AGENDA
Some GSM/UMTS security and history (if needed, see outtakes)
Layered Security Approach in eUTRAN
Reuse of UMTS AKA for authentication
Security context/key derivation in eUTRAN is based on UMTS AKA
AKA run and key change/derivation
Key refresh
    On intra-MME HO
    On inter-MME HO
What is wrong with that?
    Poisoned key chain
    Inband key material transfer
How do we fix that?
    Key material transfer out of band
    3 solutions
[Figure: SAE/LTE network architecture. Labelled elements: UE, E-UTRAN, Evolved Packet Core (EPC) with MME and SAE GW, PDN SAE Gateway, 2G/3G SGSN, ePDG, PCRF, Untrusted Non-3GPP IP Access, Operator's IP Services (e.g. IMS, PSS etc.). Labelled interfaces: S1-C, S1-U, X2, S2a, S2b, S3, S4, S5, S6a, S6c, S7, S11, SGi, Rx+, Wa*, Wm*, Wn*, Wx*, Ta*.]
ePS has two layers of protection instead of the single layer of perimeter security used in UMTS. The first layer is the Evolved UTRAN (eUTRAN) network (RRC security and UP protection) and the second layer is the Evolved Packet Core (ePC) network (NAS signalling security).
[Figure: key hierarchy, from top to bottom:]
    CK, IK                                       (UE / HSS)
    KASME                                        (UE / ASME)
    KNAS enc, KNAS int, KeNB                     (UE / MME)
    KeNB-UP-enc, KeNB-RRC-int, KeNB-RRC-enc      (UE / eNB)

The K_eNB key is transported to the eNB from the EPC when the UE transitions to LTE_ACTIVE.
The eNB derives the UP and RRC keys from K_eNB.
When the UE goes into LTE_IDLE or LTE_DETACHED, the K_eNB, UP and RRC keys are deleted from the eNB.

* An Access Security Management Entity (ASME) is an entity which receives the top-level keys in an access network from the HSS. KASME is bound to the serving network.
[Figure: key refresh on intra-MME handover. Labelled nodes: Target eNB, EPC. Steps shown:]
    1. Derive KeNB* from KeNB.
    2. Derive new KeNB from KeNB* and C-RNTI.
    3. Derive RRC/UP keys from new KeNB.
    5. HO confirm
    6. HO complete
    7. UE location update

On intra-MME handover the source eNB sends a handover request to the target eNB. The target eNB replies with a handover response. The handover response includes information required by the UE (e.g., the C-RNTI). The source eNB includes this information in the handover command it sends to the UE.

* C-RNTI: Cell Radio Network Temporary Identity
[Figure: key refresh on inter-MME handover. Labelled nodes: Target eNB, Source MME, Target MME. Steps shown:]
    1. Derive KeNB* from KeNB.
    2. Derive new KeNB from KeNB* and C-RNTI.
    3. Derive RRC/UP keys from new KeNB.
    6. HO response (C-RNTI)
    7. HO command (C-RNTI)
    8. HO confirm
    9. HO complete

On inter-MME handover, as on intra-MME handover, the fresh KeNB* is transferred to the target eNB. A new KeNB is derived from the KeNB* and C-RNTI, and K-RRCenc, K-RRCint and K-UPenc are refreshed with the help of this new KeNB.
Poisoned key chain / Inband key material transfer
    Key material for the key in Step N+1 is available using the key from Step N;
    The adversary needs to physically break into the first node to obtain Key#1;
    All of the subsequent nodes will be transparent to the adversary without physically breaking in.
[Figure: handover with per-eNB keys prepared by the MME. Labelled nodes: UE, Source eNB, Target eNB, MME. Steps shown:]
    1. Pick a random MME-eNB_key
    2. Forward MME-eNB_key
    3. UE location update (list of potential target (i.e. neighbour) eNBs)
    3A. Pick a random H_key; and
    3B. KeNB_eNB_ID = AES_H_key(eNB_ID),
    3C. Encrypt KeNB_BS_ID with the respective MME-eNB_key = {KeNB_BS_ID}_MME-eNB_key[BS_ID].
    6a. HO decision
    7. HO request ({KeNB_Target eNB_ID}_MME-eNB_key[Target eNB_ID])
    7A. Recover KeNB_BS_ID using MME-eNB_key[BS_ID] (decrypt)
    10. HO confirm
    11. HO complete
    12. UE location update (list of potential target (i.e. neighbour) eNBs)
    13. {KeNB_BS_ID}_MME-eNB_key[BS_ID] for each potential target eNB.
[Figure: handover with H_nonce supplied by the MME. Labelled nodes: UE, Source eNB, Target eNB, MME, Target MME. Steps shown:]
    1. Pick a random H_nonce
    2. Forwards H_nonce
    3. Forwards H_nonce, protected by NAS security
    4. Measurement report
    4A. HO decision
    4B. Derive KeNB* from KeNB
    6A. Derive new KeNB from KeNB*, H_nonce, Target eNB_ID
    11. HO confirm
    12. HO complete
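Added example, not part of the original slides: a small model of the handover key chain, comparing derivation from in-band inputs only (KeNB*, C-RNTI) with derivation that also mixes in an H_nonce. Assumptions: HMAC-SHA256 stands in for the key derivation function, which the slides do not name; C-RNTI and eNB_ID are taken to be observable; H_nonce is taken to be unknown to whoever holds the first KeNB; all sample values are constructed.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """Stand-in KDF (HMAC-SHA256); the slides do not name the real function."""
    msg = label + b"".join(len(i).to_bytes(2, "big") + i for i in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()

def next_kenb_inband(kenb: bytes, c_rnti: int) -> bytes:
    """Handover steps 1-2: KeNB -> KeNB* -> new KeNB (from KeNB* and C-RNTI)."""
    kenb_star = kdf(kenb, b"KeNB*")
    return kdf(kenb_star, b"KeNB", c_rnti.to_bytes(2, "big"))

def next_kenb_out_of_band(kenb: bytes, h_nonce: bytes, target_enb_id: bytes) -> bytes:
    """H_nonce variant: new KeNB from KeNB*, H_nonce and Target eNB_ID."""
    kenb_star = kdf(kenb, b"KeNB*")
    return kdf(kenb_star, b"KeNB", h_nonce, target_enb_id)

def run_chain(first_kenb: bytes, hops, use_nonce: bool):
    """Return the KeNB in force after each handover along the path."""
    keys, kenb = [], first_kenb
    for c_rnti, enb_id, h_nonce in hops:
        kenb = (next_kenb_out_of_band(kenb, h_nonce, enb_id) if use_nonce
                else next_kenb_inband(kenb, c_rnti))
        keys.append(kenb)
    return keys

def adversary_view(stolen_kenb: bytes, hops, use_nonce: bool):
    """Keys computable from the first KeNB plus values seen in the clear.
    The real H_nonce is not available, so a random guess replaces it."""
    blinded = [(c, e, os.urandom(16)) for c, e, _ in hops]
    return run_chain(stolen_kenb, blinded, use_nonce)

# Constructed path: (C-RNTI, target eNB_ID, H_nonce picked by the MME)
HOPS = [(0x1A2B, b"eNB-2", os.urandom(16)),
        (0x3C4D, b"eNB-3", os.urandom(16)),
        (0x5E6F, b"eNB-4", os.urandom(16))]
KENB_1 = os.urandom(32)

def chain_is_poisoned(use_nonce: bool) -> bool:
    """True if every later KeNB follows from the first KeNB alone."""
    real = run_chain(KENB_1, HOPS, use_nonce)
    return real == adversary_view(KENB_1, HOPS, use_nonce)

if __name__ == "__main__":
    print("in-band chain poisoned:", chain_is_poisoned(False))
    print("H_nonce chain poisoned:", chain_is_poisoned(True))
```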
Need to compete with other 3.9-4G technologies (WiMax, UMB, etc.) in terms of features and delivery time;
Panic fear of the NYT attack;
Different geo-political understanding of security, privacy, etc. needs competing requirements;
Controversy equalizes fools and wise men - and the fools know it. Oliver Wendell Holmes, 1809-1894
LTE
Cellular Wireless Key Management
SAE SAE/LTE
Are you insinuating that I am a purveyor of terminological inexactitudes? - Winston Churchill, responding to a journalist
3GPP2 side: CDMA-1, CDMA-2000-1XRTT, EVDO, EVDV
3GPP side: GSM, EDGE, GPRS, UMTS, LTE
Security in GSM
Functions:
    Authentication: yes (GSM AKA)
    Integrity: no
    Confidentiality: yes
GSM AKA
[Figure: GSM AKA message flow between MS, VLR and HLR. Labels shown: Register (IMSI); triplets (RAND, XRES, Kc); RAND; Compute RES and Kc; RES; Validate RES = XRES]
    RES = A3(RAND, Ki)
    Kc = A8(RAND, Ki)

HLR: Home Location Register
IMSI: International Mobile Subscriber Identity
MS: Mobile Station
RAND: Random challenge
RES: Response to an authentication challenge
VLR: Visited Location Register
XRES: eXpected Response
Security in UMTS
Functions:
    Authentication: yes (UMTS AKA)
    Integrity: yes (IK from AKA)
    Confidentiality: yes
Assure user and network that CK/IK have not been used before (replay attack)
Authenticated management field HE -> USIM:
    authentication key and algorithm identifiers
    limit CK/IK usage before USIM triggers a new AKA
UMTS AKA
[Figure: UMTS AKA message flow between USIM, MS, VLR and HLR/AuC. Labels shown: Register (IMSI); Compute quintuplets; RES]

AuC: Authentication Center
AUTH: Authentication vector (quintuplet)
AUTN: Authentication Token
CK: Ciphering Key
HLR: Home Location Register
IK: Integrity Key
IMSI: International Mobile Subscriber Identity
MS: Mobile Station
RAND: Random challenge
RES: Response to an authentication challenge
VLR: Visited Location Register
XRES: eXpected Response
Authentication Center (AuC) and USIM share:
    user specific secret key K (128 bit key)
    message authentication functions f1, f1*, f2
    key generating functions f3, f4, f5
AuC has a random number generator
AuC has a scheme to generate fresh sequence numbers
USIM has a scheme to verify freshness of received sequence numbers

AUTN = SQN ⊕ AK || AMF || MAC = network authentication token, concealment of SQN with optional AK
Quintet = (RAND, XRES, CK, IK, AUTN)
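Added example, not part of the original slides: the AuC building a quintet and the USIM checking AUTN (unconceal SQN, verify MAC, check freshness). Assumptions: truncated HMAC-SHA256 stands in for f1 to f5, which the slides do not define; the freshness scheme is reduced to "SQN must exceed the highest accepted value"; the status strings and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

def f(k: bytes, name: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f5 (HMAC-SHA256 truncated to n bytes), not the real functions."""
    return hmac.new(k, name + data, hashlib.sha256).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def auc_quintet(k: bytes, sqn: int, amf: bytes, rand: bytes):
    """AuC side: build (RAND, XRES, CK, IK, AUTN) for one fresh SQN."""
    sqn_b = sqn.to_bytes(6, "big")                      # 48-bit sequence number
    mac = f(k, b"f1", sqn_b + rand + amf, 8)            # 64-bit MAC
    xres = f(k, b"f2", rand, 8)
    ck, ik = f(k, b"f3", rand, 16), f(k, b"f4", rand, 16)
    ak = f(k, b"f5", rand, 6)                           # 48-bit anonymity key
    autn = xor(sqn_b, ak) + amf + mac                   # SQN xor AK || AMF || MAC
    return rand, xres, ck, ik, autn

def usim_check(k: bytes, highest_sqn: int, rand: bytes, autn: bytes):
    """USIM side: unconceal SQN, verify MAC, then check SQN freshness."""
    conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn_b = xor(conc_sqn, f(k, b"f5", rand, 6))
    if not hmac.compare_digest(mac, f(k, b"f1", sqn_b + rand + amf, 8)):
        return "mac_failure", None                      # AUTN not from the home network
    if int.from_bytes(sqn_b, "big") <= highest_sqn:
        return "sync_failure", None                     # replayed or stale vector
    return "ok", (f(k, b"f2", rand, 8), f(k, b"f3", rand, 16), f(k, b"f4", rand, 16))

def demo():
    """Run a fresh vector, a replay of it, and a tampered AUTN (constructed values)."""
    k, rand, amf = os.urandom(16), os.urandom(16), b"\x80\x00"
    _, xres, ck, ik, autn = auc_quintet(k, sqn=42, amf=amf, rand=rand)
    first = usim_check(k, highest_sqn=41, rand=rand, autn=autn)
    replay = usim_check(k, highest_sqn=42, rand=rand, autn=autn)
    forged = usim_check(k, 41, rand, autn[:-1] + bytes([autn[-1] ^ 1]))
    return first[0], first[1] == (xres, ck, ik), replay[0], forged[0]

if __name__ == "__main__":
    print(demo())
```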