Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Geir M. Kien
Dept. of Engineering and Technology
University of Agder, Norway
Email: geir.koien@uia.no
I. I NTRODUCTION
In this paper we outline the LTE system architecture and associated Authentication and Key Agreement (AKA) protocol.
The protocol, known as EPS-AKA, is based on its predecessor
the UMTS AKA protocol, which again was based on the GSM
AKA protocol, which dates back to the late 1980ies. Within
3GPP the acronym EPS (Evolved Packet System) is sometimes
used in place of LTE. Backwards compatibility is an important
factor in getting acceptance, but it may also hinder progress
and limit the design freedom. Thus, there are issues with the
EPS-AKA protocol, like lack of online authentication, which
can be traced back to its evolved history. In this paper we
propose a slightly modified version of the EPS-AKA protocol
which provides online authentication and true mutual entity
authentication, while still only requiring minor modifications
to the access security architecture.
II. T HE LTE/EPS S YSTEM A RCHITECTURE
In this section we briefly outline the LTE/EPS system
architecture [1]. The security architecture is defined in [2].
A. Overview of the System Architecture
The principal parties are the Home Public Land Mobile
Network (HPLMN), the Visited Public Land Mobile Network
(VPLMN) and the user/subscriber. The user is represented
by the user equipment (UE), which consists of the mobile
equipment (ME) and the subscriber module (UICC/USIM).
Figure 1 depicts the LTE system architecture for a roaming
subscriber, with routing of user data towards the HPLMN.
Figure 2 outlines the LTE radio access network (E-UTRAN).
B. Nodes Participating in the EPS-AKA Protocol
1) Home Subscriber Server (HSS): The HSS is the central
subscriber database at the home network (HPLMN). The
authentication credentials in LTE are called the EPS Authentication Vector (EPS-AV). The HSS forwards the EPS-AV
Fig. 1.
towards the MME during the AV-forwarding part of the EPSAKA protocol.
2) Mobility Management Entity (MME): The MME is
located in the visited network (VPLMN). It is the network
termination for the challenge-response part of the EPS-AKA
protocol. The MME is the host for the Access Security
Management Entity (ASME), which handles access security.
In practice one tend only to refer to MME when one means
MME and/or ASME. The outcome of a successful EPS-AKA
run is the EPS Security Context, which is the main
security context for a roaming subscriber. Security for system
signaling between MME/ASME and the UE is covered by the
NAS Security Context.
3) eNodeB (eNB): The eNB is the radio access point in
LTE and it belongs to the visited network (VPLMN). The
eNB is an active party in LTE access security, and is the
network termination of the AS Security Context. This
security context contains session keys (data integrity/data confidentiality) for protection of the over-the-air interface (LTEUu). The eNB may protect communications within E-UTRAN
(X2-interface) and towards the core network (S1-U interface),
but this is optional and left for the operators to decide.
4) The Subscription Module (UICC/USIM):
The
UICC/USIM is required for access to E-UTRAN. The
aging GSM SIM smart-card was permitted for access
to UTRAN/UMTS for backwards compatibility reasons.
However, the GSM SIM is limited to GSM security and a
689
M M E
M M E
S -G W
H S S
A u t h e n t ic a t io n d a t a r e q u e s t ( I M S I , S N I d e n t it y , N e t w o r k T y p e )
S 1 -U
S 1 -M M E
A u t h e n t ic a t io n d a t a r e s p o n s e ( E P S - A u t h e n t ic a t io n V e c t o r ( s ) )
e N B
X 2
E -U T R A N
X 2
e N B
Fig. 3.
X 2
e N B
L T
E U
u
W e lc o m e to th e
w o r ld o f L T E
U E
Fig. 2.
single 64-bit cipher key (Kc). For use in UMTS one had
to convert the 64-bit key (Kc) into the two 128-bit keys
(CK, IK). Cryptographically, this is nonsense. The GSM
SIM is thus not allowed for access to E-UTRAN.
5) Mobile Equipment: In UMTS the ME was only responsible for the over-the-air encryption. In LTE the ME is also
responsible for deriving the key hierarchy based on the output
from the UMTS AKA part of the EPS-AKA protocol.
III. T HE EPS-AKA P ROTOCOL
The authentication part of the EPS-AKA protocol is based
directly on the authentication part of UMTS AKA. The
challenge-response procedure is executed between the UE and
the MME and the forwarding of authentications credentials is
done from the HSS to the MME (S6a interface).
A. Authentication in UMTS
The UMTS AKA protocol is specified in TS 33.102 [4]. The
UMTS AKA is a delegated protocol in which the home network delegates authentication authority to the visited network.
The home network is off-line with respect to the challengeresponse part of the protocol. The challenge-response procedure is a one-pass protocol and relies on a sequence number
scheme to provide mutual authentication. Therefore it can only
verifies that the challenge is authentic and that the sequence
number is current. The outcome of UMTS AKA includes the
two 128 bit wide session keys CK and IK. Rekeying in
UMTS requires the UMTS AKA protocol to be re-run.
Fig. 4.
U E
U s e r a u t h e n t ic a t io n r e q u e s t ( R A N D , A U T N , K S I
A S M E
U s e r a u t h e n t ic a t io n r e s p o n s e ( R E S )
U s e r a u t h e n t ic a t io n r e je c t ( C A U S E )
Fig. 5.
EPS Authentication
690
U I C C /U S I M
a n d H S S
(N A S
M E a n d H S S
(E P S S e c u r ity C o n te x t)
M E a n d M M E
S e c u r ity C o n te x t)
C K , I K
K
P re -sh a re d
a u th e n b tic a tio n
se c re t
P ro d u c e d b y
" U M T S A K A "
p a rt
P ro d u c e d b y
S 1 0 k e y d e riv a tio n
R R C i n t
R R C e n c
U P e n c
e N B
P ro d u c e d b y
S 1 1 k e y d e riv a tio n
(a ls o S 1 2 a n d S 1 3 )
Fig. 6.
N A S e n c
M E a n d e N o d e B
(A S S e c u r ity C o n te x t)
A S M E
N A S i n t
E. Security Context
There are three types of native EPS security contexts. The
main context is the EPS Security Context, which is the
outcome of successful EPS-AKA execution.
(1)
The key is the (CK, IK) output from the USIM and the
SQN AK element is the sequence number masked with an
anonymity key (AK). The N etworkId is the network identity
(PLMN-ID) of the MME. The NAS Security Context
keys are derived in similar fashion, with the KASM E as the
input key.
The handling of the AS Security Context and the
way one refresh/chain this context is fairly complicated. The
initial version of the AS Security Context is created
when the UE goes into connected state, and it is based on
KASM E and NAS protocol context data. The AS Security
Context can be chained and this happens whenever there is
a handover (HO) event. The outcome of a chaining event (HO
event) is that a new KeN B root key is generated and that all
dependent keys are freshly derived.
Given that we focus of improvements to the authentication
part of the EPS-AKA protocol we shall refrain from further
discussion of the EPS key hierarchy and the key derivations.
691
692
4)
5)
6)
Code:
0XXX
1000
1001
Protocol ID:
UMTS AKA
EPS-AKA
EAKA
Comment:
The standard UMTS AKA protocol
The standard EPS-AKA protocol
The EAKA protocol described here
7)
2) The EAV: The authentication vector has been partially redefined for EAKA. The AU T N.M ACA field
has been replaced with the response field AU T N.RESU E .
The AU T N.SQN is replaced with a context identity
AU T N.CID, which is supplied by the MME/ASME. The
purpose of CID is to provide the MME/ASME with an index
to the EPS Security Context. The minimum size of
(RES) has been increased to 64 bit (from 32). The EAV, see
Fig. 7, is otherwise identical to the EPS-AV.
Enhanced Authentication Vector = {
RAND :
128 bit; Random challenge (from HSS)
RES :64-128 bit; Expected Response
Kasme:
256 bit; EPS security context master key
AUTN :
128 bit; Modified AUTN {
CID
: 48 bit; MME/ASME EPS Context Identity
AMF
: 16 bit; Auth.mngt. field(w/4 bit PI block)
RESue : 64 bit; Response to the ESIM challenge
Fig. 7.
693
694