Long Term Evolution and its security infrastructure

Fataneh Safavieh Mobile security Seminar,Bit,07.02.2011

Outline

Introduction: some history &background What is LTE? LTE-SAE Security: some highlights Home(e)Node B Security

Introduction:
some history & background

Mobile Evolution
Improvements in mobile communication technology during the last two decades The Mobile Broadband is as important as Internt

http://www.nsma.org/conf2008/Presentation/2-1045-Miyahara-LTE_Overview_NMSA%2021March08_final.pdf

User Expectations
Highly desire of broadband acces everywhere
1. Home, Office 2. Train, Aeroplane, Canteen, during the Breake

Ubiquity (anywhere, anytime) Higher voice quality Higher speed Lower prices Multitude of services
5

http://www.nsma.org/conf2008/Presentation/2-1045-Miyahara-LTE_Overview_NMSA%2021March08_final.pdf

3GPP
The 3rd generation partnership project A global partnership of six SDOs:
1. 2. 3. 4. 5. Europe USA China Japan Korea ETSI ATIS CCSA ARIB & TTC TTA
6

LTE The UMTS Long Term Evolution - Sesia, Toufik, Baker

What is LTE?

What is LTE?
The latest standard in the mobile network technology tree A project of 3GPP & mainly built on 3GPP cellular systems family May be referred as E-UTRA & E-UTRAN Has advanced new radio interface Circuit switched networksall-IP networks Broadband connectivity on the move 100Mbps(DL), 50Mbps(UL), ~10 ms Latency
8

UMTS and LTE architecture

Extract from Towards Global Mobile Broadband A White Paper from the UMTS Forum

LTE key features

High Spectral Efficiency more customers, less
costs

Co-existence with other standards Flexible radio planning (cell size of 5km30/100km) Reduced Latency less RTT, multi-player gaming,
audio/video conferencing

Reduced costs for operators (OPEX & CAPEX) Increased data rates via enhanced air interface
(OFDMA,SC-FDMA,MIMO) All-IP environment SAE or EPC
key advantages of SAE
10

LTE-SAE Security:
some highlights

11

Security in the LTE-SAE Network

Security features in the network (from TS 33.401- Fig.4-1)

12

Security features in the LTE-SAE Network

Five security feature groups defined in TS 33.401 (I): Network access security
provides users with secure access to services protects against attacks on the access interface

(II): Network domain security

enables nodes to exchange signaling- & user- data securely protects against attacks on the wire line network

(III): User domain security

Provides secure access to mobile stations

(IV): Application domain security

enables applications in the user & provider domains to exchnage messages securely

(V): Visibility and configurability of security

allows the users to learn whether a security feature is in operation
13

Authentication & key agreement

HSS generates authentication data and provides it to MME Challenge-response authentication and key agreement procedure between MME and UE
4th ETSI Security Workshop - Sophia-Antipolis , 13-14 January 2009
15

Confidentiality & integrity of signaling

RRC signaling between UE and E-UTRAN NAS signaling between UE and MME S1 interface signaling
protection is not UE-specific optional to use 4th ETSI Security Workshop - Sophia- Antipolis,13-14 January 2009
16

User plane confidentiality

S1-U protection is not UE-specific

(Enhanced) network domain security mechanisms (based on IPsec) Optional to use

Integrity is not protected for various reasons, e.g.:

performance limited protection for application layer
4th ETSI Security Workshop - Sophia- Antipolis, 13-14 January 2009
17

Cryptographic network separation

Key hierarchy (TS 33.401 - Figure 6.2-1)

18

Cryptographic network separation

Authentication vectors are specific to the serving network

AVs usable in UTRAN/GERAN cannot be used in

EPS AVs usable for UTRAN/GERAN access cannot be used for EUTRAN access Solution by a separation bit

Rel-99 USIM is still sufficient for EPS access ME has to check the separation bit (when
accessing E-UTRAN)
4th ETSI Security Workshop - Sophia-Antipolis , 13-14 January 2009
19

Home (e) Node B Security

21

System architecture of H(e)NB

UE HNB insecure link SeGW

Operators core network

E-UTRAN air interface between UE and HeNB HeNB accesses operators core network via a Security Gateway The backhaul between HeNB and SeGW may be insecure Operators core network performs mutual authentication with HeNB via SeGW Security tunnel between HeNB and SeGW to protect information transmitted in backhaul link
22

Figure from draft TR 33.820

Common threats to H(e)NB

1. Physical tampering with H(e)NB 2. Fraudulent software update / configuration changes 3. Denial of service attacks against core network 4. Eavesdropping of the other users UTRAN or E-UTRAN user data 5. User cloning the H(e)NB authentication Token

From TR 33.820
23

Security requirements to H(e)NB

1. 2. Unprotected data should never leave a secure domain inside H(e)NB Software updates and configuration changes for the H(e)NB shall be cryptographically signed (by operator or H(e)NB supplier) and verified configuration changes shall be authorized by H(e)NB operator or supplier Unauthenticated traffic shall be filtered out on the links between the core network and the H(e)NB New users should be required to explicitly confirm their acceptance before being joined to an H(e)NB H(e)NB authentication credentials shall be stored inside a secure domain i.e. from which outsider cannot retrieve or clone the credentials
From TR 33.820
24

3.
4.

5.

References and Resources

25

References and Resources

A Long Term Evolution Downlink inspired channel simulator using the SUI 3Channel Model, Thesis of Sanjay Kumar Sarkar, August 2009 LTE The UMTS Long Term EvolutionSesia, Toufik, Baker (WILEY Publication) 2009 http://www.nsma.org/conf2008/Presentation/2-1045MiyaharaLTE_Overview_NMSA%2021March08_final.pdf Towards Global Mobile Broadband A White Paper from the UMTS Forum, February 2008 TS 33.401
26

References and Resources

4th ETSI Security Workshop- Sophia-Antipolis , 13-14 January 2009 TR 33.820 A Survey of Security Threats on 4G Networks, Yongsuk Park and Taejoon Park Security in the LTE-SAE Network, www.agilent.com/find/lte www.3gpp.org www.radio-electronics.com

http://sites.google.com/site/lteencyclopedia
27

Thank
You For Your

Attention!
28