3GPP LTE Security Aspects Dionisio Zumerle Technical Officer, 3GPP ETSI 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 1
Contents LTE security architecture Security algorithms Lawful Interception Backhaul Security Relay Node Security 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 2
LTE Security Architecture 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 3
LTE Security: UMTS Security and LTE Architectural impact UMTS security enhancements: Mutual authentication Integrity keys Public algorithms Deeper encryption Longer key length LTE Architecture: Flat architecture Separation of control plane and user plane enodeb instead of NodeB/RNC All-IP network Interworking with legacy and non-3gpp networks Characteristics of LTE Security Re-use of UMTS Authentication and Key Agreement (AKA) Use of USIM required (GSM SIM excluded) Extended key hierarchy Possibility for longer keys Greater protection for backhaul Integrated interworking security for legacy and non-3gpp networks 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 4
AKA and signalling protection UTRAN SGSN GERAN S1-MME S3 MME HSS S6a UE LTE-Uu E-UTRAN S1-U S10 S11 S4 Serving Gateway S12 S5 Confidentiality and integrity for signalling and confidentiality for user plane (RRC & NAS) Confidentiality and integrity for signalling only (NAS) Optional user plane protection (IPsec) 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 5
Authentication and Key Agreement UE enb MME AuC NAS attach request (IMSI) NAS auth request (AUTN, RAND, KSIasme) NAS auth response (RES) NAS SMC (confidentiality and integrity algo) NAS Security Mode Complete RRC SMC (confidentiality and integrity algo) RRC Security Mode Complete S1AP Initial Context Setup AUTH data request (IMSI, SN_id) AUTH data response (AV={AUTN, XRES, RAND, Kasme}) 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 6
Security Algorithms 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 7
LTE Security Algorithms Currently two separate algorithms specified In addition to one NULL algorithm Current keylength 128 bits Possibility to extend to in the future Confidentiality protection of NAS/AS signalling recommended Integrity protection of NAS/AS signalling mandatory User data confidentiality protection recommended Ciphering/Deciphering applied on PDCP and NAS 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 8
COUNT LTE Ciphering and Integrity mechanisms DIRECTION COUNT DIRECTION BEARER LENGTH BEARER LENGTH ciphering KEY EEA KEY EEA KEYSTREAM BLOCK KEYSTREAM BLOCK PLAINTEXT BLOCK CIPHERTEXT BLOCK PLAINTEXT BLOCK Sender Receiver integrity COUNT DIRECTION MESSAGE BEARER COUNT DIRECTION MESSAGE BEARER KEY EIA KEY EIA Sender MAC-I/NAS-MAC XMAC -I/XNAS-MAC Receiver 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 9
128-EEA1/EIA1 Based on SNOW 3G stream cipher keystream produced by Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM) Different from KASUMI as possible selected during UMTS security design Allows for: low power consumption low gate count implementation in hardware 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 10
128-EEA2/EIA2 AES block cipher Counter (CTM) Mode for ciphering CMAC Mode for MAC-I creation (integrity) Different from SNOW 3G as possible Cracking one would not affect the other Reasons why KASUMI was not re-used: enb already supports AES needs to support AES for NDS/IP Similarity with other non-3gpp accesses (e.g. 802.11i) Other 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 11
128-EEA3/EIA3 Based on Chinese ZUC stream cipher Three-phase evaluation ongoing Public evaluation ongoing! http://zucalg.forumotion.net/ 2 nd International Workshop on ZUC: June 5-6 in Beijing http://www.3gpp.org/call-for-papers-beijing-zuc Network-mandatory/network-optional to be decided 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 12
Deeper Key hierarchy in LTE USIM / AuC UE / HSS UE / ASME K CK, IK K ASME K NASenc UE / MME K NASint K enb K UPint K UPenc K RRCint K RRCenc UE / enb Faster handovers and key changes, independent of AKA Added complexity in handling of security contexts Security breaches local 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 13
Key Derivation HSS SN id, SQN AK CK,IK KDF K ASME MME K enb NH K D F K D F K enb * s KDF NH Physical cell ID, EARFCN-DL K enb RRC-enc-alg, Alg-ID RRC-int-alg, Alg-ID K enb enb enb NAS UPLINK COUNT UP-enc-alg, Alg-ID NAS-enc-alg, Alg-ID NAS-int-alg, Alg-ID UP-int-alg, Alg-ID KDF KDF KDF KDF KDF KDF K NASenc K NASint K UPint K UPenc K RRCint K RRCe nc Trunc Trunc 128 128 Trunc 128 Trunc Trunc 128 128 Trunc 128 K NASenc K NASint K UPint K UPenc K RRCint K RRCenc Key distribution and key derivation scheme for EPS (network side), found in 33.401 Key Derivation Function (KDF) specification can be found in 33.220 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 14
Lawful Interception 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 15
Lawful Interception in 3GPP Cost Political Interception Business Retrieval Handover Analysis Legal process Relations Storage 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 16
Lawful Interception in EPS Context and mechanisms similar to case of UMTS PS Different core entities (ICE, Intercepting Control Elements) ADMF handles requests from Law Enforcement Authorities target identity: IMSI, MSISDN and IMEI X1 interface provisions ICEs and Delivery Functions X2 delivers IRI (Intercept Related Information) X3 delivers CC (Content of Communication) HI1,2,3: Handover Interfaces with law enforcement Convey requests for interception of targets (HI1) Deliver IRI (HI2) and CC (HI3) to LEAs 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 17
EPS LI Architecture UTRAN UE LTE-Uu E-UTRAN GERAN S1-MME S1-U ADMF SGSN MME S10 Mediation Function S3 S11 X1_1 X1_3 X1_2 HSS S6a X2 S4 Serving Gateway Delivery Function 2 Mediation Function S12 X2 Gx PDN Gateway PCRF X3 SGi Delivery Function 3 Mediation Function Rx Operator's IP Services (e.g. IMS, PSS etc.) HI1 HI2 HI3 LEMF 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 18
Backhaul Security 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 19
Backhaul Security Base stations becoming more powerful LTE enode B includes functions of NodeB and RNC Coverage needs grow constantly Infrastructure sharing Not always possible to trust physical security of enb Greater backhaul link protection necessary 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 20
Certificate Enrollment for Base Stations RA/CA SEG Operator root certificate pre-installed. Vendor root certificate pre-installed. CMPv2 IPsec Enrolled base station certificate is used in IKE/IPsec. base station obtains operator-signed certificate on its own public key from RA/CA using CMPv2. base station Vendor-signed certificate of base station public key pre-installed. Picture from 3GPP TS 33.310 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 21
Relay Node Security 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 22
Relay Node Authentication Mutual authentication between Relay Node and network AKA used (RN attach) credentials stored on UICC Binding of Relay Node and USIM: Based on symmetric pre-shared keys, or Based on certificates UE Radio Radio Donor Backhaul Relay enb Core NW 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 23
Relay Node Security Control plane traffic integrity protected User plane traffic optionally integrity protected Relay Node and network connection confidentiality protected Device integrity check Secure environment for storing and processing sensitive data 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 24
Conclusions LTE Security: building on GSM and UMTS Security Newer security algorithms, longer keys Extended key hierarchy New features, addressing new scenarios Backhaul Security Relay Node Security 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 25
Thank You! dionisio.zumerle@etsi.org More Information about 3GPP: www.3gpp.org contact@3gpp.org 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 26
Backup: Selection of 3GPP Security Standards LTE Security: 33.401 System Architecture Evolution (SAE); Security architecture 33.402 System Architecture Evolution (SAE); Security aspects of non-3gpp Lawful Interception: 33.106 Lawful interception requirements 33.107 Lawful interception architecture and functions 33.108 Handover interface for Lawful Interception Key Derivation Function: 33.220 GAA: Generic Bootstrapping Architecture (GBA) Backhaul Security: 33.310 Network Domain Security (NDS); Authentication Framework (AF) Relay Node Security 33.816 Feasibility study on LTE relay node security (also 33.401) Home (e) Node B Security: 33.320 Home (evolved) Node B Security 3GPP 2011 3GPP Workshop, Bangalore, 30 May 2011 27