LTE Security - Klaas' home on the webLTE安全-克拉斯家网站上

1、LTE SecurityAgenda Intro Intro The LTE SystemRadio Side (LTE Long Term Evolution/Evolved UTRAN - EUTRAN) Improvements in spectral efficiency, user throughput, latency Simplification of the radio network Efficient support of packet based services: Multicast, VoIP, etc.Network Side (SAE System Archite

2、cture Evolution/Evolved Packet Core - EPC) Improvement in latency, capacity, throughput, idle to active transitions Simplification of the core network Optimization for IP traffic and services Simplified support and handover to non-3GPP access technologiesOverview of 3GPP LTE/SAE SystemUEeNodeBeNodeB

3、MMES-GWEvolved UTRAN(E-UTRAN)Evolved Packet Core (EPC)HSSPCRFPDN-GWS1-US5S1-MMEX2 UE = User Equipment MME = Mobility Management Entity, termination point in network for ciphering/integrity protection for NAS signaling, handles the security key management, authenticating users S-GW = Serving Gateway

4、PDN-GW = PDN Gateway PCRF = Policy Charging Rule FunctionEvolved Packet Core GW CapabilitiesServing GW functions include:Local Mobility Anchor point for inter-eNodeB handover (i.e. GTP termination)PMIP or GTP support towards PDN GatewayPer flow QoS Policy EnforcementLawful InterceptionTraffic Accoun

5、tingPDN GW functions include:Policy Enforcement (QoS, charging, mobility)Per-user based packet filtering Mobility anchoring for intra- and inter-3GPP mobility (requires GTP and MIP HA)Charging SupportLawful InterceptionBoth can be combined if there is a full mesh between base stations and GWsIP Tunn

6、elIP TunnelServing GWPDN GWMACSecurityLayer 3OFDMAEvolving Security ArchitectureRadio ControllerCore NetworkGSMHandset AuthenticationCipheringGPRSHandset Authentication + Ciphering3GMutual AuthenticationCiphering + Signalling integritySAE/LTEMutual AuthenticationCiphering + Radio signalling integrit

7、yCore Signalling integrityOptional IPSecSAE/LTE Security Security implications: Flat architecture Interworking with legacy and non-3GPP networks eNB placement in untrusted locations Keep security breaches local Result: Extended Authentication and Key Agreement More complex key hierarchy More complex

8、 interworking security Additional security for (home)eNBLTE/SAE architecture(I) Network access security: secure access to services, protect against attacks on (radio) access links(II) Network domain security: enable nodes to securely exchange signaling data & user data (between AN/SN and within

9、AN, protect against attacks wireline network(III) User domain security: secure access to mobile stations(IV) Application domain security: enable applications in the user and in the provider domain to securely exchange messagesME = Mobile EquipmentUSIM = Universal Subscriber Identity ModuleAN = Acces

10、s NetworkHE = Home EnvironmentSN = Serving NetworkNon-3GPP Access (I) Network access security (II) Network domain security (III) Non-3GPP domain security (IV) Application domain security (V) User domain securityME = Mobile EquipmentUSIM = Universal Subscriber Identity ModuleAN = Access NetworkHE = H

11、ome EnvironmentSN = Serving NetworkNetwork access security User identity (and location) confidentiality Entity authentication Confidentiality Data integrity Mobile equipment identification The use of a SIM Subscription Identification Module SIM holds secret key Ki, Home network holds another Used as

12、 Identity & Security key IMSI is used as user identity Benefits Easy to get authentication from home network while in visited network without having to handle KiSource: ETRINetwork Access Protection Authentication and key agreement UMTS AKA re-used for SAE SIM access to LTE explicitly excluded S

13、ignaling protection For core network (NAS) signaling, integrity and confidentiality protection terminates in MME (Mobile Management Entity) For radio network (RRC) signaling, integrity and confidentiality protection terminates in eNodeB User plane protection Encryption terminates in eNodeB Network d

14、omain security for network internal interfacesAuthentication and Key Agreement HSS generates authN data and provides it to MME Challenge-response authN and key agreement between MME and UEConfidentiality and Integrity of Signaling RRC signaling between UE and E-UTRAN NAS signaling between UE and MME

15、 S1 interface signaling (optional) protection not UE-specificUser Plane Confidentiality S1-U (optional) protection not UE-specific, based on IPsec Integrity not protectedKey Hierarchy in LTE/SAE Cryptographic network separation Authentication vectors specific to serving networkHandovers without MME

16、Handovers possible between eNBs (performance) If keys are passed unmodified, compromised eNB compromises other eNB One-way function before passing over MME is involved after HO for further key passingHome eNodeB security threats Compromise HeNB credentials Physical attack HeNB Configuration attack M

17、itM attacks etc. DoS attacks etc. User data and privacy attacks Radio Resources and management attacksHome ENodeB security measures Mutual AuthN HeNB and home network Secure tunnel for backhaul Trusted environment inside HeNB Access Control OAM security mechanisms Hosting Party authentication (Hosti

18、ng party Module)Network Domain Security Enable nodes to securely exchange signaling data & user data between Access Network and Serving Network and within Access Network Protect against attacks on wireline network No security in 2G core network Now security is needed: IP used for signaling and u

19、ser traffic Open and easily accessible protocols New service providers (content, data service, HLR) Network elements can be remote (eNB)Security Domains Managed by single administrative authority Border between security domains protected by Security Gateway (SEG)Security Gateway Handle communication

20、 over Za interface (SEG-SEG) AuthN/integrity mandatory, encryption recommended using IKEv1 or IKEv2 for negotiating, establishing and maintaining secure ESP tunnel Handle communication over (optional) Zb interface (SEG- NE or NE-NE) Implement ESP tunnel and IKEv1 or IKEv2 ESP with AuthN, integrity,

21、optional encryption All traffic flows through SEG before leaving or entering security domain Secure storage of long-term keys used for IKEv1 and IKEv2 Hop-by-hop security (chained tunnels or hub-and-spoke)Security for Network Elements Services Data integrity Data origin authentication Anti-replay Co

22、nfidentiality (optional) Using IPsec ESP (Encapsulation Security Payload) Between SEGs: tunnel mode Key management: IKEv1 or IKEv2 Security associations from NE only to SEG or NEs in own domainTrust validation with IPsecTrust validation for TLSUser domain security Secure access to mobile stations Fe

23、w slidesApplication domain security The set of security features that enable applications in the user and in the provider domain to securely exchange messages. Secure messaging between the USIM and the network (TS 22.048) Slides about IMS, SIPIMS Security Security/AuthN mechnism Mutual AuthN using U

24、MTS AKA Typically implemented on UICC (ISIM application) UMTS AKA integrated into HTTP digest (RFC3310) NASS-IMS bundled AuthN SIP Digest based AuthN Access security with TLSInterworking with legacy network Few slides about CDMA-3GPP interworkingReferences Principles, objectives and requirements TS

25、33.120 Security principles and objectives TS 21.133 Security threats and requirements Architecture, mechanisms and algorithms TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirements TS 35.20 x Access network algorithm specifications ReferencesT

26、S 33.210 v8.3.0: Network Domain Security: IP-layer(/ftp/Specs/archive/33_series/33.210/)TS 33.310 V9.0.0: Network Domain Security: Authentication Framework/ftp/Specs/archive/33_series/33.310/TS 33.401 V9.0.0: SAE security architecture/ftp/Specs/archive/3