the AS in the downlink is started after the
security mode command has been sent by the eNB and received at the UE;
it is not necessary to wait for the security mode complete message. In the
uplink, however, the security mode complete message must be sent by the
UE and received at the eNB before ciphering and deciphering at the AS can
start. The AS security mode complete message is sent ciphered and
integrity- protected with that of the security context to be activated.
An explicit start time for user plane ciphering is not required, since DRBs
are always established after security mode procedures, and these DRBs
share a common EEA with the SRBs. Keys may be updated through
handovers and RRC connection re-establishments.
12. For DRB Packet Data Units (PDUs), ciphering at the Packet Data Control
Plane (PDCP) is performed using post header compression, and
deciphering is performed using pre header decompression. Ciphering and
deciphering is performed on the data part of the SRB or DRB, and
Message Authentication Code (MAC-I) for the SRB. PDCP control PDUs
are not ciphered. Integrity protection and validation for the SRB is
performed on the PDCP PDU header before ciphering on the data parts.
7. Key Hierarchy in 4G and Key Derivations
The keys derived in the 4G AKA procedures are the following: K-NASenc
(encryption key for NAS traffic), KNASint (integrity key for NAS traffic),
KeNB (derived by MME and eNB), KUPenc (encryption key for the userplane data, derived by MME and eNB from KeNB), KRRCint and KRRCenc
(integrity check, respectively encryption key derived by MME and eNB from
KeNB, used for securing the Radio Resource Control traffic).
13. The sections in this figure describe which entities are involved in a particular
key generation process; there are 6 keys derived from the EPS authentication
mechanism. This key generation feature introduced in 4G improves the speed
of the re-authentication procedures and also the refreshing process of the
keys. As the K-ASME may be used a master key in further service requests
authentication, the MME no longer has to download the authentication data
from the HSS and it can also avoid re-synchronization issues.
.
The entire authentication information that is stored in the UICC and its
corresponding associates from the network side is called “security context”; a
security context consists of the NAS and AS security contexts. The AS
security context has the cryptographic keys and chaining information for the
next hop access key derivation, but the entire AS context exist only when the
radio bearers established are cryptographically protected. The NAS context
consists of the K-ASME with the associated key set identifier, the UE
security capabilities and the uplink and downlink NAS count values, used for
each EPS security context. For a security context to be considered full, the
MME should have the K-NASenc and KNASint keys are derived as,
K------>CK, IK----> KASME------>KNASint
K------>CK, IK----> KASME------>KNASenc
LTE RRC Key Derivation at the eNodeB and UE
K------>CK, IK----> KASME------>KeNB----->KRRCint
K------>CK, IK----> KASME-----> KeNB------>KRRCenc
.
LTE User Plane Key Derivation at the eNodeB and UE
K------>CK, IK----> KASME-----> KeNB------> KUPenc
14. 8. Key Derivation During Handover
In Handover to achieve the adequate security forward security mechanism
is used. It means that, without knowledge of KASME, even with the
knowledge of KeNB that is shared by the UE and the current eNB,
computational complexity prevents guessing the future KeNBs which will
be used between the UE and eNBs to which the UE will connect in the
future. Thus, the encryption stays intact.
The Model for Key transmission is shown in below figure during
handover. When the initial AS security context is shared by UE and eNB,
MME and UE must generate the KeNB and Next-Hop (NH) parameter.
KeNB and NH are generated from KASME and there is a KeNB and NH
for each NH chaining counters (NCC). Those respective KeNB are
generated from the NH values for each NCC. In the Initial KeNB is
generated by from KASME and NAS uplink Count, resulting NCC=0 key
Chaining, with the initial values the derived NH values is for a key chain
of NCC=1 or less. KeNB is used as base key for the secure
communication between UE and eNB .For Handover directly between
eNBs, KeNB*, the new key is generated from the active KeNB* or from
the NH value.
There are two methods for key derivation Horizontal key derivation
And Vertical key derivation. The horizontal key derivation method
generated KeNB* from the existing KeNB while the vertical key
derivation method generate the KeNB* from NH. In Handovers, using
vertical key derivation KeNB* is generated from NH with addition input
like DL- EARFCN, and target eNB cell Physical cell Identity while in
horizontal key derivation the KeNB* is generated from the current KeNB
using the target PCI and its DL-EARFCN as additional parameters.
15. As NH can be calculated only by the UE and MME this use of the NH
provides a method that achieves forward security in handover across the
multiple eNBs. In that case the n-hop (where N can be 1 or 2) forward
security at the time of vertical key derivation delivery means that the
future KeNB to be used when UE connects to another eNB after n or more
handovers cannot be guessed because of the computational complexity.
This function can limit the scope of harm even if a Key is leaked, because
feature Key will be generated without current KeNB in case of vertical
key delivery
9. Conclusion
This paper presented the basic 4G security architecture and requirements.
The paper focused on the access-level security issues that may arise at the
eNodeB, UE and MME level. As the connection to the network poses the
most serious issues when talking about User Domain security, this paper
analyzed the authentication process of the UE connecting to 4G networks.
Authors explained about what all EPS algorithms are supported and how
they can be identified. They also explained the NAS security, AS security
and derivation of security key during normal attaché procedure and during
the handovers.
16. Authors
10. References
Nisha Malik
Student M.Tech
3 GPP 33.401 “3 GPP System Architecture Evolution, Security
Architecture”
3GPP standard 36.300 , “Evolved Universal Terrestrial Radio Access
(E-UTRA) and Evolved Universal Terrestriall”
3GPP 33.310, “Network Domain Security; Authentication
Framework”
3GPP 33.220 ” Generic Authentication Architecture; Generic
Bootstrapping, Authentication”
3GPP 33.102, “3G Security Architecture”
LTE, The UMTS long Terms Evolution: From Theory to Practice
Security Analysis of LTE Access Network Cristina-Elena Vintilă,
Victor-Valeriu Patriciu, Ion Bica Computer Science Department
LTE Security Encryption and Integrity Protection in LTE from Event
Helix
Sukhvinder Malik
LTE Test Engineer
Rahul Atri
LTE Test Engineer
Preet Rekhi
LTE Test Engineer
.
Disclaimer:
Authors state that this whitepaper has been compiled meticulously and to the best of their
knowledge as of the date of publication. The information contained herein the white paper
is for information purposes only and is intended only to transfer knowledge about the
respective topic and not to earn any kind of profit.
Mandeep Arora
LTE Test Engineer
Every effort has been made to ensure the information in this paper is accurate. Authors
does not accept any responsibility or liability whatsoever for any error of fact, omission,
interpretation or opinion that may be present, however it may have occurred