LTE Security

Dan Forsberg, Poplatek Oy, Finland Dr. Dan Forsberg is currently a development manager at Poplatek Oy where he takes care of the payment terminals area and also works with payment card industry security. Earlier, Dan led the SAE/LTE security standardization work in Nokia. He was also nominated as one of the Nokia top inventors in 2007-2008. Dan started his Ph.D. studies while working in Nokia and has published several scientific papers in the area of "improving and distributing session key management for mobile networks". He joined Helsinki University of Technology in 2009 and finalized his PhD studies there before the end of 2009. Gunther Horn, Nokia Siemens Networks, Germany Dr Horn is a senior standardization expert at Nokia Siemens Networks. The focus of his work is on the standardization of 3G and SAE/LTE security in the 3GPPP security group (SA3), of which he has been a member since it started in 1999. Wolf-Dietrich Moeller, Nokia Siemens Networks, Germany Wolf-Dietrich Moeller is a senior researcher with Nokia Siemens Networks. Valtteri Niemi, University of Turku, Finland and Nokia Corporation, Finland Dr Niemi is a Professor of Mathematics in University of Turku, Finland and also a Nokia Fellow, for which role he is based at the Nokia Research Center in Helsinki, Finland. Prof. Niemi's work has been on security and privacy issues of future mobile networks and terminals, the main emphasis being on cryptological aspects. He participated in the 3GPP SA3 (security) standardization group from the beginning, and during 2003-2009 he was the chairman of the group.

Preface xiii Foreword to the First Edition xv Acknowledgements xix Copyright Acknowledgements xix 1 Overview of the Book 1 2 Background 5 2.1 Evolution of Cellular Systems 5 2.1.1 Third-Generation Network Architecture 6 2.1.2 Important Elements of the 3G Architecture 7 2.1.3 Functions and Protocols in the 3GPP System 8 2.1.4 The EPS System 9 2.2 Basic Security Concepts 10 2.2.1 Information Security 10 2.2.2 Design Principles 11 2.2.3 Communication Security Features 12 2.3 Basic Cryptographic Concepts 13 2.3.1 Cryptographic Functions 14 2.3.2 Securing Systems with Cryptographic Methods 16 2.3.3 Symmetric Encryption Methods 17 2.3.4 Hash Functions 18 2.3.5 Public-Key Cryptography and PKI 19 2.3.6 Cryptanalysis 20 2.4 Introduction to LTE Standardization 21 2.4.1 Working Procedures in 3GPP 22 2.5 Notes on Terminology and Specification Language 26 2.5.1 Terminology 26 2.5.2 Specification Language 27 3 GSM Security 29 3.1 Principles of GSM Security 29 3.2 The Role of the SIM 30 3.3 Mechanisms of GSM Security 31 3.3.1 Subscriber Authentication in GSM 32 3.3.2 GSM Encryption 32 3.3.3 GPRS Encryption 33 3.3.4 Subscriber Identity Confidentiality 34 3.4 GSM Cryptographic Algorithms 34 4 Third-Generation Security (UMTS) 37 4.1 Principles of Third-Generation (3G) Security 37 4.1.1 Elements of GSM Security Carried over to 3G 37 4.1.2 Weaknesses in GSM Security 38 4.1.3 Higher Level Objectives 39 4.2 Third-Generation Security Mechanisms 40 4.2.1 Authentication and Key Agreement 40 4.2.2 Ciphering Mechanism 45 4.2.3 Integrity Protection Mechanism 46 4.2.4 Identity Confidentiality Mechanism 48 4.3 Third-Generation Cryptographic Algorithms 49 4.3.1 KASUMI 50 4.3.2 UEA1 and UIA1 51 4.3.3 SNOW3G, UEA2 and UIA2 51 4.3.4 MILENAGE 54 4.3.5 Hash Functions 54 4.4 Interworking between GSM and 3G Security 55 4.4.1 Interworking Scenarios 55 4.4.2 Cases with SIM 56 4.4.3 Cases with USIM 57 4.4.4 Handovers between GSM and 3G 58 4.5 Network Domain Security 59 4.5.1 Generic Security Domain Framework 59 4.5.2 Security Mechanisms for NDS 62 4.5.3 Application of NDS 64 4.6 Architectures with RNCs in Exposed Locations 65 5 3G--WLAN Interworking 67 5.1 Principles of 3G--WLAN Interworking 67 5.1.1 The General Idea 67 5.1.2 The EAP Framework 69 5.1.3 Overview of EAP-AKA 72 5.2 Security Mechanisms of 3G--WLAN Interworking 75 5.2.1 Reference Model for 3G--WLAN Interworking 75 5.2.2 Security Mechanisms of WLAN Direct IP Access 76 5.2.3 Security Mechanisms of WLAN 3GPP IP Access 78 5.3 Cryptographic Algorithms for 3G--WLAN Interworking 81 6 EPS Security Architecture 83 6.1 Overview and Relevant Specifications 83 6.1.1 Need for Security Standardization 85 6.1.2 Relevant Nonsecurity Specifications 87 6.1.3 Security Specifications for EPS 88 6.2 Requirements and Features of EPS Security 89 6.2.1 Threats against EPS 90 6.2.2 EPS Security Features 91 6.2.3 How the Features Meet the Requirements 95 6.3 Design Decisions for EPS Security 97 6.4 Platform Security for Base Stations 103 6.4.1 General Security Considerations 103 6.4.2 Specification of Platform Security 103 6.4.3 Exposed Position and Threats 103 6.4.4 Security Requirements 104 7 EPS Authentication and Key Agreement 109 7.1 Identification 109 7.1.1 User Identity Confidentiality 110 7.1.2 Terminal Identity Confidentiality 111 7.2 The EPS Authentication and Key Agreement Procedure 112 7.2.1 Goals and Prerequisites of EPS AKA 112 7.2.2 Distribution of EPS Authentication Vectors from HSS to MME 114 7.2.3 Mutual Authentication and Establishment of a Shared Key between the Serving Network and the UE 118 7.2.4 Distribution of Authentication Data inside and between Serving Networks 122 7.3 Key Hierarchy 123 7.3.1 Key Derivations 124 7.3.2 Purpose of the Keys in the Hierarchy 125 7.3.3 Cryptographic Key Separation 127 7.3.4 Key Renewal 128 7.4 Security Contexts 129 7.4.1 EPS Security Context 129 7.4.2 EPS NAS Security Context 130 7.4.3 UE Security Capabilities 130 7.4.4 EPS AS Security Context 130 7.4.5 Native versus Mapped Contexts 130 7.4.6 Current versus Non-current Contexts 131 7.4.7 Key Identification 131 7.4.8 EPS Security Context Storage 131 7.4.9 EPS Security Context Transfer 132 8 EPS Protection for Signalling and User Data 133 8.1 Security Algorithms Negotiation 133 8.1.1 Mobility Management Entities 134 8.1.2 Base Stations 135 8.2 NAS Signalling Protection 136 8.2.1 NAS Security Mode Command Procedure 136 8.2.2 NAS Signalling Protection 137 8.3 AS Signalling and User Data Protection 138 8.3.1 AS Security Mode Command Procedure 138 8.3.2 RRC Signalling and User Plane Protection 138 8.3.3 RRC Connection Re-establishment 140 8.4 Security on Network Interfaces 141 8.4.1 Application of NDS to EPS 141 8.4.2 Security for Network Interfaces of Base Stations 142 8.5 Certificate Enrolment for Base Stations 143 8.5.1 Enrolment Scenario 143 8.5.2 Enrolment Principles 144 8.5.3 Enrolment Architecture 147 8.5.4 CMPv2 Protocol and Certificate Profiles 148 8.5.5 CMPv2 Transport 149 8.5.6 Example Enrolment Procedure 150 8.6 Emergency Call Handling 151 8.6.1 Emergency Calls with NAS and AS Security Contexts in Place 153 8.6.2 Emergency Calls without NAS and AS Security Contexts 153 8.6.3 Continuation of the Emergency Call When Authentication Fails 154 9 Security in Intra-LTE State Transitions and Mobility 155 9.1 Transitions to and from Registered State 156 9.1.1 Registration 156 9.1.2 Deregistration 156 9.2 Transitions between Idle and Connected States 157 9.2.1 Connection Initiation 158 9.2.2 Back to Idle State 158 9.3 Idle State Mobility 158 9.4 Handover 161 9.4.1 Handover Key Management Requirements Background 161 9.4.2 Handover Keying Mechanisms Background 162 9.4.3 LTE Key Handling in Handover 166 9.4.4 Multiple Target Cell Preparations 168 9.5 Key Change on the Fly 169 9.5.1 KeNB Rekeying 169 9.5.2 KeNB Refresh 169 9.5.3 NAS Key Rekeying 170 9.6 Periodic Local Authentication Procedure 170 9.7 Concurrent Run of Security Procedures 171 10 EPS Cryptographic Algorithms 175 10.1 Null Algorithms 176 10.2 Ciphering Algorithms 177 10.3 Integrity Algorithms 180 10.4 Key Derivation Algorithms 180 11 Interworking Security between EPS and Other Systems 183 11.1 Interworking with GSM and 3G Networks 183 11.1.1 Routing Area Update Procedure in UTRAN or GERAN 186 11.1.2 Tracking Area Update Procedure in EPS 187 11.1.3 Handover from EPS to 3G or GSM 190 11.1.4 Handover from 3G or GSM to EPS 191 11.2 Interworking with Non-3GPP Networks 193 11.2.1 Principles of Interworking with Non-3GPP Networks 193 11.2.2 Authentication and Key Agreement for Trusted Access 201 11.2.3 Authentication and Key Agreement for Untrusted Access 205 11.2.4 Security for Mobile IP Signalling 208 11.2.5 Mobility between 3GPP and Non-3GPP Access Networks 211 12 Security for Voice over LTE 215 12.1 Methods for Providing Voice over LTE 215 12.1.1 IMS over LTE 216 12.1.2 Circuit Switched Fallback (CSFB) 218 12.1.3 Single Radio Voice Call Continuity (SRVCC) 218 12.2 Security Mechanisms for Voice over LTE 220 12.2.1 Security for IMS over LTE 220 12.2.2 Security for Circuit Switched Fallback 228 12.2.3 Security for Single Radio Voice Call Continuity 228 12.3 Rich Communication Suite and Voice over LTE 230 13 Security for Home Base Station Deployment 233 13.1 Security Architecture, Threats and Requirements 234 13.1.1 Scenario 234 13.1.2 Threats and Risks 237 13.1.3 Requirements 239 13.1.4 Security Architecture 240 13.2 Security Features 241 13.2.1 Authentication 241 13.2.2 Local Security 243 13.2.3 Communications Security 244 13.2.4 Location Verification and Time Synchronization 244 13.3 Security Procedures Internal to the Home Base Station 244 13.3.1 Secure Boot and Device Integrity Check 245 13.3.2 Removal of Hosting Party Module 245 13.3.3 Loss of Backhaul Link 245 13.3.4 Secure Time Base 246 13.3.5 Handling of Internal Transient Data 246 13.4 Security Procedures between Home Base Station and Security Gateway 247 13.4.1 Device Integrity Validation 247 13.4.2 Device Authentication 247 13.4.3 IKEv2 and Certificate Profiling 250 13.4.4 Certificate Processing 253 13.4.5 Combined Device-Hosting Party Authentication 255 13.4.6 Authorization and Access Control 256 13.4.7 IPsec Tunnel Establishment 258 13.4.8 Verification of HeNB Identity and CSG Access 258 13.4.9 Time Synchronization 260 13.5 Security Aspects of Home Base Station Management 261 13.5.1 Management Architecture 261 13.5.2 Management and Provisioning during Manufacturing 264 13.5.3 Preparation for Operator-Specific Deployment 266 13.5.4 Relationships between HeNB Manufacturer and Operator 267 13.5.5 Security Management in Operator Network 267 13.5.6 Protection of Management Traffic 268 13.5.7 Software Download 270 13.5.8 Location Verification 272 13.6 Closed Subscriber Groups and Emergency Call Handling 275 13.6.1 UE Access Control to HeNBs 275 13.6.2 Emergency Calls 276 13.7 Support for Subscriber Mobility 277 13.7.1 Mobility Scenarios 277 13.7.2 Direct Interfaces between HeNBs 278 14 Relay Node Security 281 14.1 Overview of Relay Node Architecture 281 14.1.1 Basic Relay Node Architecture 281 14.1.2 Phases for Start-Up of Relay Nodes 283 14.2 Security Solution 284 14.2.1 Security Concepts 284 14.2.2 Security Procedures 288 14.2.3 Security on the Un Interface 290 14.2.4 USIM and Secure Channel Aspects 290 14.2.5 Enrolment Procedures 291 14.2.6 Handling of Subscription and Certificates 291 15 Security for Machine-Type Communications 293 15.1 Security for MTC at the Application Level 294 15.1.1 MTC Security Framework 295 15.1.2 Security (Kmr) Bootstrapping Options 298 15.1.3 Connection (Kmc) and Application-Level Security Association (Kma) Establishment Procedures 301 15.2 Security for MTC at the 3GPP Network Level 301 15.2.1 3GPP System Improvements for MTC 301 15.2.2 Security Related to 3GPP System Improvements for MTC 303 15.3 Security for MTC at the Credential Management Level 306 15.3.1 Trusted Platform in the Device 307 15.3.2 Embedded UICC 307 15.3.3 Remote Management of Credentials 308 16 Future Challenges 309 16.1 Near-Term Outlook 309 16.1.1 Security for Relay Node Architectures 309 16.1.2 Security for Interworking of 3GPP Networks and Fixed Broadband Networks 310 16.1.3 Security for Voice over LTE 310 16.1.4 Security for Machine-Type Communication 311 16.1.5 Security for Home Base Stations 311 16.1.6 New Cryptographic Algorithms 312 16.1.7 Public Warning System 313 16.1.8 Proximity Services 314 16.2 Far-Term Outlook 314 Abbreviations 319 References 327 Index 337