Long Term Evolution
Download
Report
Transcript Long Term Evolution
Long Term Evolution
and
its security infrastructure
Fataneh Safavieh
Mobile security Seminar,Bit,07.02.2011
Outline
Introduction: some history &background
What is LTE?
LTE-SAE Security: some highlights
Home(e)Node B Security
2
Introduction:
some history & background
3
Mobile Evolution
Improvements in mobile communication
technology during the last two decades
The Mobile Broadband is as important as Internt
http://www.nsma.org/conf2008/Presentation/2-1045-Miyahara-LTE_Overview_NMSA%2021March08_final.pdf
4
User Expectations
Highly desire of broadband acces everywhere
1. Home, Office
2. Train, Aeroplane, Canteen, during the Breake
Ubiquity (anywhere, anytime)
Higher voice quality
Higher speed
Lower prices
Multitude of services
http://www.nsma.org/conf2008/Presentation/2-1045-Miyahara-LTE_Overview_NMSA%2021March08_final.pdf
5
3GPP
The 3rd generation partnership project
A global partnership of six SDOs:
1.
2.
3.
4.
5.
Europe
USA
China
Japan
Korea
ETSI
ATIS
CCSA
ARIB & TTC
TTA
LTE The UMTS Long Term Evolution - Sesia, Toufik, Baker
6
What is LTE?
7
What is LTE?
The latest standard in the mobile network
technology tree
A project of 3GPP & mainly built on 3GPP
cellular systems´ family
May be referred as E-UTRA & E-UTRAN
Has advanced new radio interface
Circuit switched networksall-IP networks
Broadband connectivity on the move
100Mbps(DL), 50Mbps(UL), ~10 ms Latency
8
UMTS and LTE architecture
Extract from ”Towards Global Mobile Broadband”
A White Paper from the UMTS Forum
9
LTE key features
High Spectral Efficiency more customers, less
costs
Co-existence with other standards
Flexible radio planning (cell size of 5km30/100km)
Reduced Latency less RTT, multi-player gaming,
audio/video conferencing
Reduced costs for operators (OPEX & CAPEX)
Increased data rates via enhanced air interface
(OFDMA,SC-FDMA,MIMO)
All-IP environment SAE or EPC
key advantages of SAE
10
LTE-SAE Security:
some highlights
11
Security in the LTE-SAE Network
Security features in the network (from TS 33.401- Fig.4-1)
12
Security features in the LTE-SAE
Network
Five security feature groups defined in TS 33.401
(I): Network access security
provides users with secure access to services
protects against attacks on the access interface
(II): Network domain security
enables nodes to exchange signaling- & user- data securely
protects against attacks on the wire line network
(III): User domain security
Provides secure access to mobile stations
(IV): Application domain security
enables applications in the user & provider domains to exchnage messages
securely
(V): Visibility and configurability of security
allows the users to learn whether a security feature is in operation
13
Authentication & key agreement
HSS generates authentication data and provides it to
MME
Challenge-response authentication and key agreement
procedure between MME and UE
4th ETSI Security Workshop - Sophia-Antipolis , 13-14 January 2009
15
Confidentiality & integrity of
signaling
RRC signaling between UE and E-UTRAN
NAS signaling between UE and MME
S1 interface signaling
protection is not UE-specific
optional to use
4th ETSI Security Workshop - Sophia- Antipolis,13-14 January 2009
16
User plane confidentiality
S1-U protection is not UE-specific
(Enhanced) network domain security mechanisms (based on IPsec)
Optional to use
Integrity is not protected for various reasons, e.g.:
performance
limited protection for application layer
4th ETSI Security Workshop - Sophia- Antipolis, 13-14 January 2009
17
Cryptographic network separation
Key hierarchy (TS 33.401 - Figure 6.2-1)
18
Cryptographic network separation
Authentication vectors are specific to the serving network
AV’s usable in UTRAN/GERAN cannot be used in
EPS
AV’s usable for UTRAN/GERAN access cannot be used
for EUTRAN access
Solution by a “separation bit”
Rel-99 USIM is still sufficient for EPS access
ME has to check the “separation bit” (when
accessing E-UTRAN)
4th ETSI Security Workshop - Sophia-Antipolis , 13-14 January 2009
19
Home (e) Node B Security
21
System architecture of H(e)NB
UE
HNB
insecure
link
SeGW
Operator’s
core
network
E-UTRAN air interface between UE and HeNB
HeNB accesses operator’s core network via a Security Gateway
The backhaul between HeNB and SeGW may be insecure
Operator’s core network performs mutual authentication with HeNB
via SeGW
Security tunnel between HeNB and SeGW to protect information
transmitted in backhaul link
Figure from draft TR 33.820
22
Common threats to H(e)NB
1. Physical tampering with H(e)NB
2. Fraudulent software update / configuration
changes
3. Denial of service attacks against core network
4. Eavesdropping of the other user’s UTRAN or
E-UTRAN user data
5. User cloning the H(e)NB authentication Token
From TR 33.820
23
Security requirements to H(e)NB
1.
2.
3.
4.
5.
Unprotected data should never leave a secure domain inside
H(e)NB
Software updates and configuration changes for the H(e)NB shall
be cryptographically signed (by operator or H(e)NB supplier) and
verified configuration changes shall be authorized by H(e)NB
operator or supplier
Unauthenticated traffic shall be filtered out on the links between
the core network and the H(e)NB
New users should be required to explicitly confirm their
acceptance before being joined to an H(e)NB
H(e)NB authentication credentials shall be stored inside a secure
domain i.e. from which outsider cannot retrieve or clone the
credentials
From TR 33.820
24
References and Resources
25
References and Resources
A Long Term Evolution Downlink inspired channel
simulator using the SUI 3Channel Model, Thesis of
Sanjay Kumar Sarkar, August 2009
LTE The UMTS Long Term EvolutionSesia, Toufik, Baker (WILEY Publication) 2009
http://www.nsma.org/conf2008/Presentation/2-1045MiyaharaLTE_Overview_NMSA%2021March08_final.pdf
Towards Global Mobile Broadband” A White Paper
from the UMTS Forum, February 2008
TS 33.401
26
References and Resources
4th ETSI Security Workshop- Sophia-Antipolis ,
13-14 January 2009
TR 33.820
A Survey of Security Threats on 4G Networks,
Yongsuk Park and Taejoon Park
Security in the LTE-SAE Network,
www.agilent.com/find/lte
www.3gpp.org
www.radio-electronics.com
http://sites.google.com/site/lteencyclopedia
27
Thank
You
For
Your
Attention!
28