Role of Crypto in Mobile Communications: Outline

Role of Crypto in
Mobile
Communications
Valtteri Niemi
ECRYPT workshop 27-29 May 2008
1 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN
Outline
• Some history about:
• Use of crypto in 1G, 2G, 3G mobile communications
• 3GPP security specifications
• SAE/LTE security
• Role of crypto in other 3GPP features
• Network domain security (NDS)
• IP Multimedia Subsystem (IMS)
• Interworking with WLAN (I-WLAN)
• Generic Authentication Architecture (GAA)
• Multimedia Broadcast/Multicast Service (MBMS)
• Secure channel between UICC and a (remote) terminal
• Lawful interception
• Summary

Essential crypto-features in 2G, 3G, SAE/LTE
Radio
Core
network
network
control
Auth (1-way)
GSM:
Ciph

Radio
Core
network
network
control
Auth (1-way)
GSM:
Ciph
Auth (1-way) + ciph
GPRS:

Radio
Core
network
network
control
Auth (1-way)
GSM:
Ciph
Auth (1-way) + ciph
GPRS:
Auth (2-way)
3G:
Ciph + integrity of signalling

Radio
Core
network
network
control
Auth (1-way)
GSM:
Ciph
Auth (1-way) + ciph
GPRS:
Auth (2-way)
3G:
Ciph + integrity of signalling
Auth (2-way)
SAE/LTE:
Ciph + intg of radio signalling IPsec
intg of core ntwk signalling

Some history of 3GPP security 1/2
• For 3GPP Release 99, WG SA3 created 14 new specifications, e.g.
TS 33.102 “3G security; Security architecture”
• In addition 5 specifications originated by ETSI SAGE, e.g. TS 35.202
“KASUMI specification”
• For Release 4, SA3 was kept busy with GERAN security, MAP
security (later to be replaced by TCAP security) and various
extensions to Rel-99
• ETSI SAGE originated again 5 new specifications, e.g. TS 35.205-208
“MILENAGE algorithm set”
• 3GPP Release 5: SA3 added 3 new specifications, e.g.:
• TS 33.203 “IMS security”
• TS 33.210 “Network domain security: IP layer”
Some history of 3GPP security 2/2

• Release 6: SA3 added 17 new specifications, e.g.:
• TS 33.310 “Network domain security: Authentication Framework”
• TS 33.234 “I-WLAN security”
• TS 33.220-222 “Generic Authentication Architecture” specs
• TS 33.246 “MBMS security
• Release 7: SA3 added 8 new specifications, e.g:
• TS 33.110 “Key establishment between a UICC and a terminal”
• TS 33.259 “Key establishment between a UICC hosting device and a
remote device”
• TS 33.204 “Network Domain Security; Transaction Capabilities
Application Part (TCAP) user security”
• In addition, ETSI SAGE created 5 specifications for UEA2 & UIA2
(incl. SNOW 3G spec) (TS 35.215-218, TR 35.919)
• Release 8: Main addition is SAE/LTE security

SAE/LTE: What and why?
SAE = System Architecture Evolution
LTE = Long Term Evolution (of radio networks)
• LTE offers higher data rates, up to 100 Mb/sec

• Multi-antenna technologies
• New transmission schema based on OFDM
• Signaling/scheduling optimizations
• SAE offers optimized IP-based architecture
• Packet-based
• Flat architecture: 2 network nodes for user plane
• Simplified protocol stack
• Optimized inter-working with legacy cellular, incl. CDMA
• Inter-working with non-3GPP accesses, incl. WiMAX
SAE: Non-Roaming Architecture for 3GPP

Accesses (TS 23.401)
UTRAN
SGSN
GERAN HS
S3
S1-MME S6a
MME
PCRF
S12
S11 S7 Rx+
S4
S10
“LTE-Uu”
Serving S5 PDN SGi
UE E-UTRAN Gateway Operator’s IP Services
Gateway (e.g. IMS, PSS etc.)
S1-U
E-UTRAN = Evolved UTRAN (LTE radio network)

EPC = Evolved Packet Core (SAE core network)
EPS = Evolved Packet System ( = RAN + EPC )

LTE: E-UTRAN architecture (TS 36.300)
Implications on security
• Flat architecture Æ user plane security terminates in eNodeB

• Deeper key hierarchy
• Implementation security for eNodeB
• Many different access technologies Æ different kind of networks
participate Æ trust models more complex
• Extended key hierarchy
• Weaknesses in one network not to affect others
• Many inter-working cases to be covered

Security functions
• Authentication and key agreement
• UMTS AKA re-used for SAE
• SIM access to LTE is explicitly excluded
• On the other hand, Rel-99 USIM is sufficient
• Signalling protection
• For core network (NAS) signalling, integrity and confidentiality protection terminate in
MME
• For radio network (RRC) signalling, integrity and confidentiality protection terminate in
eNodeB
• User plane protection
• Encryption terminates in eNodeB
• Separate protection in network interfaces
• Network domain security used for network internal interfaces
SAE key hierarchy

USIM / AuC K
CK, IK
UE / HSS
KASME
UE / ASME
KNASenc KNASint KeNB
UE / MME
KUPenc KRRCint KRRCenc
UE / eNB

Key derivation and distribution, network side
256
HSS KeNB* 256
KDF
Ks C-RNTI
KeNB
256
network-ID 256 eNB
KDF KDF
Physical cell ID eNB
256
256 256 256
MME KeNB
KDF
KASME
UP-enc-alg,
256 Alg-ID
NAS COUNT
RRC-int-alg,
Alg-ID
NAS-enc-alg, NAS-int-alg, RRC-enc-alg,
Alg-ID Alg-ID Alg-ID
KDF KDF KDF KDF KDF
256 256 256 256
256-bit 256-bit
keys KNASenc KNASint keys KRRCenc KRRCint
256 256 256 256
Trunc Trunc Trunc Trunc
128 128 128 128
128-bit 128-bit
keys KNASenc KNASint keys KRRCenc KRRCint
Key derivations, terminal side

ME 256
KeNB*
KDF
Ks C-RNTI
256
network-ID 256
256
KDF KDF
Physical cell ID
256
256 256 256
KeNB
KDF
KASME UP-enc-alg,
Alg-ID
256 NAS COUNT
RRC-int-alg,
Alg-ID
NAS-enc-alg, NAS-int-alg, RRC-enc-alg,
Alg-ID Alg-ID Alg-ID
KDF KDF KDF KDF KDF
256 256 256 256 256
256-bit 256-bit
keys KNASenc KNASint keys KRRCenc KRRCint KUPenc
256 256 256 256 256
Trunc Trunc Trunc Trunc Trunc
128 128 128 128 128
128-bit 128-bit
keys KNASenc KNASint keys KRRCenc KRRCint KUPenc

Crypto-algorithms
• Two sets of algorithms from Day One
• If one breaks, we still have one standing
• Should be as different from each other as possible
• AES and SNOW 3G chosen as basis Æ ETSI SAGE to specify modes
• Rel-99 USIM is sufficient Æ master key 128 bits
• All keys used for crypto-algorithms are 128 bits but included possibility to add 256-bit
keys later (if needed)
• Deeper key hierarchy Æ (one-way) key derivation function needed
• HMAC-SHA-256 chosen as basis
Need for algorithm agility: example
Theory Practical
break of break of
algo 2 algo 2
time
Spec Algo 3 Majority of
work for implemented terminal base
algo 3 supports algo 3

Need for algorithm agility: example
Theory Practical Dependent on

break of break of
algo 2 algo 2 one algo only
time
Spec Algo 3 Majority of
work for implemented terminal base
algo 3 supports algo 3
Caveat: Security of algorithm capability

negotiation
• Algorithm capabilities exchanged first without protection
• Re-exchanged and verified once integrity protection is turned on
Æ all integrity algorithms should resist real-time attacks in the beginning of the
connection
• If this is not the case anymore, broken algorithm has to be withdrawn completely
from the system
• In the same way as A5/2 is withdrawn from GSM

Security for handovers
• Extended key hierarchy allows fast key refreshing for intra-LTE handovers
• Security context transferred in handovers with GERAN/UTRAN
• After completion of HO, possibility for key renewal
• Possibility to refresh keys also during long sessions with no handovers
Inter-working with non-3GPP networks

• Two options for mobility between 3GPP and non-3GPP networks:
• Proxy Mobile IP: no user-specific security associations between the Proxy and Home
Agent
• Client Mobile IP: for Dual Stack MIPv6, IPsec with IKEv2 is used
• IPsec tunnel (with evolved Packet Data Gateway) used in case the non-3GPP
network is untrusted by the operator (of SAE network)

SAE/LTE: SA3 specifications
• TS 33.401: SAE security architecture

• TS 33.402: Security with non-3GPP accesses
Network domain security using IPsec

• Inter-operator signaling is done via security gateways (a)
• End-to-end security (b) can be added using key management with PKI,
see TS 33.310
• 3GPP has also created TCAPsec (analogous to IPsec), see TS 33.204
Network A Network B
a
a a
SEGA SEGB
Intermediate
IP network
NEA b NEB

IMS (SIP) security
IMS home
authentication & security

mechanism network domain security
key agreement,
RFC 3310 Agreement,
RFC 3329
IMS visited
Integrity (+ conf) protection, IPsec + 33.203
PS domain
bearer access security
WLAN interworking in 3GPP

• WLAN access zone can be connected to cellular core network
• Shared subscriber database & charging & authentication (WLAN
Direct IP access)
• Authentication between WLAN-UE and 3GPP AAA server
• based on EAP (RFC3748)
• EAP-SIM: based on GSM AKA and network authentication (RFC4186)
• EAP-AKA: based on UMTS AKA (RFC4187)
• Shared services (WLAN 3GPP IP Access), e.g. access to IMS
• Security is provided by IPsec tunnel between UE and PDG
• WLAN-UE uses IKEv2 for tunnel establishment
• EAP messages carried over IKEv2 terminate in AAA server.
• Service continuity is the next step

Generic Authentication
Architecture (GAA)
• GAA consists of three parts (Rel-6):
• TS 33.220 Generic Bootstrapping HSS
Architecture (GBA) offers generic

authentication capability for various
applications based on shared secret. GBA GAA
Subscriber authentication in GBA is based Certificates

on HTTP Digest AKA [RFC 3310].
AP
• TS 33.221 Support of subscriber
certificates: PKI Portal issues subscriber
certificates for UEs and delivers an operator UE NE
CA certificates. The issuing procedure is

secured by using shared keys from GBA.
• TS 33.222 Access to Network Application
Function using HTTPS is also based on
GBA.
GBA: Generic Bootstrapping
HSS
• Bootstrapping Server Function (BSF)
and the UE run AKA protocol, and
Zh Zn agreed session keys are later used
between UE and Network Application
BSF NAF Function (NAF).
• After the bootstrapping, the UE and
NAF can run some application-specific
Ub Ua
protocol where security is based on
derived session keys
UE

MBMS Security Architecture (node layout)
Mobile Operator Network Content

Server
BM-SC
Content
BSF Server Internet
BGW
BM-SC can reside in home or visited network
BGW: Bearer Gateway (first hop IP-router)

BM-SC: Broadcast/Multicast Service Center
BSF: Bootstrapping Server Function
Summary of MBMS Security

• Service protection, not content protection in DRM-sense
• Application layer solution which is bearer agnostic
• Based on IETF and OMA protocols
• MIKEY for key delivery
• SRTP for streaming protection
• DCF for download protection
• GBA used for mutual authentication and distribution of shared
secret
• Three-level key hierarchy for data protection
• Specified in TS 33.246

Secure channel between UICC and terminal
• Background: security elements emerge in terminals, e.g. TPM in laptops, MTM in
mobile phones
• It makes sense to secure the (local) interface between UICC and terminal, esp.
for scenarios where the user may be the enemy, e.g. broadcast
• Secure transport specified by ETSI SCP group
• Key management specified in TS 33.110
• Based on GBA
• “Sister” spec TS 33.259 provides key management between UICC-hosting device
and a (remote) terminal
Lawful interception
• 3GPP specifies required lawful interception mechanisms for all features
• Call/message content and related data provided from certain network elements to
the law enforcement side
• Assumes typically that the content appears in clear in the network element
• End-to-end encryption is still possible if keys are provided
• No weak algorithms introduced for LI purposes
• All 3GPP algorithms are publicly known
• National variations exist
• Specified in TSs 33.106-108

Summary
• Number of cryptographic solutions still growing in mobile communications
• 3GPP has provided 6 releases of security specifications
• SAE/LTE security
• User plane security terminates in base station site
• Extended key hierarchy
• Covers interworking with non-3GPP networks
• Cryptoalgorithms based on AES and SNOW 3G
• Other 3GPP features
• 3GPP has specified several emerging standards that rely heavily on crypto
• Lawful interception is not provided using weak algorithms but it puts constraints on
end-to-end security

Role of Crypto in Mobile Communications: Outline

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Role of Crypto in Mobile Communications: Outline

Uploaded by

Copyright:

Available Formats

Role of Crypto in

1 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

2 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

3 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Essential crypto-features in 2G, 3G, SAE/LTE

4 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

5 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Essential crypto-features in 2G, 3G, SAE/LTE

intg of core ntwk signalling

6 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

7 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Some history of 3GPP security 2/2

8 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

• LTE offers higher data rates, up to 100 Mb/sec

9 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

SAE: Non-Roaming Architecture for 3GPP

E-UTRAN = Evolved UTRAN (LTE radio network)

10 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

11 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

• Flat architecture Æ user plane security terminates in eNodeB

12 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

13 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

SAE key hierarchy

KNASenc KNASint KeNB

14 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

KDF KDF KDF KDF KDF

256 256 256 256

256 256 256 256

Trunc Trunc Trunc Trunc

128 128 128 128

15 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Key derivations, terminal side

KDF KDF KDF KDF KDF

256 256 256 256 256

256 256 256 256 256

Trunc Trunc Trunc Trunc Trunc

128 128 128 128 128

16 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

17 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Need for algorithm agility: example

18 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Theory Practical Dependent on

19 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Caveat: Security of algorithm capability

20 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

21 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Inter-working with non-3GPP networks

22 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

• TS 33.401: SAE security architecture

23 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Network domain security using IPsec

24 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

authentication & security

Integrity (+ conf) protection, IPsec + 33.203

WLAN interworking in 3GPP

26 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Architecture (GBA) offers generic

Subscriber authentication in GBA is based Certificates

CA certificates. The issuing procedure is

27 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

GBA: Generic Bootstrapping

28 © 2008 Nokia Crypto_in_Mobile.ppt / 2008-05-28 / VN

Mobile Operator Network Content