
3GPP LTE Security Aspects

Dionisio Zumerle
Technical Officer, 3GPP ETSI

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011


Contents
- LTE security architecture
- Security algorithms
- Lawful Interception
- Backhaul Security
- Relay Node Security


LTE Security Architecture


LTE Security: UMTS Security and LTE Architectural impact

UMTS security enhancements (over GSM):
- Mutual authentication
- Integrity keys
- Public algorithms
- Encryption terminating deeper in the network (at the RNC rather than the base station)
- Longer key length

LTE architecture:
- Flat architecture
- Separation of control plane and user plane
- eNodeB instead of NodeB/RNC
- All-IP network
- Interworking with legacy and non-3GPP networks

Characteristics of LTE security:
- Re-use of UMTS Authentication and Key Agreement (AKA)
- Use of USIM required (GSM SIM excluded)
- Extended key hierarchy
- Possibility for longer keys
- Greater protection for the backhaul
- Integrated interworking security for legacy and non-3GPP networks

AKA and signalling protection

[Figure: EPS architecture with UE, E-UTRAN, MME, Serving Gateway, HSS, SGSN, UTRAN and GERAN, and the reference points LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S10, S11 and S12]

Protection applied on the interfaces shown:
- LTE-Uu (UE to eNB): confidentiality and integrity for signalling (RRC and NAS), confidentiality for the user plane
- UE to MME (NAS): confidentiality and integrity for signalling only
- S1 backhaul: optional user plane protection with IPsec

Authentication and Key Agreement

Message sequence between UE, eNB, MME and HSS/AuC:
1. UE -> MME: NAS Attach Request (IMSI)
2. MME -> HSS/AuC: Authentication Data Request (IMSI, SN_id)
3. HSS/AuC -> MME: Authentication Data Response (AV = {AUTN, XRES, RAND, KASME})
4. MME -> UE: NAS Authentication Request (AUTN, RAND, KSIASME); the UE verifies AUTN and computes RES
5. UE -> MME: NAS Authentication Response (RES); the MME compares RES with XRES
6. MME -> UE: NAS Security Mode Command (selected confidentiality and integrity algorithms)
7. UE -> MME: NAS Security Mode Complete
8. MME -> eNB: S1AP Initial Context Setup (carries KeNB to the eNB)
9. eNB -> UE: RRC Security Mode Command (selected confidentiality and integrity algorithms)
10. UE -> eNB: RRC Security Mode Complete

Security Algorithms


LTE Security Algorithms

- Currently two separate algorithm sets specified (128-EEA1/EIA1 and 128-EEA2/EIA2), in addition to one NULL algorithm (EEA0/EIA0)
- Current key length: 128 bits, with the possibility to extend to 256 bits in the future
- Confidentiality protection of NAS/AS signalling: recommended
- Integrity protection of NAS/AS signalling: mandatory
- User data confidentiality protection: recommended
- Ciphering/deciphering applied at the PDCP layer (AS) and at the NAS layer

LTE Ciphering and Integrity mechanisms

[Figure: ciphering. Sender and receiver each feed KEY, COUNT, BEARER, DIRECTION and LENGTH into EEA to produce the same KEYSTREAM BLOCK; the sender XORs it with the PLAINTEXT BLOCK to obtain the CIPHERTEXT BLOCK, and the receiver XORs the same keystream with the ciphertext to recover the plaintext.]

[Figure: integrity. The sender feeds KEY, COUNT, DIRECTION, BEARER and the MESSAGE into EIA to compute MAC-I (NAS-MAC for NAS); the receiver computes XMAC-I (XNAS-MAC) over the received message with the same inputs and compares it with the received MAC-I.]

128-EEA1/EIA1
- Based on SNOW 3G, a stream cipher whose keystream is produced by a Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM)
- Designed to be as different from KASUMI as possible; selected during the UMTS security design (as UEA2/UIA2)
- Allows low power consumption and a low gate count when implemented in hardware

128-EEA2/EIA2
- AES block cipher: Counter (CTR) mode for ciphering, CMAC mode for MAC-I creation (integrity)
- As different from SNOW 3G as possible: cracking one would not affect the other
- Reasons why KASUMI was not re-used:
  - the eNB already supports AES, since it needs AES for NDS/IP (IPsec on the backhaul)
  - similarity with other non-3GPP accesses (e.g. 802.11i)
  - other reasons
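The AES-based pair described above, as an added example that is not part of the original presentation: a stand-alone Python implementation of 128-EEA2 (AES-128 in CTR mode) and 128-EIA2 (AES-CMAC truncated to a 32-bit MAC-I), with the COUNT || BEARER || DIRECTION input block laid out as in TS 33.401 Annex B. AES-128 is written out (encrypt direction only, which is all CTR and CMAC need) so the example runs with nothing but the standard library; the function names, the sample key and the sample PDU are this example's own, constructed for illustration. Validate any real implementation against the test vectors in TS 33.401 Annex C.

```python
# Pure-Python AES-128 (encrypt only), AES-CTR and AES-CMAC (RFC 4493), wired up as 128-EEA2 / 128-EIA2.
import hmac

SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d8311504c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f8453d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa851a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d197360814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df8ca1890dbfe6426841992d0fb054bb16")

def _xtime(b):                       # multiply by x in GF(2^8)
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_keys(key):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:               # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    rk = _round_keys(key)
    s = _xor(block, rk[0])            # state is column-major: s[4*col + row]
    for rnd in range(1, 11):
        s = [SBOX[x] for x in s]                                    # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]          # ShiftRows
        if rnd != 10:                                               # MixColumns
            out = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = out
        s = _xor(s, rk[rnd])                                        # AddRoundKey
    return bytes(s)

def _cmac_subkeys(key):
    def dbl(b):                      # left shift in GF(2^128), reduce with 0x87
        v = int.from_bytes(b, "big") << 1
        v = (v ^ 0x87) if v >> 128 else v
        return (v & ((1 << 128) - 1)).to_bytes(16, "big")
    k1 = dbl(aes128_encrypt_block(key, bytes(16)))
    return k1, dbl(k1)

def aes_cmac(key, msg):
    """AES-CMAC per RFC 4493; returns the full 128-bit tag."""
    k1, k2 = _cmac_subkeys(key)
    n = max(1, (len(msg) + 15) // 16)
    last = msg[16 * (n - 1):]
    if msg and len(msg) % 16 == 0:
        last = _xor(last, k1)
    else:                                   # pad 10...0 and use K2
        last = _xor(last + b"\x80" + bytes(15 - len(last)), k2)
    x = bytes(16)
    for i in range(n - 1):
        x = aes128_encrypt_block(key, _xor(x, msg[16 * i:16 * i + 16]))
    return aes128_encrypt_block(key, _xor(x, last))

def _count_bearer_dir(count, bearer, direction):
    """COUNT (32 bits) || BEARER (5 bits) || DIRECTION (1 bit) || 26 zero bits, as in TS 33.401 Annex B."""
    return count.to_bytes(4, "big") + bytes([(bearer & 0x1F) << 3 | (direction & 1) << 2, 0, 0, 0])

def eea2(key, count, bearer, direction, data):
    """128-EEA2: AES-CTR with T1 = COUNT||BEARER||DIRECTION||0^26||0^64; the same call decrypts."""
    t1 = int.from_bytes(_count_bearer_dir(count, bearer, direction) + bytes(8), "big")
    out = bytearray()
    for i in range(0, len(data), 16):
        ctr = ((t1 + i // 16) & ((1 << 128) - 1)).to_bytes(16, "big")
        out += _xor(data[i:i + 16], aes128_encrypt_block(key, ctr))
    return bytes(out)

def eia2(key, count, bearer, direction, message):
    """128-EIA2: MAC-I = 32 most significant bits of AES-CMAC(K, COUNT||BEARER||DIRECTION||0^26||MESSAGE)."""
    return aes_cmac(key, _count_bearer_dir(count, bearer, direction) + message)[:4]

def eia2_verify(key, count, bearer, direction, message, mac_i):
    """Receiver side: compute XMAC-I and compare it with the received MAC-I in constant time."""
    return hmac.compare_digest(eia2(key, count, bearer, direction, message), mac_i)

if __name__ == "__main__":
    key = bytes(range(16))                          # constructed sample key, not a spec test vector
    pdu = b"RRC Security Mode Complete"            # constructed sample PDCP payload
    mac = eia2(key, count=7, bearer=3, direction=0, message=pdu)
    ct = eea2(key, 7, 3, 0, pdu + mac)              # PDCP order: integrity first, then ciphering
    print("MAC-I", mac.hex(), "ciphertext", ct.hex())
    print("round trip ok:", eea2(key, 7, 3, 0, ct) == pdu + mac)
```

Two things the code makes visible that the slide does not: the receiver must decipher first and only then compute XMAC-I over the recovered PDU, and COUNT must never repeat for a given key, bearer and direction, because CTR mode turns a repeated counter block into keystream reuse, which is exactly why the key hierarchy re-derives KeNB before the PDCP COUNT can wrap.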

128-EEA3/EIA3
- Based on ZUC, a stream cipher designed in China
- Three-phase evaluation ongoing
- Public evaluation ongoing: http://zucalg.forumotion.net/
- 2nd International Workshop on ZUC: June 5-6 in Beijing, http://www.3gpp.org/Call-for-Papers-Beijing-ZUC
- Whether support will be network-mandatory or network-optional is still to be decided

Deeper Key hierarchy in LTE

[Figure: key hierarchy. K is shared by USIM and AuC; CK, IK are derived at UE and HSS; KASME at UE and ASME (the MME); from KASME the UE and MME derive KNASenc, KNASint and KeNB; from KeNB the UE and eNB derive KRRCenc, KRRCint, KUPenc and KUPint.]

- Faster handovers and key changes, independent of AKA
- Added complexity in the handling of security contexts
- Security breaches stay local: a compromised key at one level or node does not expose the keys above it

Key Derivation

[Figure: key distribution and key derivation scheme for EPS (network side). All KDF outputs are 256 bits.
- HSS: CK, IK together with SN id and SQN xor AK -> KDF -> KASME
- MME: KASME with NAS UPLINK COUNT -> KDF -> KeNB; KASME with KeNB or the previous NH -> KDF -> NH; KASME with NAS-enc-alg/Alg-ID and NAS-int-alg/Alg-ID -> KDF -> KNASenc, KNASint (256) -> Trunc -> 128
- eNB: KeNB or NH with Physical cell ID and EARFCN-DL -> KDF -> KeNB* (the KeNB of the target cell); KeNB with RRC-enc-alg, RRC-int-alg, UP-enc-alg, UP-int-alg and their Alg-IDs -> KDF -> KRRCenc, KRRCint, KUPenc, KUPint (256) -> Trunc -> 128]

Key distribution and key derivation scheme for EPS (network side): see TS 33.401. The Key Derivation Function (KDF) is specified in TS 33.220.
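The derivation tree on this slide, as an added example that is not part of the original presentation: it picks up where the AKA exchange on the Authentication and Key Agreement slide ends (CK, IK at the HSS) and walks down to the 128-bit algorithm keys, including the NH chain and KeNB* used at handover. The KDF is the HMAC-SHA-256 construction of TS 33.220 Annex B; the FC values, parameter encodings and algorithm type distinguishers are those of TS 33.401 Annex A as I recall them, so check them against your release before relying on them. Function names and the sample CK/IK, SN id and SQN xor AK values are this example's own, constructed for illustration.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic KDF of TS 33.220 Annex B.
    S = FC || P0 || L0 || P1 || L1 || ...  (each Li is the 2-byte big-endian length of Pi)
    derived key = HMAC-SHA-256(Key, S), 256 bits."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

# FC values and algorithm type distinguishers as listed in TS 33.401 Annex A
# (from memory of the spec; verify against your release before reuse).
FC_KASME, FC_KENB, FC_NH, FC_KENB_STAR, FC_ALG_KEY = 0x10, 0x11, 0x12, 0x13, 0x15
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC, UP_INT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06
EEA0_EIA0, EEA1_EIA1, EEA2_EIA2, EEA3_EIA3 = 0x00, 0x01, 0x02, 0x03   # algorithm identities

def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """HSS side: KASME = KDF(CK || IK, FC=0x10, SN id (3 bytes), SQN xor AK (6 bytes)).
    Binding SN id in here is what ties the key to the serving network."""
    assert len(sn_id) == 3 and len(sqn_xor_ak) == 6
    return kdf(ck + ik, FC_KASME, sn_id, sqn_xor_ak)

def derive_kenb(kasme: bytes, nas_uplink_count: int) -> bytes:
    """MME side: KeNB = KDF(KASME, FC=0x11, uplink NAS COUNT (4 bytes))."""
    return kdf(kasme, FC_KENB, nas_uplink_count.to_bytes(4, "big"))

def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """Next Hop: NH = KDF(KASME, FC=0x12, SYNC-input). SYNC-input is KeNB for the
    first NH and the previous NH afterwards (one step of the chain per NCC)."""
    return kdf(kasme, FC_NH, sync_input)

def derive_kenb_star(kenb_or_nh: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* for handover = KDF(KeNB or NH, FC=0x13, PCI (2 bytes), EARFCN-DL (2 bytes)).
    From the current KeNB it is a horizontal derivation, from a fresh NH a vertical one."""
    return kdf(kenb_or_nh, FC_KENB_STAR, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

def derive_alg_key(key: bytes, alg_type: int, alg_id: int, length_bits: int = 128) -> bytes:
    """Algorithm key = KDF(KASME or KeNB, FC=0x15, type distinguisher (1 byte), alg id (1 byte)),
    truncated to the n least significant bits, i.e. the tail of the 256-bit output."""
    full = kdf(key, FC_ALG_KEY, bytes([alg_type]), bytes([alg_id & 0x0F]))
    return full[-(length_bits // 8):]

def lte_key_hierarchy(ck, ik, sn_id, sqn_xor_ak, nas_uplink_count, alg_id):
    """Walk the hierarchy from CK/IK down to the 128-bit algorithm keys on the slide."""
    kasme = derive_kasme(ck, ik, sn_id, sqn_xor_ak)
    kenb = derive_kenb(kasme, nas_uplink_count)
    return {
        "KASME": kasme,
        "KeNB": kenb,
        "KNASenc": derive_alg_key(kasme, NAS_ENC, alg_id),
        "KNASint": derive_alg_key(kasme, NAS_INT, alg_id),
        "KRRCenc": derive_alg_key(kenb, RRC_ENC, alg_id),
        "KRRCint": derive_alg_key(kenb, RRC_INT, alg_id),
        "KUPenc": derive_alg_key(kenb, UP_ENC, alg_id),
        "KUPint": derive_alg_key(kenb, UP_INT, alg_id),
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from any test vector in the specifications.
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    sn_id = bytes.fromhex("12f310")                   # example MCC/MNC encoding, constructed
    sqn_xor_ak = bytes.fromhex("000000000001")
    keys = lte_key_hierarchy(ck, ik, sn_id, sqn_xor_ak, nas_uplink_count=0, alg_id=EEA2_EIA2)
    for name, k in keys.items():
        print(f"{name:8s} {len(k) * 8:3d} bits  {k.hex()}")
    nh1 = derive_nh(keys["KASME"], keys["KeNB"])       # NH for NCC = 1
    print("KeNB* vertical  ", derive_kenb_star(nh1, pci=42, earfcn_dl=1800).hex())
    print("KeNB* horizontal", derive_kenb_star(keys["KeNB"], pci=42, earfcn_dl=1800).hex())
```

The two properties worth noticing in the output are the ones the slide calls "security breaches local": every derivation is one-way, so a KeNB recovered from a compromised eNB does not yield KASME, and an MME can hand the target eNB a KeNB* derived from a fresh NH rather than from the key the source eNB already holds, which is what gives the vertical derivation its forward-security value.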

Lawful Interception


Lawful Interception in 3GPP

[Figure: the dimensions of lawful interception: legal process, political and business relations, cost; and the technical chain of interception, retrieval, handover, storage and analysis.]

Lawful Interception in EPS

- Context and mechanisms similar to the UMTS PS case, with different core entities acting as ICEs (Intercepting Control Elements)
- The ADMF (Administration Function) handles requests from Law Enforcement Authorities; target identities: IMSI, MSISDN and IMEI
- Internal interfaces: X1 provisions the ICEs and Delivery Functions, X2 delivers IRI (Intercept Related Information), X3 delivers CC (Content of Communication)
- HI1, HI2, HI3: Handover Interfaces with law enforcement; HI1 conveys requests for interception of targets, HI2 delivers IRI and HI3 delivers CC to the LEAs

EPS LI Architecture

[Figure: the EPS architecture (UE, E-UTRAN, MME, Serving Gateway, PDN Gateway, HSS, PCRF, SGSN, UTRAN/GERAN and the operator's IP services such as IMS and PSS) with the LI functions attached: the ADMF provisions the ICEs over X1_1, Delivery Function 2 over X1_2 and Delivery Function 3 over X1_3; the ICEs send IRI over X2 to Delivery Function 2 and CC over X3 to Delivery Function 3; Mediation Functions pass HI1, HI2 and HI3 to the LEMF.]

Backhaul Security


Backhaul Security
- Base stations are becoming more powerful: the LTE eNodeB includes the functions of both NodeB and RNC
- Coverage needs grow constantly; infrastructure sharing
- It is not always possible to trust the physical security of the eNB
- Greater backhaul link protection is therefore necessary

Certificate Enrollment for Base Stations

[Figure from 3GPP TS 33.310: base station, RA/CA and SEG. The base station has a vendor-signed certificate of its public key and the operator root certificate pre-installed; the RA/CA has the vendor root certificate pre-installed. The base station obtains an operator-signed certificate on its own public key from the RA/CA using CMPv2; the enrolled base station certificate is then used in IKE/IPsec towards the SEG.]

Relay Node Security


Relay Node Authentication

- Mutual authentication between Relay Node and network: AKA is used at RN attach, with the credentials stored on the UICC
- Binding of Relay Node and USIM, based on symmetric pre-shared keys or on certificates

[Figure: UE -- radio -- Relay Node -- radio -- Donor eNB -- backhaul -- Core Network]

Relay Node Security
- Control plane traffic integrity protected
- User plane traffic optionally integrity protected
- Connection between Relay Node and network confidentiality protected
- Device integrity check
- Secure environment for storing and processing sensitive data

Conclusions
- LTE Security builds on GSM and UMTS security
- Newer security algorithms, longer keys
- Extended key hierarchy
- New features addressing new scenarios: backhaul security, relay node security

Thank You!
dionisio.zumerle@etsi.org

More Information about 3GPP:

www.3gpp.org
contact@3gpp.org

Backup: Selection of 3GPP Security Standards

LTE Security:
- TS 33.401 System Architecture Evolution (SAE); Security architecture
- TS 33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP accesses
Lawful Interception:
- TS 33.106 Lawful interception requirements
- TS 33.107 Lawful interception architecture and functions
- TS 33.108 Handover interface for Lawful Interception
Key Derivation Function:
- TS 33.220 Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)
Backhaul Security:
- TS 33.310 Network Domain Security (NDS); Authentication Framework (AF)
Relay Node Security:
- TR 33.816 Feasibility study on LTE relay node security (also TS 33.401)
Home (e)Node B Security:
- TS 33.320 Home (evolved) Node B Security
