Present and future Standards for mobile internet

and smart phone information security

Presented by Alain Sultan for MIIT and TMC visit to ETSI - September 2012

ETSI 2012. All rights reserved

Mobile Internet and Smart Phone

Mobile Internet security: not addressed by 3GPP

Mobile IP refers to extensions of IP as to be able to
address mobility
But the system defined by 3GPP is mobile by nature, so
there is no need for these extensions
Smart Phone security: not addressed by 3GPP
3GPP defines Interfaces
The internal design of whatever system component
(Mobile, Node B, MSC, etc.) is up to each manufacturer
But Security is a major topic of 3GPP specifications,
from the first phase of GSM (2G) until the latest phase
of LTE (4G)
This is what this set of slides addresses
Standards for 2G/3G security
2G/3G Security Overview

Authentication

Encryption
2G/3G Authentication & Key Agreement
(AKA)

Authentication

Non-encrypted -> -> Non-encrypted

data data
Encryption
A5 algorithms

Contained in mobile devices and base stations

Confidentiality between handset and base station
Protect voice and data traffic over radio path
Versions of A5 available
A5/0: NULL
A5/1: original strong algorithm from 1986
=> broken in 2009!
A5/2: weakened algorithm to be used outside US/Europe
A5/3: KASUMI-based new algorithm
=> mandatory from 2007 (but taking long to be
deployed)
A5/4: A5/3 with longer key (128-bit)
Standards for LTE security
LTE Security

Characteristics of LTE Security

Re-use of UMTS Authentication and Key Agreement
(AKA)
Use of USIM required (GSM SIM excluded, but Rel-99
USIM is sufficient)
Extended key hierarchy
Possibility for longer keys
Greater protection for backhaul
Integrated interworking security for legacy and non-
3GPP networks
Authentication and key agreement (AKA)

HSS generates authentication data and provides it to MME

Challenge-response authentication and key agreement
procedure between MME and UE
SIM access to LTE is explicitly excluded (USIM R99 onwards allowed)
Confidentiality and integrity of
signaling

RRC signaling between UE and E-UTRAN

Encryption on PDCP layer
NAS signaling between UE and MME
User plane confidentiality

S1 protection is not UE-specific

(Enhanced) network domain security mechanisms
based on IPSec
Optional
Integrity protection not available
 LTE Authentication and Key Agreement

UE eNB MME AuC

NAS attach request (IMSI)
AUTH data
request (IMSI,
SN_id)
AUTH data response
(AV={AUTN, XRES, RAND,
NAS auth request (AUTN, RAND, Kasme})
KSIasme)
NAS auth response
(RES)
NAS SMC (confidentiality and
integrity algo)
NAS Security Mode
Complete
S1AP Initial Context
Setup
RRC SMC (confidentiality and integrity algo)
RRC Security Mode Complete
Indication of access network encryption

Indication of access network encryption

user is informed whether confidentiality of user data
is protected on the radio access link
in particular when non-ciphered calls are set-up
Security Algorithms
LTE Security Algorithms (1/2)

Three separate algorithms specified

In addition to one NULL algorithm
Current keylength 128 bits
Possibility to extend to 256 in the future
Confidentiality protection of NAS/AS signalling
recommended
Integrity protection of NAS/AS signalling mandatory
User data confidentiality protection recommended
Ciphering/Deciphering applied on PDCP and NAS
LTE Security Algorithms (2/2)

128-EEA1/EIA1
Based on SNOW 3G: stream cipher; keystream produced by Linear
Feedback Shift Register (LFSR) and a Finite State Machine (FSM)
Different from KASUMI as possible
Allows for low power consumption
128-EEA2/EIA2
AES block cipher
Counter (CTM) Mode for ciphering
CMAC Mode for MAC-I creation (integrity)
Different from SNOW 3G as possible, so cracking one would not affect
the other
KASUMI not re-used: eNB already supports AES as well as other non-3GPP
accesses, e.g. 802.11i
128-EEA3/EIA3 (Rel-11 onwards)
Based on ZUC (Zu Chongzhi): stream cipher
Developed by Data Assurance and Communication Security Research
Center of Chinese Academy of Sciences (DACAS)
Lawful Interception
Lawful Interception in 3GPP

Cost Political
Interception

Business Handover Legal

Retrieval Analysis

process
Relations
Storage
Lawful Interception in EPS

Context and mechanisms similar to case of UMTS PS

Different core entities (ICE, Intercepting Control Elements)
ADMF handles requests from Law Enforcement Authorities
target identity: IMSI, MSISDN and IMEI
X1 interface provisions ICEs and Delivery Functions
X2 delivers IRI (Intercept Related Information)
X3 delivers CC (Content of Communication)
HI1,2,3: Handover Interfaces with law enforcement
Convey requests for interception of targets (HI1)
Deliver IRI (HI2) and CC (HI3) to LEAs
EPS LI Architecture

X
2

X1_1 X X
X1_3 2 3
Delivery
ADMF Function 3
X1_2 Deliver
y
Functio Mediation
Mediation n2
Mediation Function
Function Function

HI1 HI HI3
2
LEMF
Additional slides for more info

More on LTE security

Backhaul Security
Relay Node Security
IMS authentication
Home (e) Node B security
Status of work at 3GPP on Security issues
Main 3GPP Security Standards
Conclusions

Security is a major point of interest from GSM

(2G) up to LTE (4G)
GSM/UMTS Security: continues to evolve,
recent introduction of A5/3 (planned before
attack on old A5/1 succeeded)
LTE Security: building on GSM and UMTS
Security with newer security algorithms, longer
keys, Extended key hierarchy
Security aspects taken into consideration each
time the system evolves (IMS, HNB, MTC, )
 Thank you!

Contact Details:
Alain.Sultan@etsi.org

Thank you!

23 ETSI 2012. All rights reserved

Deeper Key hierarchy in LTE

USIM / K
AuC
CK, IK
UE /
HSS KASME
UE /
ASME
KNASenc KNASint KeNB

UE / MME
KUPint KUPenc KRRCint KRRCenc

UE /
eNB
Faster handovers and key changes, independent of AKA
Added complexity in handling of security contexts
Security breaches local
Backhaul Security
Backhaul Security

Base stations becoming more powerful

LTE eNode B includes functions of NodeB and RNC
Coverage needs grow constantly
Infrastructure sharing

Not always possible to trust physical security of eNB

Greater backhaul link protection necessary
Certificate Enrollment
for Base Stations

Operator root
certificate
RA/CA SEG pre-installed.

Vendor root certificate Enrolled base station

IPse
pre-installed. CMPv certificate is used in
c
2 IKE/IPsec.

Vendor-signed certificate
base of base station public
base station obtains operator-
station key
signed certificate on its own public
key from RA/CA using CMPv2. pre-installed.

Picture from 3GPP TS 33.310

Relay Node Security
Relay Node Authentication

Mutual authentication between Relay Node and network

AKA used (RN attach)
credentials stored on UICC
Binding of Relay Node and USIM:
Based on symmetric pre-shared keys, or
Based on certificates

Radio Radio Backhaul Core

UE Relay Donor
eNB NW
Relay Node Security

Control plane traffic integrity protected

User plane traffic optionally integrity protected
Relay Node and network connection confidentiality
protected
Device integrity check
Secure environment for storing and processing sensitive
data
IP Multimedia Subsystem (IMS)
Security
 More detailed view of IMS (2/2)
Home Subscriber Media Resource
Server Function Controller
Centralized DB Application Pooling of Media
HLR successor Servers servers
Domain Push-to-talk
User profile
Name Filter criteria (sent to S- Instant
Server CSCF) messaging Media Gateway
Which applications Telephony AS and MG Control
IP CAN Which conditions 3rd
rd party
Function
SIP Home Interfaces to
Access
Access DNS
DNS AS
AS PSTN/PLMN MGCF:
MGCF:
HSS
HSS
AS
AS
AS
AS Network SIP
RTP ENUM
ENUM ISUP/BICC
SIP ISUP/BICC
SIP Diameter controls
controls the
the MGW
MGW
RTP
SIP (H.248)
(H.248)
Backbone MGW:
MGW:
Backbone P-
P- SIP I-
I- SIP S-
S- SIP MRFC
MRFC
Packet IP
IP transport
transport e.g.
e.g.
Packet CSCF
CSCF CSCF
CSCF CSCF
CSCF
SIP TDM
TDM
Own/Visited Network
Network MRF
MRF MRF
MRF
transcoding
SIP SIP P
P P
P transcoding e.g.
e.g. AMR
AMR
Network SIP G.711
G.711
SIP Tones/Announcements
Tones/Announcements
Call Session BGCF
BGCF MGCF
MGCF
ISUP
Control
Function H.248 SS7
SS7
SIP PSTN
PSTN
RTP TDM
registration MGW
MGW
SIP session
setup Serving CSCF
Proxy CSCF
Proxy CSCF
1 contact point for
st
st Register
UE Session control
QoS Application
Interrogating CSCF Interface
Routes to I-CSCF
Entry point for incoming calls Breakout Gateway Control
- Charging Records - IMS User
Determines S-CSCF for
- Lawful Interception Authentication Function
Subscribers
- SIP Header Comp - Loads IMS User Selects network (MGCF or other
Hides network topology
Profiles BGCF)
 Flow for IMS Registration
UE GGSN P-CSCF I-CSCF S-CSCF AS HSS

1. Register (no Integrity Key (IK), no Confidentiality Key (CK), no RES)

2. Register (integrity-protected=no, no RES)
(find appropriate S-CSCF)
3. Register (integrity-protected=no, no RES)
4. Retrieval of Authentication Vector(s) for that PrivateID
5. RAND, AUTN, IK(HSS), CK (HSS), RES(HSS)
6. 401 non authorized (RAND, AUTN, IK(HSS), CK (HSS))
7. 401 non authorized (RAND, AUTN)

UE computes IK(UE), CK(UE) from AUTN and RES(UE) from RAND

8. Register (IK(UE), CK (UE), RES(UE))

P-CSCF compares IK(UE) and CK(UE) with IK(HSS) and CK(HSS).

If identical, then integrity-protected=yes
9. Register (integrity-protected=yes, RES(UE))

I-CSCF compares RES(UE) with RES(HSS).

If not identical, then registration failure

10. Update HSS

11. Update S-CSCF (User Profile: subscribed services, user pref., etc)
12. 200 OK
13. 200 OK
Home (e) Node B security
(out of scope for security)
Datamodel cooperation with BBF

RAN3 FF

Produced stage 1,2,3

1. Influenced the data model

Flat list of radio parameters SA5 Based on SA5 requirements
2. Derived info model (semantics)
time

Based on RAN3, FF input+

Broadband Forum Datamodel
SA5 input (late in the process)

ref. S5-091892, S5-092661

Threats

countermeasures
in Technical
Report 33.820
Examples
cloning of credentials
physical tampering
fraudulent software updates
man-in-the-middle attacks
Denial of service against core network
Eavesdropping (identity theft, privacy breaches,
)
Home (e)NB Security architecture (1/2)

Operators AAA
core Server/HSS
network
UE H(e)NB unsecure SeGW
link H(e)NB GW

H(e)MS
H(e)MS

Security Gateway (SeGW)

element at the edge of the core network terminating security
association(s) for backhaul link between H(e)NB and core network
H(e)MS Home (e) NodeB Management System
management server that configures the H(e)NB according to the
operators policy, instals software updates on the H(e)NB
Hosting Party Module (HPM)
physical entity distinct from the H(e)NB physical equipment, dedicated
to the identification and authentication of the Hosting Party towards the
MNO
Trusted Environment (TrE)
logical entity which provides a trustworthy environment for the
execution of sensitive functions and the storage of sensitive data
Home (e)NB Security architecture (2/2)

Operators AAA
core Server/HSS
network
UE H(e)NB unsecure SeGW
link H(e)NB GW

H(e)MS
H(e)MS

Air interface between UE and H(e)NB backwards compatible

with UTRAN
H(e)NB access operators core network via a Security
Gateway (SeGW)
Backhaul between H(e)NB and SeGW may be unsecure
Security tunnel established between H(e)NB and SeGW
to protect information transmitted in backhaul link
H(e)NB Authentication

Two separate concepts of authentication:

Mutual authentication of H(e)NB and operator (SeGW)
(mandatory)
Certificate based
Credentials stored in TrE in H(e)NB
Authentication of hosting party by operators network
(optional)
EAP-AKA based
credentials contained in separate Hosting Party Module (HPM)
in H(e)NB
bundled with the device authentication (one step)
Backhaul link protection
IPSec, IKEv2, based on H(e)NB/SeGW authentication
Other security mechanisms for H(e)NB

Device Integrity Check

AV, SAV, Hybrid,
Location Locking
IP address based
Macro-cell/UE reporting based
(A)GPS based
Combination of the above
Access Control Mechanism
ACL for Pre-R8 UE accessing HNB
CSG for H(e)NB
Clock Synchronization
Based on backhaul link between H(e)NB and SeGW
Based on security protocol of clock synchronization
protocol
H(e)NB security in the real world

location locking does NOT seem to work

in current commercial trials
HNBs operating from different countries
No roaming charges
algorithm licensing is an issue
customers do not sign any agreement for use of COTS HNBs
Lawful Interception
currently would not work in LIPA
would not work between CSG MSs camping on the same HNB
rogue HNB roaming
Status of work at 3GPP on Security
issues
Recently completed security activities at
3GPP (Rel-11)
Recently completed security activities at
3GPP (Rel-10)
Ongoing security activities at 3GPP
Main 3GPP Security Standards
Main 3GPP Security Standards

UMTS Security:
33.102 Security Architecture.
33.105. 3GPP Cryptographic Algorithm Requirements.
35.201. f8 and f9 Specification.
35.202. KASUMI Specification.
IMS Security:
23.228 IMS Architecture.
LTE Security:
33.401 System Architecture Evolution (SAE); Security architecture
33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP
Lawful Interception:
33.106 Lawful interception requirements
33.107 Lawful interception architecture and functions
33.108 Handover interface for Lawful Interception
Key Derivation Function:
33.220 GAA: Generic Bootstrapping Architecture (GBA)
Backhaul Security:
33.310 Network Domain Security (NDS); Authentication Framework (AF)
Relay Node Security
33.816 Feasibility study on LTE relay node security (also 33.401)
Home (e) Node B Security:
33.320 Home (evolved) Node B Security

All documents available for free at: ftp://ftp.3gpp.org/specs