ETSI_visit_MiiT_10sept2012_Security


Present and future Standards for mobile internet and smart phone information security
Presented by Alain Sultan
© ETSI 2012. All rights reserved
for MIIT and TMC visit to ETSI - September 2012
Mobile Internet and Smart Phone
Mobile Internet security: not addressed by 3GPP
• Mobile IP refers to extensions of IP that allow it to address mobility
• But the system defined by 3GPP is mobile by nature, so there is no need for these extensions
Smart Phone security: not addressed by 3GPP
• 3GPP defines Interfaces
• The internal design of whatever system component (Mobile, Node B, MSC, etc.) is up to each manufacturer
But Security is a major topic of 3GPP specifications, from the first phase of GSM (2G) until the latest phase of LTE (4G)
• This is what this set of slides addresses
Standards for 2G/3G security
2G/3G Security Overview
[Figure: overview diagram; labels: Authentication, Encryption]
2G/3G Authentication & Key Agreement (AKA)
[Figure: labels: Authentication; Non-encrypted data -> Encryption -> Non-encrypted data]
A5 algorithms
Contained in mobile devices and base stations
Confidentiality between handset and base station
• Protect voice and data traffic over radio path
Versions of A5 available
• A5/0: NULL
• A5/1: original strong algorithm from 1986 => broken in 2009!
• A5/2: weakened algorithm to be used outside US/Europe
• A5/3: KASUMI-based new algorithm => mandatory from 2007 (but taking long to be deployed…)
• A5/4: A5/3 with longer key (128-bit)
Standards for LTE security
LTE Security
Characteristics of LTE Security
• Re-use of UMTS Authentication and Key Agreement (AKA)
• Use of USIM required (GSM SIM excluded, but Rel-99 USIM is sufficient)
• Extended key hierarchy
• Possibility for longer keys
• Greater protection for backhaul
• Integrated interworking security for legacy and non-3GPP networks
Authentication and key agreement (AKA)
[Figure: EPS architecture; elements: UE, E-UTRAN, MME, Serving Gateway, HSS, SGSN, UTRAN, GERAN; interfaces: LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S10, S11, S12]
HSS generates authentication data and provides it to MME
Challenge-response authentication and key agreement procedure between MME and UE
• SIM access to LTE is explicitly excluded (USIM R99 onwards allowed)
Confidentiality and integrity of signaling
[Figure: EPS architecture; elements: UE, E-UTRAN, MME, Serving Gateway, HSS, SGSN, UTRAN, GERAN; interfaces: LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S10, S11, S12]
RRC signaling between UE and E-UTRAN
• Encryption on PDCP layer
NAS signaling between UE and MME
User plane confidentiality
[Figure: EPS architecture; elements: UE, E-UTRAN, MME, Serving Gateway, HSS, SGSN, UTRAN, GERAN; interfaces: LTE-Uu, S1-MME, S1-U, S3, S4, S5, S6a, S10, S11, S12]
S1 protection is not UE-specific
• (Enhanced) network domain security mechanisms
• based on IPSec
• Optional
• Integrity protection not available
LTE Authentication and Key Agreement
Entities: UE, eNB, MME, AuC
1. NAS attach request (IMSI)
2. AUTH data request (IMSI, SN_id)
3. AUTH data response (AV={AUTN, XRES, RAND, Kasme})
4. NAS auth request (AUTN, RAND, KSIasme)
5. NAS auth response (RES)
6. NAS SMC (confidentiality and integrity algo)
7. NAS Security Mode Complete
8. S1AP Initial Context Setup
9. RRC SMC (confidentiality and integrity algo)
10. RRC Security Mode Complete
Indication of access network encryption
Indication of access network encryption
• user is informed whether confidentiality of user data is protected on the radio access link
• in particular when non-ciphered calls are set-up
Security Algorithms
LTE Security Algorithms (1/2)
Three separate algorithms specified
• In addition to one NULL algorithm
Current key length 128 bits
• Possibility to extend to 256 in the future
Confidentiality protection of NAS/AS signalling recommended
Integrity protection of NAS/AS signalling mandatory
User data confidentiality protection recommended
Ciphering/Deciphering applied on PDCP and NAS
LTE Security Algorithms (2/2)
128-EEA1/EIA1
• Based on SNOW 3G: stream cipher; keystream produced by Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM)
• As different from KASUMI as possible
• Allows for low power consumption
128-EEA2/EIA2
• AES block cipher
• Counter (CTR) Mode for ciphering
• CMAC Mode for MAC-I creation (integrity)
• As different from SNOW 3G as possible, so cracking one would not affect the other
• KASUMI not re-used: eNB already supports AES as well as other non-3GPP accesses, e.g. 802.11i
128-EEA3/EIA3 (Rel-11 onwards)
• Based on ZUC (Zu Chongzhi): stream cipher
• Developed by Data Assurance and Communication Security Research Center of Chinese Academy of Sciences (DACAS)
Lawful Interception
Lawful Interception in 3GPP
[Figure: lawful interception aspects; labels: Cost, Political, Interception, Business, Retrieval, Handover, Analysis, process, Relations, Storage, Legal]
Lawful Interception in EPS
Context and mechanisms similar to case of UMTS PS
• Different core entities (ICE, Intercepting Control Elements)
• ADMF handles requests from Law Enforcement Authorities
• target identity: IMSI, MSISDN and IMEI
• X1 interface provisions ICEs and Delivery Functions
• X2 delivers IRI (Intercept Related Information)
• X3 delivers CC (Content of Communication)
• HI1,2,3: Handover Interfaces with law enforcement
• Convey requests for interception of targets (HI1)
• Deliver IRI (HI2) and CC (HI3) to LEAs
EPS LI Architecture
[Figure: EPS LI architecture; elements: UE, E-UTRAN, UTRAN, GERAN, SGSN, MME, HSS, Serving Gateway, PDN Gateway, PCRF, Operator's IP Services (e.g. IMS, PSS etc.), ADMF, Delivery Function 2, Delivery Function 3, Mediation Functions, LEMF; interfaces: LTE-Uu, S1-MME, S1-U, S3, S4, S6a, S10, S11, S12, SGi, Gx, Rx, X1_1, X1_2, X1_3, X2, X3, HI1, HI2, HI3]
Additional slides for more info
More on LTE security
• Backhaul Security
• Relay Node Security
IMS authentication
Home (e) Node B security
Status of work at 3GPP on Security issues
Main 3GPP Security Standards
Conclusions
Security is a major point of interest from GSM (2G) up to LTE (4G)
GSM/UMTS Security: continues to evolve, recent introduction of A5/3 (planned before attack on old A5/1 succeeded)
LTE Security: building on GSM and UMTS Security with newer security algorithms, longer keys, Extended key hierarchy
Security aspects taken into consideration each time the system evolves (IMS, HNB, MTC, …)
Thank you!
Deeper Key hierarchy in LTE
[Figure: key hierarchy, top to bottom]
• USIM / AuC: K
• UE / HSS: CK, IK
• UE / ASME: KASME
• UE / MME: KNASenc, KNASint, KeNB
• UE / eNB: KUPint, KUPenc, KRRCint, KRRCenc
Faster handovers and key changes, independent of AKA
Added complexity in handling of security contexts
Security breaches local
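The key hierarchy above, worked through as an added example that is not part of the original slides: each level is derived one-way from its parent, so a new KeNB replaces the eNB-level keys without a new AKA run and without exposing KASME. The KDF layout and FC values are taken from 3GPP TS 33.220 Annex B and TS 33.401 Annex A rather than from the slides; the function names and sample inputs are constructed for illustration.

```python
import hashlib
import hmac

# KDF layout and FC values: 3GPP TS 33.220 Annex B / TS 33.401 Annex A
# (taken from those specifications, not from the slides).
FC_KASME, FC_KENB, FC_ALG = 0x10, 0x11, 0x15
# Algorithm type distinguishers, then algorithm identities (EEA1/2/3, EIA1/2/3).
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC, UP_INT = range(1, 7)
SNOW3G, AES, ZUC = 1, 2, 3

def kdf(key, fc, *params):
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (256-bit output)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_kasme(ck, ik, sn_id, sqn_xor_ak):
    """UE / HSS level: KASME is bound to the serving network identity."""
    return kdf(ck + ik, FC_KASME, sn_id, sqn_xor_ak)

def derive_kenb(kasme, uplink_nas_count):
    """A fresh KeNB per uplink NAS COUNT, derived without running AKA again."""
    return kdf(kasme, FC_KENB, uplink_nas_count.to_bytes(4, "big"))

def derive_alg_key(parent, alg_type, alg_id):
    """Leaf keys: the 128 least significant bits of the KDF output."""
    return kdf(parent, FC_ALG, bytes([alg_type]), bytes([alg_id]))[16:]

def build_hierarchy(ck, ik, sn_id, sqn_xor_ak, nas_count, alg_id=AES):
    """Derive every key below CK, IK for one security context."""
    kasme = derive_kasme(ck, ik, sn_id, sqn_xor_ak)
    kenb = derive_kenb(kasme, nas_count)
    keys = {"KASME": kasme, "KeNB": kenb}
    for name, t in (("KNASenc", NAS_ENC), ("KNASint", NAS_INT)):
        keys[name] = derive_alg_key(kasme, t, alg_id)
    for name, t in (("KRRCenc", RRC_ENC), ("KRRCint", RRC_INT),
                    ("KUPenc", UP_ENC), ("KUPint", UP_INT)):
        keys[name] = derive_alg_key(kenb, t, alg_id)
    return keys

# Constructed sample inputs (not real subscriber data).
CK, IK = bytes(range(16)), bytes(range(16, 32))
SN_ID, SQN_XOR_AK = bytes.fromhex("02f810"), bytes(6)

if __name__ == "__main__":
    for name, value in build_hierarchy(CK, IK, SN_ID, SQN_XOR_AK, 0).items():
        print(f"{name:8} {value.hex()}")
```

Calling `build_hierarchy` with a different `nas_count` changes KeNB and the four keys below it while KNASenc and KNASint stay the same, which is the "key changes independent of AKA" property listed on the slide.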
Backhaul Security
Backhaul Security
Base stations becoming more powerful
• LTE eNode B includes functions of NodeB and RNC
Coverage needs grow constantly
Infrastructure sharing
Not always possible to trust physical security of eNB
Greater backhaul link protection necessary
Certificate Enrollment for Base Stations
[Figure: base station, RA/CA and SEG; links labelled CMPv2 and IPsec]
• Vendor root certificate pre-installed.
• Base station obtains operator-signed certificate on its own public key from RA/CA using CMPv2.
• Operator root certificate pre-installed.
• Enrolled base station certificate is used in IKE/IPsec.
• Vendor-signed certificate of base station public key pre-installed.
Picture from 3GPP TS 33.310
Relay Node Security
Relay Node Authentication
Mutual authentication between Relay Node and network
• AKA used (RN attach)
• credentials stored on UICC
Binding of Relay Node and USIM:
• Based on symmetric pre-shared keys, or
• Based on certificates
[Figure: UE, Radio, Relay, Radio, Donor eNB, Backhaul, Core NW]
Relay Node Security
Control plane traffic integrity protected
User plane traffic optionally integrity protected
Relay Node and network connection confidentiality protected
Device integrity check
Secure environment for storing and processing sensitive data
IP Multimedia Subsystem (IMS) Security
More detailed view of IMS (2/2)
[Figure: IMS architecture; elements: IP CAN, P-CSCF, I-CSCF, S-CSCF, HSS, DNS, ENUM, AS, MRFC, MRFP, BGCF, MGCF, MGW, PSTN; areas: Own/Visited Network, Home Network, Backbone Packet Network, Interfaces to PSTN/PLMN; protocol labels: SIP, Access, Diameter, RTP, ISUP, H.248, SS7, TDM]
Home Subscriber Server
• Centralized DB
• HLR successor
• User profile
• Filter criteria (sent to S-CSCF)
• Which applications
• Which conditions
Domain Name Server
Application Servers
• Push-to-talk
• Instant messaging
• Telephony AS
• 3rd party
Media Resource Function Controller
• Pooling of Media servers
Media Gateway and MG Control Function
MGCF:
• SIP  ISUP/BICC
• controls the MGW (H.248)
MGW:
• IP transport  e.g. TDM
• transcoding e.g. AMR  G.711
• Tones/Announcements
Call Session Control Function
• SIP registration
• SIP session setup
Proxy CSCF
• 1st contact point for UE
• QoS
• Routes to I-CSCF
- Charging Records
- Lawful Interception
- SIP Header Comp
Serving CSCF
• Register
• Session control
• Application Interface
- IMS User Authentication
- Loads IMS User Profiles
- Service (AS) Control
- Address Translation
- Charging Records
Interrogating CSCF
• Entry point for incoming calls
• Determines S-CSCF for Subscribers
• Hides network topology
Breakout Gateway Control Function
• Selects network (MGCF or other BGCF) in which PSTN/PLMN breakout is to occur
Flow for IMS Registration
Entities: UE, GGSN, P-CSCF, I-CSCF, S-CSCF, AS, HSS
1. Register (no Integrity Key (IK), no Confidentiality Key (CK), no RES)
2. Register (“integrity-protected”=no, no RES)
(find appropriate S-CSCF)
3. Register (“integrity-protected”=no, no RES)
4. Retrieval of Authentication Vector(s) for that PrivateID
5. RAND, AUTN, IK(HSS), CK (HSS), RES(HSS)
6. 401 non authorized (RAND, AUTN, IK(HSS), CK (HSS))
7. 401 non authorized (RAND, AUTN)
UE computes IK(UE), CK(UE) from AUTN and RES(UE) from RAND
8. Register (IK(UE), CK (UE), RES(UE))
P-CSCF compares IK(UE) and CK(UE) with IK(HSS) and CK(HSS).
If identical, then “integrity-protected”=yes
9. Register (“integrity-protected”=yes, RES(UE))
I-CSCF compares RES(UE) with RES(HSS).
If not identical, then registration failure
10. Update HSS
11. Update S-CSCF (User Profile: subscribed services, user pref., etc)
12. 200 OK
13. 200 OK
Home (e) Node B security
(out of scope for security)
Datamodel cooperation with BBF
[Figure: timeline diagram; labels: RAN3, FF, "Produced stage 1,2,3", "Flat list of radio parameters", Broadband Forum, Datamodel, "SA5 input (late in the process)"; ref. S5-091892, S5-092661]
SA5
1. Influenced the data model
Based on SA5 requirements
2. Derived info model (semantics)
Based on RAN3, FF input+
Threats / countermeasures in Technical Report 33.820
Examples
• cloning of credentials
• physical tampering
• fraudulent software updates
• man-in-the-middle attacks
• Denial of service against core network
• Eavesdropping (identity theft, privacy breaches, …)
[Figure: cover page of 3GPP TR 33.820 V8.2.0 (2009-09); Technical Report; 3rd Generation Partnership Project; Technical Specification Group Service and System Aspects; Security of H(e)NB; (Release 8)]
Home (e)NB Security architecture (1/2)
[Figure: UE, H(e)NB, unsecure link, SeGW, H(e)NB GW, H(e)MS, AAA Server/HSS, Operator’s core network]
Security Gateway (SeGW)
• element at the edge of the core network terminating security association(s) for backhaul link between H(e)NB and core network
H(e)MS – Home (e) NodeB Management System
• management server that configures the H(e)NB according to the operator’s policy, installs software updates on the H(e)NB
Hosting Party Module (HPM)
• physical entity distinct from the H(e)NB physical equipment, dedicated to the identification and authentication of the Hosting Party towards the MNO
Trusted Environment (TrE)
• logical entity which provides a trustworthy environment for the execution of sensitive functions and the storage of sensitive data
Home (e)NB Security architecture (2/2)
[Figure: UE, H(e)NB, unsecure link, SeGW, H(e)NB GW, H(e)MS, AAA Server/HSS, Operator’s core network]
Air interface between UE and H(e)NB backwards compatible with UTRAN
H(e)NB accesses operator’s core network via a Security Gateway (SeGW)
• Backhaul between H(e)NB and SeGW may be unsecure
Security tunnel established between H(e)NB and SeGW
• to protect information transmitted in backhaul link
H(e)NB Authentication
Two separate concepts of authentication:
Mutual authentication of H(e)NB and operator (SeGW) (mandatory)
• Certificate based
• Credentials stored in TrE in H(e)NB
Authentication of hosting party by operator’s network (optional)
• EAP-AKA based
• credentials contained in separate Hosting Party Module (HPM) in H(e)NB
• bundled with the device authentication (one step)
Backhaul link protection
• IPSec, IKEv2, based on H(e)NB/SeGW authentication
Other security mechanisms for H(e)NB
Device Integrity Check
• AV, SAV, Hybrid, …
Location Locking
• IP address based
• Macro-cell/UE reporting based
• (A)GPS based
• Combination of the above
Access Control Mechanism
• ACL for Pre-R8 UE accessing HNB
• CSG for H(e)NB
Clock Synchronization
• Based on backhaul link between H(e)NB and SeGW
• Based on security protocol of clock synchronization protocol
H(e)NB security in the real world…
location locking does NOT seem to work
• in current commercial trials
• HNBs operating from different countries
• No roaming charges
algorithm licensing is an issue
• customers do not sign any agreement for use of COTS HNBs
Lawful Interception
• currently would not work in LIPA
• would not work between CSG MSs camping on the same HNB
rogue HNB roaming
Status of work at 3GPP on Security issues
Recently completed security activities at 3GPP (Rel-11)
Recently completed security activities at 3GPP (Rel-10)
Ongoing security activities at 3GPP
Main 3GPP Security Standards
Main 3GPP Security Standards
UMTS Security:
• 33.102 Security Architecture
• 33.105 3GPP Cryptographic Algorithm Requirements
• 35.201 f8 and f9 Specification
• 35.202 KASUMI Specification
IMS Security:
• 23.228 IMS Architecture.
LTE Security:
• 33.401 System Architecture Evolution (SAE); Security architecture
• 33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP
Lawful Interception:
• 33.106 Lawful interception requirements
• 33.107 Lawful interception architecture and functions
• 33.108 Handover interface for Lawful Interception
Key Derivation Function:
• 33.220 GAA: Generic Bootstrapping Architecture (GBA)
Backhaul Security:
• 33.310 Network Domain Security (NDS); Authentication Framework (AF)
Relay Node Security
• 33.816 Feasibility study on LTE relay node security (also 33.401)
Home (e) Node B Security:
• 33.320 Home (evolved) Node B Security
All documents available for free at: ftp://ftp.3gpp.org/specs