Security in Mobile Cellular

Networks

@3g4gUK
 3GPP Security Architecture
• 3GPP TS 33.102: 3G Security; Security architecture
• 3GPP TS 33.401: 3GPP System Architecture Evolution
(SAE); Security architecture
©3G4G
Five security feature groups are defined. Each of these feature
groups meets certain threats and accomplishes certain
security objectives:
o Network access security (I): the set of security features that
provide users with secure access to services, and which in
particular protect against attacks on the (radio) access link.
o Network domain security (II): the set of security features that
enable nodes to securely exchange signalling data, user data
(between AN and SN and within AN), and protect against attacks
on the wireline network.
o User domain security (III): the set of security features that secure
access to mobile stations.
o Application domain security (IV): the set of security features that
enable applications in the user and in the provider domain to
securely exchange messages.
o Visibility and configurability of security (V): the set of features
that enables the user to inform himself whether a security feature
is in operation or not and whether the use and provision of
services should depend on the security feature.
 Evolution of 3GPP Security (I)

Source: 3GPP - Bengt Sahlin

©3G4G
 Evolution of 3GPP Security (II)

Source: 3GPP - Bengt Sahlin

©3G4G
Evolution of 3GPP Security in 5G

Source: Huawei 5G Security Architecture White Paper

©3G4G
 Scope of this Presentation
• User Identity Confidentiality
• Authentication
• Ciphering (Confidentiality)
• Integrity Protection
• Signalling examples
• Sample messages (where available)
• Simple examples of hacking of the mobile network

©3G4G
 Identities
• Each Mobile device contain IMEI (International
Mobile Equipment Identity)

• The SIM card contains IMSI (International Mobile

Subscriber Identity)
• During the operation, IMSI has to be hidden with
help of temporary identities in order to provide:
• user identity confidentiality
• user location confidentiality
• user untraceability
©3G4G
 Temporary Identities
• In 2G/3G:
• TMSI (Temporary Mobile Subscriber Identity)
• P-TMSI (Packet TMSI)

• In 4G/LTE:
• GUTI (Globally Unique Temporary UE Identity)
GUMMEI - Globally Unique MME Identifier
MMEGI - MME Group ID
MMEC - MME Code
S-TMSI = SAE Temporary Mobile Subscriber Identity
M-TMSI = MME Temporary Mobile Subscriber Identity

More details: 3GPP TS 23.003

©3G4G
 What is Authentication?
• Authentication is to verify everyone
is who they claim to be Hello, I am James Bond

Hello, I am the Queen

• Authentication is performed via AKA or Authentication and Key

Agreement Procedure

• In 2G, we only had Handset Authentication whereas in 3G & 4G, we

perform Mutual Authentication to verify the handset as well as the
base station.

©3G4G
2G, 3G, 4G Simple Network Architecture
Data (IP) Voice (PSTN)
Network Network

P-GW
EPC
Core
Network GGSN SGSN MSC

S-GW MME

RNC BSC

Access RNS BSS

Network

eNodeB Node B BTS

Air
Interface 2G 2.5G
UE UE MS
3G 4G

©3G4G
 HLR, HSS & AuC
HLR/HSS/AuC

DATA

Logic

4G PS Core 2G/3G PS 2G/3G CS

Network Core Network Core Network

• HLR – Home Location Register

• HSS – Home Subscriber Server
• AuC – Authentication Center
Further Reading: 3G4G Blog

©3G4G
UICC & SIM
2G SIM UMTS SIM (USIM)

IMSI MSISDN MSISDN

IMSI MSISDN
MSISDN
Address Book
Ki Multimedia
Authentication
SMS Data Messaging
Data and Keys
Config Data
IMS SIM (ISIM)

Home Network Domain

Security Keys
Name (URI)

Private User Identity

y
Public User Identity
Access Rule Reference

Address of P-CSCF Administrative Data

©3G4G
The Attach Procedure Signalling
Access Network (AN) Core Network (CN)

UE AN CS CN PS CN

PS CN broadcast information
CS CN broadcast information
System information messages

Hello, I am UE 1

Hello UE1, please use this channel <…>

Thanks, I am all setup.

Hello, I am UE 1. Want to Attach and let you know that I am now active
Hello UE 1, please authenticate yourself against this vector <…>
No problems, here is my authentication response <…>

©3G4G
The Attach Procedure Signalling
Access Network (AN) Core Network (CN)

UE AN CS CN PS CN

I trust UE1, please establish security with it

Establish Security using <…>

Thanks, all done.

Security Established

Attach Accept. Please use this new temporary identity for now

Attach Complete.

UE1 is now connected to us

©3G4G
 What is Ciphering?
• Ciphering is the process of Encryption &
Decryption
• Its got nothing to do with compression /
decompression
• Example of 2G Ciphering

©3G4G
 Actual Security Procedure in GSM
Access Network (AN) Core Network (CN)

UE BTS BSC MSC/VLR

Authentication Request (CKSN, RAND)
Authentication Request (CKSN, RAND)
Authentication Request (CKSN, RAND) CKSN – Cipher Key Sequence Number
RAND – Random Number (128 bits)
SRES – Signed Response (32 bits)
Authentication Response (SRES) XRES – Expected Response (32 bits)
Kc – Ciphering Key (64 bit)
Authentication Response (SRES) A5 – Encryption Algorithm (A5/0 to A5/7)
Authentication Response (SRES)
Cipher Mode Command (Kc, A5x)
Cipher Mode Command (Kc, A5x)
Cipher Mode Command (A5x)

Cipher Mode Complete

Cipher Mode Complete
Cipher Mode Complete

©3G4G
 Actual Security Procedure in GPRS
Access Network (AN) Core Network (CN)

UE BTS BSC SGSN

Authentication and Ciphering Request (RAND)

Authentication and Ciphering Request (RAND) CKSN – Cipher Key Sequence Number
RAND – Random Number (128 bits)
Authentication and Ciphering Request (RAND) SRES – Signed Response (32 bits)
XRES – Expected Response (32 bits)
Kc – Ciphering Key (64 bit)
Authentication and Ciphering Response (SRES) A5 – Encryption Algorithm (A5/0 to A5/7)
Authentication and Ciphering Response (SRES)
Authentication and Ciphering Response (SRES)

©3G4G
 Security Architecture Evolution
AN – Access Network
AS – Access Stratum
RRC – Radio Resource Control
NAS – Non-Access Stratum Core
CP – Control Plane
UP – User Plane Network
MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC

Handset Authentication
GSM Ciphering (AN CP, UP)

Handset Authentication + Ciphering (AN CP, UP)

GPRS

©3G4G
Fake Cell Towers on Planes to Gather Data From
Phones

Source: MacRumors

©3G4G
 What is Integrity Protection?
• A 32 bit (4 octet) number is added to certain signalling messages in 3G &
4G to authenticate individual messages
• In 3G, Integrity protection is done at RRC layer
• In 4G, a Integrity protection happens at PDCP and in NAS.

©3G4G
 Example of MAC-I in 3G / UMTS
• Message Authentication Code MAC-I

©3G4G
Example of MAC-I in 4G / LTE

©3G4G
 UMTS Security Overview

Further Reading & References: UMTS Security: A Primer

©3G4G
UMTS Security Overview
Access Network (AN) Core Network (CN)

UE NodeB RNC VLR / SGSN

RRC Connection Setup Procedure

(Start Value, HFNs and the Security Capability is stored in RNC )
Initial L3 Message (user identity, KSI, etc)

Authentication & Key Agreement (AKA) Procedure

UIA, UEA
decision
Security Mode Command (UIAs, IK, UEAs, CK, etc)

Select UIA, UEA

Generate FRESH
Start Integrity

©3G4G
UMTS Security Overview
Access Network (AN) Core Network (CN)

UE NodeB RNC VLR / SGSN

Security Mode Command (CN domain, UIA, UEA, FRESH, Security Capability, etc)

Start Integrity

Security Mode Complete

Verify received
message

Security Mode Complete (selected UIA, UEA)

©3G4G
 Key things to remember in UMTS Security
• Integrity protection is mandatory and Ciphering optional
• The user plane (UP) for each domain is protected by its own Ciphering Key
while the control plane (CP) is protected by Ciphering & Integrity Keys from
the last domain
• Ciphering for CS domain happens in MAC as RLC is in transparent mode
(TM)
• Ciphering for PS domain happens in RLC for acknowledged mode (AM) or
unacknowledged mode (UM)
• For the first domain
• Authentication messages are not Integrity Protected or Ciphered
• Security Mode Command is the first Integrity protected message
©3G4G
 Key things to remember in UMTS Security
• For the second domain
• Authentication messages are Integrity Protected and optionally
ciphered with the first domain keys
• Security Mode Command requests modification of Integrity protection
and Ciphering for the CP
• The new integrity protection and ciphering takes place after the
Security Procedure is complete
• It is possible that ciphering is enabled for one domain and disabled for
another

©3G4G
Actual Security Procedure in UMTS – PS
Access Network (AN) Core Network (CN)

UE Node B RNC SGSN

Authentication and Ciphering Request
Authentication and Ciphering Request
Authentication and Ciphering Request

Authentication and Ciphering Response (SRES)

Authentication and Ciphering Response (SRES)
Authentication and Ciphering Response (SRES)
Security Mode Command
Security Mode Command
Security Mode Command

Security Mode Complete

Security Mode Complete
Security Mode Complete

©3G4G
 UMTS Security for PS Domain - Authentication
DL-DCCH-Message
-----> downlinkDirectTransfer
DL-DCCH-Message =
message = downlinkDirectTransfer = r3 = UL-DCCH-Message
downlinkDirectTransfer-r3 = <----- uplinkDirectTransfer
rrc-TransactionIdentifier = 0 UL-DCCH-Message =
cn-DomainIdentity = ps-domain message = uplinkDirectTransfer =
nas-Message = 0812013021D5770C6D363E30C364A4078F1BF8ED3A8028106E323B36C46C5555D5760E6E323B6391 cn-DomainIdentity = ps-domain
nas-Message = 08130322D5760E6E290C323B36C46CAD0D8417F5E335
Authentication and Ciphering Request
-----> Authentication and Ciphering Request PDU: Authentication and Ciphering Response
Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] <----- Authentication and Ciphering Response PDU:
Protocol Discriminator [4 bits] = 0x8 - GPRS Mobility Management [ 8 ]
Message Type [8 bits] = 0x12 - Authentication and Ciphering Request [ 18 ] Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ]
IMEISV Request Protocol Discriminator [4 bits] = 0x8 - GPRS Mobility Management [ 8 ]
Spare Bits [1 bit] = 0x0 [ 0 ] Message Type [8 bits] = 0x13 - Authentication and Ciphering Response [ 19 ]
value [3 bits] = 0x0 - IMEISV Not Requested [ 0 ] Spare Half Octet [4 bits] = 0x0 [ 0 ]
Ciphering Algorithm A & C Reference Number
Spare Bits [1 bit] = 0x0 [ 0 ] value [4 bits] = 0x3 [ 3 ]
Type of Algorithm [3 bits] = 0x1 [ 1 ] Authentication Response Signature
A & C Reference Number IE Identifier [8 bits] = 0x22 [ 34 ]
value [4 bits] = 0x3 [ 3 ] Value = 0xD5760E6E [ 3581283950 ]
Force Standby Authentication Response Parameter
Spare Bits [1 bit] = 0x0 [ 0 ] IE Identifier [8 bits] = 0x29 [ 41 ]
value [3 bits] = 0x0 - Force to Standby Not Indicated [ 0 ] IE Length [8 bits] = 0xC [ 12 ]
Authentication Parameter Rand value = 0x323B36C46CAD0D8417F5E335
IE Identifier [8 bits] = 0x21 [ 33 ]
Authentication Parameter Rand = 0xD5770C6D363E30C364A4078F1BF8ED3A
Ciphering Key Sequence Number
IE Identifier [4 bits] = 0x8 [ 8 ]
Spare Bits [1 bit] = 0x0 [ 0 ]
Key Sequence [3 bits] = 0x0 - Ciphering Key Sequence Number [ 0 ]
Authentication Parameter AUTN
IE Identifier [8 bits] = 0x28 [ 40 ]
Source: 3GPP Conformance Test 8.1.7.1c
IE Length [8 bits] = 0x10 [ 16 ]
value = 0x6E323B36C46C5555D5760E6E323B6391
©3G4G
 UMTS Security for PS Domain - Security
DL-DCCH-Message
-----> securityModeCommand
DL-DCCH-Message =
integrityCheckInfo = UL-DCCH-Message
messageAuthenticationCode = 01000111111001000001111101101001 <----- securityModeComplete
rrc-MessageSequenceNumber = 0 UL-DCCH-Message =
message = securityModeCommand = r3 = integrityCheckInfo =
securityModeCommand-r3 = messageAuthenticationCode = 10000000110110110111011001011001
rrc-TransactionIdentifier = 0 rrc-MessageSequenceNumber = 1
securityCapability = message = securityModeComplete =
cipheringAlgorithmCap = 0000000000000011 rrc-TransactionIdentifier = 0
integrityProtectionAlgorithmCap = 0000000000000010 ul-IntegProtActivationInfo =
cipheringModeInfo = rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber
cipheringModeCommand = startRestart = uea1 RRC-MessageSequenceNumber(1) = 0
rb-DL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfo RRC-MessageSequenceNumber(2) = 0
RB-ActivationTimeInfo(1) = RRC-MessageSequenceNumber(3) = 0
rb-Identity = 1 RRC-MessageSequenceNumber(4) = 0
rlc-SequenceNumber = 0 RRC-MessageSequenceNumber(5) = 0
RB-ActivationTimeInfo(2) = rb-UL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfo
rb-Identity = 2 RB-ActivationTimeInfo(1) =
rlc-SequenceNumber = 2 rb-Identity = 1
RB-ActivationTimeInfo(3) = rlc-SequenceNumber = 0
rb-Identity = 3 RB-ActivationTimeInfo(2) =
rlc-SequenceNumber = 3 rb-Identity = 2
RB-ActivationTimeInfo(4) = rlc-SequenceNumber = 8
rb-Identity = 4 RB-ActivationTimeInfo(3) =
rlc-SequenceNumber = 0 rb-Identity = 3
integrityProtectionModeInfo = rlc-SequenceNumber = 5
integrityProtectionModeCommand = startIntegrityProtection = RB-ActivationTimeInfo(4) =
integrityProtInitNumber = 00000000000000000000000000000000 rb-Identity = 4
integrityProtectionAlgorithm = uia1 rlc-SequenceNumber = 0
cn-DomainIdentity = ps-domain
ue-SystemSpecificSecurityCap = SEQUENCE OF InterRAT-UE-SecurityCapability
InterRAT-UE-SecurityCapability(1) = gsm =
gsmSecurityCapability = 0000011
Source: 3GPP Conformance Test 8.1.7.1c

©3G4G
Actual Security Procedure in UMTS - CS
Access Network (AN) Core Network (CN)

UE Node B RNC MSC/VLR

Authentication Request
Authentication Request
Authentication Request

Authentication Response (SRES)

Authentication Response (SRES)
Authentication Response (SRES)
Security Mode Command
Security Mode Command
Security Mode Command

Security Mode Complete

Security Mode Complete
Security Mode Complete

©3G4G
 UMTS Security for CS Domain on top of PS
domain - Authentication
DL-DCCH-Message
-----> downlinkDirectTransfer
DL-DCCH-Message = UL-DCCH-Message
integrityCheckInfo = <----- uplinkDirectTransfer
messageAuthenticationCode = 10001011101111001101101110110000 UL-DCCH-Message =
rrc-MessageSequenceNumber = 1 integrityCheckInfo =
message = downlinkDirectTransfer = r3 = messageAuthenticationCode = 00101110010111100100100101111011
downlinkDirectTransfer-r3 = rrc-MessageSequenceNumber = 3
rrc-TransactionIdentifier = 0 message = uplinkDirectTransfer =
cn-DomainIdentity = cs-domain cn-DomainIdentity = cs-domain
nas-Message = 051200D5770C6D363E30C364A4078F1BF8ED3A20106E323B36C46C5555D5760E6E323B6391 nas-Message = 0514D5760E6E210C323B36C46CAD0D8417F5E335

Authentication Request Authentication Response

-----> Authentication Request PDU: <----- Authentication Response PDU:
Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ]
Protocol Discriminator [4 bits] = 0x5 - Mobility Management [ 5 ]
Protocol Discriminator [4 bits] = 0x5 - Mobility Management [ 5 ]
Message Type [8 bits] = 0x12 - Authentication Request [ 18 ]
Spare Half Octet [4 bits] = 0x0 [ 0 ] Message Type [8 bits] = 0x14 - Authentication Response [ 20 ]
Ciphering Key Sequence Number Authentication Response Signature
Spare Bits [1 bit] = 0x0 [ 0 ] Value = 0xD5760E6E [ 3581283950 ]
Key Sequence [3 bits] = 0x0 - Ciphering Key Sequence Number [ 0 ] Authentication Response Parameter
Authentication Parameter Rand = 0xD5770C6D363E30C364A4078F1BF8ED3A IE Identifier [8 bits] = 0x21 [ 33 ]
Authentication Parameter AUTN IE Length [8 bits] = 0xC [ 12 ]
IE Identifier [8 bits] = 0x20 [ 32 ] value = 0x323B36C46CAD0D8417F5E335
IE Length [8 bits] = 0x10 [ 16 ]
value = 0x6E323B36C46C5555D5760E6E323B6391

Source: 3GPP Conformance Test 8.1.7.1c

©3G4G
 UMTS Security for CS Domain on top of PS
domain - Security
DL-DCCH-Message
-----> securityModeCommand
UL-DCCH-Message
DL-DCCH-Message =
integrityCheckInfo = <----- securityModeComplete
messageAuthenticationCode = 11000100010100111100000101111100 UL-DCCH-Message =
rrc-MessageSequenceNumber = 3 integrityCheckInfo =
message = securityModeCommand = r3 = messageAuthenticationCode = 01011001010010101011010110101100
securityModeCommand-r3 = rrc-MessageSequenceNumber = 3
rrc-TransactionIdentifier = 0 message = securityModeComplete =
securityCapability = rrc-TransactionIdentifier = 0
cipheringAlgorithmCap = 0000000000000011 ul-IntegProtActivationInfo =
integrityProtectionAlgorithmCap = 0000000000000010
rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber
cipheringModeInfo =
cipheringModeCommand = startRestart = uea1 RRC-MessageSequenceNumber(1) = 5
rb-DL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfo RRC-MessageSequenceNumber(2) = 1
RB-ActivationTimeInfo(1) = RRC-MessageSequenceNumber(3) = 3
rb-Identity = 1 RRC-MessageSequenceNumber(4) = 4
rlc-SequenceNumber = 0 RRC-MessageSequenceNumber(5) = 1
RB-ActivationTimeInfo(2) = rb-UL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfo
rb-Identity = 2 RB-ActivationTimeInfo(1) =
rlc-SequenceNumber = 11 rb-Identity = 1
RB-ActivationTimeInfo(3) =
rlc-SequenceNumber = 0
rb-Identity = 3
rlc-SequenceNumber = 8 RB-ActivationTimeInfo(2) =
RB-ActivationTimeInfo(4) = rb-Identity = 2
rb-Identity = 4 rlc-SequenceNumber = 11
rlc-SequenceNumber = 0 RB-ActivationTimeInfo(3) =
integrityProtectionModeInfo = rb-Identity = 3
integrityProtectionModeCommand = modify = rlc-SequenceNumber = 11
dl-IntegrityProtActivationInfo = RB-ActivationTimeInfo(4) =
rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber rb-Identity = 4
RRC-MessageSequenceNumber(1) = 0
rlc-SequenceNumber = 0
RRC-MessageSequenceNumber(2) = 0
RRC-MessageSequenceNumber(3) = 3
RRC-MessageSequenceNumber(4) = 2
RRC-MessageSequenceNumber(5) = 0
integrityProtectionAlgorithm = uia1 Source: 3GPP Conformance Test 8.1.7.1c
cn-DomainIdentity = cs-domain
ue-SystemSpecificSecurityCap = SEQUENCE OF InterRAT-UE-SecurityCapability
InterRAT-UE-SecurityCapability(1) = gsm =
gsmSecurityCapability = 0000011 ©3G4G
 UMTS Security for CS Domain on top of PS
domain – Voice Radio Bearers Setup
DL-DCCH-Message
-----> radioBearerSetup
DL-DCCH-Message = UL-DCCH-Message
integrityCheckInfo = <----- radioBearerSetupComplete
messageAuthenticationCode = 10100011001100001001101011010110 UL-DCCH-Message =
rrc-MessageSequenceNumber = 4 integrityCheckInfo =
message = radioBearerSetup = r3 = messageAuthenticationCode = 10101010000100111100011111001010
radioBearerSetup-r3 = rrc-MessageSequenceNumber = 4
rrc-TransactionIdentifier = 0 message = radioBearerSetupComplete =
activationTime = 184 rrc-TransactionIdentifier = 0
rrc-StateIndicator = cell-DCH start-Value = 00000000000000000010
rab-InformationSetupList = SEQUENCE OF RAB-InformationSetup count-C-ActivationTime = 168
RAB-InformationSetup(1) =
rab-Info =
rab-Identity = gsm-MAP-RAB-Identity = 00000001
cn-DomainIdentity = cs-domain
re-EstablishmentTimer = useT314
rb-InformationSetupList = SEQUENCE OF RB-InformationSetup
RB-InformationSetup(1) =
rb-Identity = 10
rlc-InfoChoice = rlc-Info =
ul-RLC-Mode = ul-TM-RLC-Mode =
segmentationIndication = FALSE
dl-RLC-Mode = dl-TM-RLC-Mode =
segmentationIndication = FALSE
rb-MappingInfo = SEQUENCE OF RB-MappingOption
RB-MappingOption(1) =
ul-LogicalChannelMappings = oneLogicalChannel =
ul-TransportChannelType = dch = 1
rlc-SizeList = configured = NULL
mac-LogicalChannelPriority = 6
dl-LogicalChannelMappingList = SEQUENCE OF DL-LogicalChannelMapping
DL-LogicalChannelMapping(1) = Source: 3GPP Conformance Test 8.1.7.1c
dl-TransportChannelType = dch = 6
RB-InformationSetup(2) =
rb-Identity = 11
… ©3G4G
 Security Architecture Evolution
AN – Access Network
AS – Access Stratum
RRC – Radio Resource Control
NAS – Non-Access Stratum Core
CP – Control Plane
UP – User Plane Network
MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC

Handset Authentication
GSM Ciphering (AN CP, UP)

Handset Authentication + Ciphering (AN CP, UP)

GPRS
Mutual Authentication
UMTS Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC) IPSec (Optional)

©3G4G
 Hacking The Femtocells - UMTS

More Info: Femto Hacking in UMTS and LTE

©3G4G
 Hacking The Femtocells - LTE

More Info: Femto Hacking in UMTS and LTE

©3G4G
 Key Hierarchy in LTE / E-UTRAN

K - Master key
CK - Cipher Key
IK - Integrity Key
KASME - Key-Access Security Management Entity
KNASenc - Key-NAS encryption
KNASint - Key-NAS integrity
KeNB - Key-eNodeB
NH - Next Hop
KUPint - Key-User Plane integrity
KUPenc - Key-User Plane encryption
KRRCint - Key-Radio Resource Control integrity
KRRCenc - Key-Radio Resource Control encryption

Picture Source: RedYoda 3GPP Spec Reference: TS 33.401

©3G4G
 EPS Authentication and Key Agreement (EPS-AKA)
procedure

AUTN - Authentication Token

RAND - A 128 bit random number
SQN - 48 bit sequence number
RES - Response
XRES - Expected Response
KDF - Key Derivation Function
KSI - Key Set Identifier
SN Id - Serving Network Id
K - Master key
CK - Cipher Key
IK - Integrity Key
KASME - Key-Access Security Management Entity

Picture Source: RedYoda 3GPP Spec Reference: TS 33.401

©3G4G
Actual Security Procedure in LTE
Access Network (AN) Core Network (CN)

UE eNodeB MME
Authentication Request
Authentication Request
Authentication Response (SRES)
Authentication Response (SRES)

Security Mode Command

NAS: Security Mode Command

NAS: Security Mode Complete

Security Mode Complete
RRC: Security Mode Command

RRC: Security Mode Complete

©3G4G
 LTE Security Signaling - Authentication
Authentication Request PDU
Security header type [4 bits] = 0x0 [ 0 ]
Protocol Discriminator [4 bits] = 0x7 [ 7 ]
Message Type [8 bits] = 0x52 - Authentication Request [ 82 ]
Spare Half Octet [4 bits] = 0x0 [ 0 ]
UL-DCCH-Message
NAS key set identifierASME
ulInformationTransfer
Type of security context flag [1 bit] = 0x0 [ 0 ]
UL-DCCH-Message =
ksi [3 bits] = 0x0 [ 0 ]
message = c1 = ulInformationTransfer =
Authentication Parameter Rand
criticalExtensions = c1 = ulInformationTransfer-r8 =
Authentication Parameter Rand = 0xA3DE0C6D363E30C364A4078F1BF8D577
dedicatedInformationType = dedicatedInfoNAS = 075308A3DF0E6E323B36C4
Authentication Parameter AUTN
480160EA61147BE1CDC64766D880
IE Length [8 bits] = 0x10 [ 16 ]
value = 0x6E323B36C46C5555A3DF0E6E323B6391
Authentication Response
075200A3DE0C6D363E30C364A4078F1BF8D577106E323B36C46C5555A3DF0E6E323B6391
Authentication Response PDU
DL-DCCH-Message
Security header type [4 bits] = 0x0 [ 0 ]
dlInformationTransfer
Protocol Discriminator [4 bits] = 0x7 [ 7 ]
DL-DCCH-Message =
Message Type [8 bits] = 0x53 - Authentication Response [ 83 ]
message = c1 = dlInformationTransfer =
Authentication response parameter
rrc-TransactionIdentifier = 0
IE Length [8 bits] = 0x8 [ 8 ]
criticalExtensions = c1 = dlInformationTransfer-r8 =
Authentication response parameter information = 0xA3DF0E6E323B36C4
dedicatedInfoType = dedicatedInfoNAS =
075200A3DE0C6D363E30C364A4078F1BF8D577106E323B36C46C5555A3DF0E6E323B6391
075308A3DF0E6E323B36C4
0801203A90051EF06369B1F1861B25203C78DFC6ABB8837191D9B62362AAAD1EF8737191DB1C88

Source: 3GPP Conformance Test 8.1.2.1

©3G4G
 LTE Security Signaling – NAS Security 1
Security Mode Command
Security Mode Command PDU
Continued…
Security Mode Command PDU
[1]Security header type [4 bits] = 0x0 [ 0 ] Security Protected NAS Message
Protocol Discriminator [4 bits] = 0x7 [ 7 ] Security Protected NAS Message PDU
Message Type [8 bits] = 0x5D - Security Mode Command [ 93 ]
Selected NAS security algorithms Security header type [4 bits] = 0x3 [ 3 ]
Spare Bits [1 bit] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x7 [ 7 ]
Type of ciphering algorithm [3 bits] = 0x0 [ 0 ] MAC = 0x0B4DAFA8 [ 189640616 ]
Spare Padding [1 bit] = 0x0 [ 0 ] Sequence Number = 0x00 [ 0 ]
Type of integrity protection algorithm [3 bits] = 0x1 [ 1 ] NAS message = 0x075D010002C0C0
Spare Half Octet [4 bits] = 0x0 [ 0 ]
NAS key set identifierASME 370B4DAFA800075D010002C0C0
Type of security context flag [1 bit] = 0x0 [ 0 ]
ksi [3 bits] = 0x0 [ 0 ] DL-DCCH-Message
Replayed UE security capabilities dlInformationTransfer
IE Length [8 bits] = 0x2 [ 2 ] DL-DCCH-Message =
eea0_128 [1 bit] = 0x1 [ 1 ] message = c1 = dlInformationTransfer =
eea1_128 [1 bit] = 0x1 [ 1 ] rrc-TransactionIdentifier = 0
eea2_128 [1 bit] = 0x0 [ 0 ] criticalExtensions = c1 = dlInformationTransfer-r8 =
eea3 [1 bit] = 0x0 [ 0 ] dedicatedInfoType = dedicatedInfoNAS = 370B4DAFA800075D010002C0C0
eea4 [1 bit] = 0x0 [ 0 ] 080069B85A6D7D40003AE80800160600
eea5 [1 bit] = 0x0 [ 0 ]
eea6 [1 bit] = 0x0 [ 0 ]
eea7 [1 bit] = 0x0 [ 0 ]
Spare Bits [1 bit] = 0x1 [ 1 ]
eia1_128 [1 bit] = 0x1 [ 1 ]
eia2_128 [1 bit] = 0x0 [ 0 ]
eia3 [1 bit] = 0x0 [ 0 ]
eia4 [1 bit] = 0x0 [ 0 ]
eia5 [1 bit] = 0x0 [ 0 ]
eia6 [1 bit] = 0x0 [ 0 ]
eia7 [1 bit] = 0x0 [ 0 ] Source: 3GPP Conformance Test 8.1.2.1
075D010002C0C0

©3G4G
 LTE Security Signaling – NAS Security 2
UL-DCCH-Message
ulInformationTransfer 3GPP TS 24.301 V10.10.0 (2013-03)
UL-DCCH-Message =
message = c1 = ulInformationTransfer = Security header type (octet 1)
criticalExtensions = c1 = ulInformationTransfer-r8 =
8 7 6 5
dedicatedInformationType = dedicatedInfoNAS = 4794E585C000075E
0 0 0 0 Plain NAS message, not security protected
480108F29CB0B80000EBC0
Security protected NAS message:
Security Protected NAS Message 0 0 0 1 Integrity protected
Security Protected NAS Message PDU 0 0 1 0 Integrity protected and ciphered
0 0 1 1 Integrity protected with new EPS security context (NOTE 1)
Security header type [4 bits] = 0x4 [ 4 ] 0 1 0 0 Integrity protected and ciphered with new EPS security context (NOTE 2)
Protocol Discriminator [4 bits] = 0x7 [ 7 ]
MAC = 0x94E585C0 [ 2498069952 ] Non-standard L3 message:
1 1 0 0 Security header for the SERVICE REQUEST message
Sequence Number = 0x00 [ 0 ]
NAS message = 0x075E [ 1886 ] 1 1 0 1 These values are not used in this version of the protocol.
to If received they shall be interpreted as '1100'. (NOTE 3)
4794E585C000075E 1 1 1 1

Security Mode Complete All other values are reserved.

Security Mode Complete PDU
NOTE 1: This codepoint may be used only for a SECURITY MODE COMMAND message.
Security header type [4 bits] = 0x0 [ 0 ] NOTE 2: This codepoint may be used only for a SECURITY MODE COMPLETE message.
NOTE 3: When bits 7 and 8 are set to '11', bits 5 and 6 can be used for future extensions of
Protocol Discriminator [4 bits] = 0x7 [ 7 ]
the SERVICE REQUEST message.
Message Type [8 bits] = 0x5E - Security Mode Complete [ 94 ]

075E Table 9.3.1: Security header type

Source: 3GPP Conformance Test 8.1.2.1

©3G4G
 LTE Security Signaling – RRC Security
DL-DCCH-Message
securityModeCommand
DL-DCCH-Message =
message = c1 = securityModeCommand =
rrc-TransactionIdentifier = 0
criticalExtensions = c1 = securityModeCommand-r8 =
securityConfigSMC =
securityAlgorithmConfig =
cipheringAlgorithm = eea0
integrityProtAlgorithm = eia1 PDCPDataIndPDU
300010
PLANE = 1 (Control)
SeqNum = 4
PDCPDataReqPDU Data Packet = 28 00 CC E1 31 D1
042800CCE131D1
PLANE = 1 (Control)
SeqNum = 3
Data Packet = 30 00 10 65 3E 8C... UL-DCCH-Message
03300010653E8C00 securityModeComplete
UL-DCCH-Message =
message = c1 = securityModeComplete =
rrc-TransactionIdentifier = 0
criticalExtensions = securityModeComplete-r8 =
2800

Source: 3GPP Conformance Test 8.1.2.1

©3G4G
 Mapped Security (Applicable for PS Only)
HLR/HSS/AuC
‘Native’ UTRAN to
‘Mapped’ E-UTRAN DATA

Logic

2G/3G LTE

1. Performs Authentication 1. No need for Authentication

2. Performs security 2. Map security keys from
previous Authentication

Handover
or
Cell Re-selection
©3G4G
 Mapped Security (Applicable for PS Only)
HLR/HSS/AuC
‘Native’ E-UTRAN to
DATA
‘Mapped’ UTRAN
Logic

2G/3G LTE

1. No need for Authentication 1. Performs Authentication

2. Map security keys from 2. Performs security
previous Authentication

Handover
or
Cell Re-selection More details

©3G4G
 Security Architecture Evolution
AN – Access Network
AS – Access Stratum
RRC – Radio Resource Control
NAS – Non-Access Stratum Core
CP – Control Plane
UP – User Plane Network
MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC

Handset Authentication
GSM Ciphering (AN CP, UP)

Handset Authentication + Ciphering (AN CP, UP)

GPRS
Mutual Authentication
UMTS Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC) IPSec (Optional)

Mutual Authentication
Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC) IPSec (Optional)
LTE
Ciphering (NAS) + Signalling Integrity (NAS)

©3G4G
 Summary of Algorithms for 2G, 3G & 4G
GSM GPRS UMTS LTE

Authentication GSM Milenage GSM Milenage Milenage Milenage

Algorithms TUAK TUAK

Integrity Algorithms UIA0 – NULL EIA0 – NULL

UIA1 – Kasumi EIA1 – Snow3G
UIA2 – Snow3G EIA2 – AES
EIA3 – ZUC
Ciphering A5/1 GEA3 UEA0 - NULL EEA0 – NULL
Algorithms A5/2 GEA4 UEA1 – Kasumi EEA1 – Snow3G
A5/3 UEA2 – Snow3G EEA2 – AES
A5/4 EEA3 – ZUC

GSM Milenage - 3GPP TS 55.205, Milenage - 3GPP TS 35.206, TUAK - 3GPP TS 35.231,
A5/3 & GEA3 - 3GPP TS 55.216, A5/4 & GE4 - 3GPP TS 55.226
For other specifications see GSMA Security Algorithms

©3G4G
 Further Reading Material
• 3GPP: Confidentiality Algorithms
• GSMA: Security Algorithms
• Netmanias
• LTE Security I: Concept and Authentication
• LTE Security II: NAS and AS Security
• 3G4G Website
• GSM, GPRS and EDGE
• 3G/UMTS Tutorials
• 3GPP LTE/SAE
• Security in Mobile Cellular Systems
• EventHelix:
• GSM, LTE, UMTS and IMS Call Flows
• LTE Security: Encryption and Integrity Protection Call Flows

©3G4G
 Hacking: Papers, Talks, Materials
• The SS7 flaws that allows hackers to snoop on your calls and SMS
• Video: LTE & IMSI Catcher Myths - by Ravishankar Borgaonkar & Altaf Shaik & N. Asokan
& Valtteri Niemi & Jean-Pierre Seifert
• Video: Understanding IMSI Privacy - By Ravishankar Borgaonkar and Swapnil Udar
• Video: Femtocells: A Poisonous Needle in the Operator's Hay Stack - Ravishankar
Borgaonkar, Kevin Redon and Nico Golde
• Breaking Band - reverse engineering and exploiting the shannon baseband
• Huawei: Security Advisory - UE Measurement Leak Vulnerability in Huawei P8 Phones
• LTE protocol exploits – IMSI catchers, blocking devices and location leaks - Roger Piqueras
Jover
• WiFi-Based IMSI Catcher
• ‘Small Cells’ and the City
• Long Term Exploitation: “Baseband security? 4Get about it.”

©3G4G
 3GPP Specifications
• 3GPP TS 33.102: 3G Security; Security architecture
• 3GPP TS 33.401: 3GPP System Architecture Evolution (SAE); Security architecture
• 3GPP TS 23.401: General Packet Radio Service (GPRS) enhancements for Evolved
Universal Terrestrial Radio Access Network (E-UTRAN) access
• 3GPP TS 36.323: E-UTRA; Packet Data Convergence Protocol (PDCP) specification
• 3GPP TS 25.331: UTRA RRC Protocol Specification
• 3GPP TS 36.331:E-UTRA RRC Protocol specification
• 3GPP TS 24.008: Mobile Radio Interface Layer 3 specification; Core Network
Protocols; Stage 3
• 3GPP TS 24.301: Non-Access-Stratum (NAS) protocol for Evolved Packet System
(EPS); Stage 3

©3G4G
 To learn more, visit:

3G4G Website – http://www.3g4g.co.uk/

3G4G Blog – http://blog.3g4g.co.uk/
3G4G Small Cells Blog – http://smallcells.3g4g.co.uk/
Thank You Operator Watch - http://operatorwatch.3g4g.co.uk/

Follow us on Twitter: https://twitter.com/3g4gUK

Follow us on Facebook: https://www.facebook.com/3g4gUK/
Follow us on Linkedin: https://www.linkedin.com/company/3g4g
Follow us on Slideshare: https://www.slideshare.net/3G4GLtd
Follow us on Youtube: https://www.youtube.com/3G4G5G
Follow us on Storify: https://storify.com/3g4gUK

©3G4G