Secure distribution of the device identity in mobile access network. Konstantin Shemyak senior security specialist, Nokia Siemens Networks

Size: px

Start display at page:

Download "Secure distribution of the device identity in mobile access network. Konstantin Shemyak senior security specialist, Nokia Siemens Networks"

Naomi O’Brien’
8 years ago
Views:

1 Secure distribution of the device identity in mobile access network Konstantin Shemyak senior security specialist, Nokia Siemens Networks 1 MobiSec-2010 Secure distribution of the device identity in mobile access network / KSh / May 2010

2 Telecommunication network: an overview User equipment Radio access network Transport network ( Non-access stratum ) Core network Internet Radical changes in radio access network do not seem to notably affect the security situation (standardization!) Security of the core network is still in tight hands of operators Security of the transport network raises issues 2 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

3 Telecommunication network Internet Originated and evolved as commercial network Links physically owned Access in most cases controlled, in most cases paid Users always identified Originated as military university network Links owned by side providers Access often anonymous, often free Difference in the acceptance level and expectations from users: A home appliance, same availability and reliability expected Gift from the heaven great if it works Viruses / malware / spyware Call technical support Reinstall Windows 3 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

New threats to telco networks Remote attacks against base stations, core nodes network is in general more easily accessible Local physical attacks to the equipment equipment is smarter and uses more

4 New threats to telco networks Remote attacks against base stations, core nodes network is in general more easily accessible Local physical attacks to the equipment equipment is smarter and uses more open components Node IP network (Internet) Malicious or captured host(s) MME S-GW UPE 76 7 Attack examples 1. Tamper with 2. Rogue nodes 3. Tamper with nw node 4. Disturb transmission 5. Jam radio (~DoS) 6. Tamper with core nodes 7. Tamper with terminal Outdoor site 6 Some potential attacks Threats: lost of confidentiality/privacy, data theft, DoS, unauthorized services 4 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

5 Telecom IP network security: should it be difficult? Internet security: somewhere good (banks?), somewhere very poor (botnets, malware, spying/tracking, privacy breaches) Cost the only question Generally, when it was standardized it was done radio access security, user security (SIM) starting from GSM otherwise sometimes yes, often not privacy, access control Technically all means are there and have already been for quite a while IPSec, TLS, user authentication with cryptographic credentials or host authentication 5 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

6 Authentication of IP hosts 1. pre-shared secrets 2. RSA keys 3. PGP keys 4. X.509 certificates. Standardization status GSM, WCDMA: Non-access stratum (transport) network protection is considered operator s internal business and not covered LTE: 3GPP , sec.11 mandates support (not necessarily usage) or IPSec/IKE and X.509 certificates. 6 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

7 Telecom-specific problems: initial identity distribution Base station become cheaper (questionably ), smaller, often located in places, which are more difficult (=expensive) to access than regular controlled premises Plug-and-play base stations and selforganizing networks are the buzz Logistics (of many our customers at least) does not leave a convenient place/time for maintenance by the operator operators are not willing at all to do any maintenance of their equipment Without initial trusted identity, transport network is as secure as the Internet is At the moment, there is no generic way for connecting PKIs of two organizations: buying certificates certifying by common party crosscertifying out-of-band delivery 7 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

8 The Secure Identity Distribution solution 1. Base stations are issued vendor certificate at the factory. Hardware information (serial number) is in the subject field No customer-specific or area-specific data it is normally not known at the manufacturing phase would increase logistics complexity and manufacturing costs 2. An identity management server is delivered to the operator. Has built-in trust to the operator s certificate One server per customer, no critical high-availability requirements Either acts as stand-alone (root) operator s certificate authority (CA), or as a RA connected to the operator s CA 3. Identity management server recognizes the vendor certificate, authenticates the base station in the operator s network, and issues the operator s certificate. Starting from that moment, operator has sole control over the identity of the network element Certificate 1 Name xxx Public Key 1 Validity IDM server Certificate 1 Name xxx Public Key 1 Validity 8 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

9 Device identity enrollment 1/ 2 : up to delivery 7. Deliver 1. Manufacture 2. Create keypair Operator HW DB Factory RA IDM Certificate 1 Name xxx Public Key 1 Validity 5. Deliver shipment data 4. Return the certificate 3. Request certificate 9 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

10 Device identity enrollment 2 / 2 after installation 8. Connect new NE Certificate 1 Name xxx Public Key 1 Validity 10. IPSec connection establishment (IKE) 9. Request operator s certificate Certificate 1 Name xxx Public Key 1 Validity IDM server HW DB 11. Start secure communications Peer node e.g., controller, gateway 10 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

Summary of SID messaging IDM Vendor HW DB server Station on site NE is manufactured and preconfigured with own certificate with serial # (or any other HW ID) in the subject field NE is shipped to

11 Summary of SID messaging IDM Vendor HW DB server Station on site NE is manufactured and preconfigured with own certificate with serial # (or any other HW ID) in the subject field NE is shipped to operator Share shipment data Serial # check Request a certificate Identity proof: Own serialbased cert signed by vendor. Operator s IDM has trust to it. NE connected and powered on untrusted, identity proof is required operator s certificate IKE established with peered NE secure communication with peer nodes (e.g. or controller) can be started 11 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

12 Summary Mobile network operators would (probably) like to have their network secure but not at any price! the security solution will not fly if it is too expensive (in sense of either initial investment or lifetime maintenance) For rapidly evolving networks, distribution of the initial trust is an expensive and sensitive procedure A cost-efficient method, especially well suited for base stations, is described optimized for existing business relationships between equipment vendor and network operator works already now (no waiting for standardization, vendor/operator PKI integration), but is completely future-proof. 12 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

13 Thank you! 13 MobiSec-2010 Secure distribution of the device identity in mobile access network / KSh / May 2010

14 Standard security components: IPSec/IKE, TLS IPSec and TLS are the standardized means to encrypt and authenticate the IP traffic. Data can not be eavesdropped or modified (without receiver noticing this). Note: SSL is a predecessor of TLS, now obsolete. Do not use this abbreviation. In order to encrypt/authenticate anything, keys are needed. IKE is a protocol used with IPSec for key negotiation. Normally IKE and IPSec are used together. TLS itself contains key negotiation. Both solutions first exchange some control information including key agreement Note: this can be done without ever sending key over the network. What s the difference? Usually implemented in Application Operating system Operating system HW/drivers Protocol stack App Transport IP MAC/Phys Security solution TLS Equally strong cryptographically IPSec IPSec is usually implemented and managed inside the OS. TLS is an OS service which is normally available directly to the applications. In most cases, one is easier to manage than the other. Typically, IPSec is more suitable for host-wide configuration, and TLS for application-wide. Examples: VPN client / Web browser 14 MobiSec-2010 Secure distribution of device identity in mobile access network / Konstantin Shemyak / May 2010

How to secure an LTE-network: Just applying the 3GPP security standards and that's it?

How to secure an LTE-network: Just applying the 3GPP security standards and that's it? Telco Security Day @ Troopers 2012 Peter Schneider Nokia Siemens Networks Research 1 Nokia Siemens Networks 2012 Intro