3GPP LTE

Security Aspects
Dionisio Zumerle
Technical Officer, 3GPP
ETSI

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

1
1

Contents
LTE security architecture
Security algorithms
Lawful Interception
Backhaul Security
Relay Node Security

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

2
2

LTE Security Architecture

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

3
3

LTE Security:
UMTS Security and LTE Architectural impact
UMTS security enhancements:

Mutual authentication
Integrity keys
Public algorithms
Deeper encryption
Longer key length

LTE Architecture:
Flat architecture
Separation of control plane and
user plane
eNodeB instead of NodeB/RNC
All-IP network
Interworking with legacy
and non-3GPP networks
3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

Characteristics of LTE Security

Re-use of UMTS Authentication
and Key Agreement (AKA)
Use of USIM required
(GSM SIM excluded)
Extended key hierarchy
Possibility for longer keys
Greater protection for backhaul
Integrated interworking security
for legacy and non-3GPP
networks

4
4

AKA and signalling protection

UTRAN
SGSN
HSS

GERAN
S3
S1-MME

S6a
MME
S11
S10

LTE-Uu
UE

S12
S4
Serving
Gateway

E-UTRAN

S5

S1-U

Confidentiality and integrity for signalling and confidentiality for user plane (RRC & NAS)
Confidentiality and integrity for signalling only (NAS)
Optional user plane protection (IPsec)

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

5
5

Authentication and Key Agreement

UE

eNB

MME

AuC

NAS attach request (IMSI)

AUTH data request
(IMSI, SN_id)
AUTH data response
(AV={AUTN, XRES, RAND, Kasme})
NAS auth request (AUTN, RAND, KSIasme)
NAS auth response (RES)
NAS SMC (confidentiality and integrity algo)
NAS Security Mode Complete
S1AP Initial Context Setup
RRC SMC (confidentiality and integrity algo)
RRC Security Mode Complete

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

6
6

Security Algorithms

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

7
7

LTE Security Algorithms

Currently two separate algorithms specified
In addition to one NULL algorithm

Current keylength 128 bits

Possibility to extend to 256 in the future

Confidentiality protection of NAS/AS signalling recommended

Integrity protection of NAS/AS signalling mandatory
User data confidentiality protection recommended
Ciphering/Deciphering applied on PDCP and NAS

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

8
8

LTE Ciphering and Integrity

mechanisms
COUNT

DIRECTION
BEARER

COUNT

LENGTH

BEARER

EEA

KEY

PLAINTEXT
BLOCK
Receiver

Sender

COUNT

DIRECTION

MESSAGE

Sender

COUNT

BEARER

EIA

KEY

3GPP 2011

ciphering

KEYSTREAM
BLOCK
CIPHERTEXT
BLOCK

integrity

LENGTH

EEA

KEY

KEYSTREAM
BLOCK
PLAINTEXT
BLOCK

DIRECTION

MAC-I/NAS-MAC

3GPP Workshop, Bangalore, 30 May 2011

DIRECTION

MESSAGE

KEY

BEARER

EIA
XMAC -I/XNAS-MAC

Receiver

9
9

128-EEA1/EIA1
Based on SNOW 3G
stream cipher
keystream produced by Linear Feedback Shift Register
(LFSR) and a Finite State Machine (FSM)

Different from KASUMI as possible

selected during UMTS security design

Allows for:
low power consumption
low gate count implementation in hardware

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

10
10

128-EEA2/EIA2
AES block cipher
Counter (CTM) Mode for ciphering
CMAC Mode for MAC-I creation (integrity)

Different from SNOW 3G as possible

Cracking one would not affect the other

Reasons why KASUMI was not re-used:

eNB already supports AES
needs to support AES for NDS/IP

Similarity with other non-3GPP accesses (e.g. 802.11i)

Other
3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

11
11

128-EEA3/EIA3
Based on Chinese ZUC
stream cipher

Three-phase evaluation ongoing

Public evaluation ongoing! http://zucalg.forumotion.net/
2nd International Workshop on ZUC: June 5-6 in Beijing
http://www.3gpp.org/Call-for-Papers-Beijing-ZUC

Network-mandatory/network-optional to be decided

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

12
12

Deeper Key hierarchy in LTE

USIM / AuC

K
CK, IK

UE / HSS
KASME

UE / ASME
KNASenc

KNASint

KeNB

UE / MME
KUPint

KUPenc

KRRCint

KRRCenc

UE / eNB

Faster handovers and key changes, independent of AKA

Added complexity in handling of security contexts
Security breaches local
3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

13
13

Key Derivation
HSS

MME

CK,IK

KeNB

256
SN id, SQN
AK

NH

KDF

K
D
F

256

KeNB*

KeNB

256

eNB

KDF

NH

eNB

Physical cell ID, EARFCN-DL

256

256

256

K
D
F

KASME
256

NAS UPLINK COUNT

NAS-enc-alg,
Alg-ID

NAS-int-alg,
Alg-ID

KDF
256

KDF

KeNB

RRC-enc-alg, Alg-ID
RRC-int-alg, Alg-ID
UP-enc-alg, Alg-ID
UP-int-alg, Alg-ID

KDF

KDF

KNASenc

KNASint

256

256

128

KNASenc

KDF

KDF

256
256

Trunc

256

Trunc

KUPint
256

Trunc
128

128

KNASint

KUPint

256

256

KUPenc

KRRCint

256

256

Trunc

256

KRRCe
nc

Trunc

128

128

KUPenc

KRRCint

256

Trunc
128

KRRCenc

Key distribution and key derivation scheme for EPS (network side), found in 33.401
Key Derivation Function (KDF) specification can be found in 33.220
3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

14
14

Lawful Interception

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

15
15

Lawful Interception in 3GPP

Cost

Political

Interception

Business

Retrieval

Handover

Analysis

Legal

process

Relations
Storage

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

16
16

Lawful Interception in EPS

Context and mechanisms similar to case of UMTS PS
Different core entities (ICE, Intercepting Control Elements)
ADMF handles requests from Law Enforcement Authorities
target identity: IMSI, MSISDN and IMEI

X1 interface provisions ICEs and Delivery Functions

X2 delivers IRI (Intercept Related Information)
X3 delivers CC (Content of Communication)
HI1,2,3: Handover Interfaces with law enforcement
Convey requests for interception of targets (HI1)
Deliver IRI (HI2) and CC (HI3) to LEAs

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

17
17

EPS LI Architecture
UTRAN
SGSN
HSS

GERAN
S3
S1-MME

S6a

X2

MME
S11

UE

Serving
Gateway

E-UTRAN
S1-U

X1_1

X1_2

SGi

Operator's IP
Services
(e.g. IMS, PSS etc.)

X3
Delivery
Function 3

ADMF

Mediation
Function

PDN
Gateway

X2

X1_3

Rx

Gx

S4

S10

LTE-Uu

PCRF
S12

Delivery
Function 2
Mediation
Function

HI2

HI1

Mediation
Function

HI3

LEMF
3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

18
18

Backhaul Security

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

19
19

Backhaul Security
Base stations becoming more powerful
LTE eNode B includes functions of NodeB and RNC

Coverage needs grow constantly

Infrastructure sharing

Not always possible to trust physical security of eNB

Greater backhaul link protection necessary

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

20
20

Certificate Enrollment
for Base Stations

RA/CA

Vendor root certificate

pre-installed.

SEG

CMPv2

base station obtains operator-signed

certificate on its own public key from RA/CA
using CMPv2.

IPsec

base station

Operator root certificate

pre-installed.

Enrolled base station

certificate is used in IKE/IPsec.

Vendor-signed certificate
of base station public key
pre-installed.

Picture from 3GPP TS 33.310

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

21
21

Relay Node Security

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

22
22

Relay Node Authentication

Mutual authentication between Relay Node and network
AKA used (RN attach)
credentials stored on UICC

Binding of Relay Node and USIM:

Based on symmetric pre-shared keys, or
Based on certificates

Radio
UE

3GPP 2011

Radio
Relay

3GPP Workshop, Bangalore, 30 May 2011

Donor
eNB

Backhaul

Core

NW

23
23

Relay Node Security

Control plane traffic integrity protected
User plane traffic optionally integrity protected
Relay Node and network connection confidentiality protected
Device integrity check
Secure environment for storing and processing sensitive data

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

24
24

Conclusions
LTE Security: building on GSM and UMTS Security
Newer security algorithms, longer keys
Extended key hierarchy
New features, addressing new scenarios
Backhaul Security
Relay Node Security

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

25
25

Thank You!
dionisio.zumerle@etsi.org

More
Information
about 3GPP:

www.3gpp.org
contact@3gpp.org
3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

26
26

Backup:
Selection of 3GPP Security Standards
LTE Security:
33.401 System Architecture Evolution (SAE); Security architecture
33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP
Lawful Interception:
33.106 Lawful interception requirements
33.107 Lawful interception architecture and functions
33.108 Handover interface for Lawful Interception
Key Derivation Function:
33.220 GAA: Generic Bootstrapping Architecture (GBA)
Backhaul Security:
33.310 Network Domain Security (NDS); Authentication Framework (AF)
Relay Node Security
33.816 Feasibility study on LTE relay node security (also 33.401)
Home (e) Node B Security:
33.320 Home (evolved) Node B Security

3GPP 2011

3GPP Workshop, Bangalore, 30 May 2011

27
27