1. Present and future Standards for mobile internet and smart phone information security Presented by Alain Sultan for MIIT and TMC visit to ETSI - September 2012 © ETSI 2012. All rights reserved

2. Mobile Internet and Smart Phone Mobile Internet security: not addressed by 3GPP Mobile IP refers to extensions of IP as to be able to address mobility But the system defined by 3GPP is mobile by nature, so there is no need for these extensions Smart Phone security: not addressed by 3GPP 3GPP defines Interfaces The internal design of whatever system component (Mobile, Node B, MSC, etc.) is up to each manufacturer But Security is a major topic of 3GPP specifications, from the first phase of GSM (2G) until the latest phase of LTE (4G) This is what this set of slides addresses

3. Standards for 2G/3G security

4. 2G/3G Security Overview Authentication Encryption

5. 2G/3G Authentication & Key Agreement (AKA) Non-encrypted -> data -> Non-encrypted data Authentication Encryption

6. A5 algorithms Contained in mobile devices and base stations Confidentiality between handset and base station Protect voice and data traffic over radio path Versions of A5 available A5/0: NULL A5/1: original strong algorithm from 1986 => broken in 2009! A5/2: weakened algorithm to be used outside US/Europe A5/3: KASUMI-based new algorithm => mandatory from 2007 (but taking long to be deployed…) A5/4: A5/3 with longer key (128-bit)

7. Standards for LTE security

8. LTE Security Characteristics of LTE Security Re-use of UMTS Authentication and Key Agreement (AKA) Use of USIM required (GSM SIM excluded, but Rel-99 USIM is sufficient) Extended key hierarchy Possibility for longer keys Greater protection for backhaul Integrated interworking security for legacy and non-3GPP networks

9. Authentication and key agreement (AKA) HSS generates authentication data and provides it to MME Challenge-response authentication and key agreement procedure between MME and UE SIM access to LTE is explicitly excluded (USIM R99 onwards allowed)

10. Confidentiality and integrity of signaling RRC signaling between UE and E-UTRAN Encryption on PDCP layer NAS signaling between UE and MME

11. User plane confidentiality S1 protection is not UE-specific (Enhanced) network domain security mechanisms based on IPSec Optional Integrity protection not available

12. LTE Authentication and Key Agreement UE eNB MME AuC NAS attach request (IMSI) AUTH data request (IMSI, SN_id) AUTH data response (AV={AUTN, XRES, RAND, Kasme}) NAS auth request (AUTN, RAND, KSIasme) NAS auth response (RES) NAS SMC (confidentiality and integrity algo) NAS Security Mode Complete RRC SMC (confidentiality and integrity algo) RRC Security Mode Complete S1AP Initial Context Setup

13. Indication of access network encryption user is informed whether confidentiality of user data is protected on the radio access link in particular when non-ciphered calls are set-up

14. Security Algorithms

15. LTE Security Algorithms (1/2) Three separate algorithms specified In addition to one NULL algorithm Current keylength 128 bits Possibility to extend to 256 in the future Confidentiality protection of NAS/AS signalling recommended Integrity protection of NAS/AS signalling mandatory User data confidentiality protection recommended Ciphering/Deciphering applied on PDCP and NAS

16. LTE Security Algorithms (2/2) 128-EEA1/EIA1 Based on SNOW 3G: stream cipher; keystream produced by Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM) Different from KASUMI as possible Allows for low power consumption 128-EEA2/EIA2 AES block cipher Counter (CTM) Mode for ciphering CMAC Mode for MAC-I creation (integrity) Different from SNOW 3G as possible, so cracking one would not affect the other KASUMI not re-used: eNB already supports AES as well as other non- 3GPP accesses, e.g. 802.11i 128-EEA3/EIA3 (Rel-11 onwards) Based on ZUC (Zu Chongzhi): stream cipher Developed by Data Assurance and Communication Security Research Center of Chinese Academy of Sciences (DACAS)

17. Lawful Interception

18. Lawful Interception in 3GPP Handover Retrieval CostPolitical LegalBusiness Relations process Storage Interception Analysis

19. Lawful Interception in EPS Context and mechanisms similar to case of UMTS PS Different core entities (ICE, Intercepting Control Elements) ADMF handles requests from Law Enforcement Authorities target identity: IMSI, MSISDN and IMEI X1 interface provisions ICEs and Delivery Functions X2 delivers IRI (Intercept Related Information) X3 delivers CC (Content of Communication) HI1,2,3: Handover Interfaces with law enforcement Convey requests for interception of targets (HI1) Deliver IRI (HI2) and CC (HI3) to LEAs

20. EPS LI Architecture LEMF Mediation Function Delivery Function 2 Mediation Function Delivery Function 3 Mediation Function ADMF X1_1 X1_2 X1_3 X2 X3 HI1 HI2 HI3 X2

21. Additional slides for more info More on LTE security Backhaul Security Relay Node Security IMS authentication Home (e) Node B security Status of work at 3GPP on Security issues Main 3GPP Security Standards

22. Conclusions Security is a major point of interest from GSM (2G) up to LTE (4G) GSM/UMTS Security: continues to evolve, recent introduction of A5/3 (planned before attack on old A5/1 succeeded) LTE Security: building on GSM and UMTS Security with newer security algorithms, longer keys, Extended key hierarchy Security aspects taken into consideration each time the system evolves (IMS, HNB, MTC, …)

23. Thank you! Contact Details: Alain.Sultan@etsi.org 23 Thank you! © ETSI 2012. All rights reserved

24. Deeper Key hierarchy in LTE Faster handovers and key changes, independent of AKA Added complexity in handling of security contexts Security breaches local USIM / AuC UE / MME UE / ASME K K UPenc K NASint UE / HSS UE / eNB K NASenc CK, IK K RRCint K RRCenc K ASME K eNB K UPint

25. Backhaul Security

26. Base stations becoming more powerful LTE eNode B includes functions of NodeB and RNC Coverage needs grow constantly Infrastructure sharing Not always possible to trust physical security of eNB Greater backhaul link protection necessary

27. Certificate Enrollment for Base Stations RA/CA base station base station obtains operator-signed certificate on its own public key from RA/CA using CMPv2. CMPv2 Vendor-signed certificate of base station public key pre-installed. Vendor root certificate pre-installed. SEG Operator root certificate pre-installed. Enrolled base station certificate is used in IKE/IPsec. IPsec Picture from 3GPP TS 33.310

28. Relay Node Security

29. Relay Node Authentication Mutual authentication between Relay Node and network AKA used (RN attach) credentials stored on UICC Binding of Relay Node and USIM: Based on symmetric pre-shared keys, or Based on certificates Relay Donor eNB UE Core NW Radio Backhaul

30. Relay Node Security Control plane traffic integrity protected User plane traffic optionally integrity protected Relay Node and network connection confidentiality protected Device integrity check Secure environment for storing and processing sensitive data

31. IP Multimedia Subsystem (IMS) Security

32. HSSDNSENUM I-CSCF S- CSCF Own/Visited Network Home Network AS AS AS Home Subscriber Server Centralized DB HLR successor User profile Filter criteria (sent to S-CSCF) Which applications Which conditions Home Subscriber Server Centralized DB HLR successor User profile Filter criteria (sent to S-CSCF) Which applications Which conditions Application Servers Push-to-talk Instant messaging Telephony AS 3 rd party Application Servers Push-to-talk Instant messaging Telephony AS 3 rd party P- CSCF BackbonePacketNetwork Access MGCF MGW PSTN BGCF SS7 Call Session Control Function SIP registration SIP session setup Call Session Control Function SIP registration SIP session setup MRFPMRFP MRFC Media Gateway and MG Control Function Interfaces to PSTN/PLMN MGCF: SIP  ISUP/BICC controls the MGW (H.248) MGW: IP transport  e.g. TDM transcoding e.g. AMR  G.711 Tones/Announcements Media Gateway and MG Control Function Interfaces to PSTN/PLMN MGCF: SIP  ISUP/BICC controls the MGW (H.248) MGW: IP transport  e.g. TDM transcoding e.g. AMR  G.711 Tones/Announcements Breakout Gateway Control Function Selects network (MGCF or other BGCF) in which PSTN/ PLMN breakout is to occur Breakout Gateway Control Function Selects network (MGCF or other BGCF) in which PSTN/ PLMN breakout is to occur Media Resource Function Controller Pooling of Media servers Media Resource Function Controller Pooling of Media servers Proxy CSCF 1 st contact point for UE QoS Routes to I-CSCF - Charging Records - Lawful Interception - SIP Header Comp Proxy CSCF 1 st contact point for UE QoS Routes to I-CSCF - Charging Records - Lawful Interception - SIP Header Comp Interrogating CSCF Entry point for incoming calls Determines S-CSCF for Subscribers Hides network topology Interrogating CSCF Entry point for incoming calls Determines S-CSCF for Subscribers Hides network topology Serving CSCF Register Session control Application Interface - IMS User Authentication - Loads IMS User Profiles - Service (AS) Control - Address Translation - Charging Records Serving CSCF Register Session control Application Interface - IMS User Authentication - Loads IMS User Profiles - Service (AS) Control - Address Translation - Charging Records Domain Name Server IP CAN More detailed view of IMS (2/2) SIP H.248 ISUP SIP Diameter RTP TDM RTP

33. Flow for IMS Registration UEGGSNHSSS-CSCFP-CSCFI-CSCFAS 1. Register (no Integrity Key (IK), no Confidentiality Key (CK), no RES) 2. Register (“integrity-protected”=no, no RES) (find appropriate S-CSCF) 3. Register (“integrity-protected”=no, no RES) 4. Retrieval of Authentication Vector(s) for that PrivateID 5. RAND, AUTN, IK(HSS), CK (HSS), RES(HSS) 6. 401 non authorized (RAND, AUTN, IK(HSS), CK (HSS)) 7. 401 non authorized (RAND, AUTN) 8. Register (IK(UE), CK (UE), RES(UE)) UE computes IK(UE), CK(UE) from AUTN and RES(UE) from RAND P-CSCF compares IK(UE) and CK(UE) with IK(HSS) and CK(HSS). If identical, then “integrity-protected”=yes 9. Register (“integrity-protected”=yes, RES(UE)) I-CSCF compares RES(UE) with RES(HSS). If not identical, then registration failure 10. Update HSS 11. Update S-CSCF (User Profile: subscribed services, user pref., etc) 12. 200 OK 13. 200 OK

34. Home (e) Node B security

35. (out of scope for security) Datamodel cooperation with BBF ref. S5-091892, S5-092661

36. Threats Examples cloning of credentials physical tampering fraudulent software updates man-in-the-middle attacks Denial of service against core network Eavesdropping (identity theft, privacy breaches, …) countermeasures in Technical Report 33.820

37. Home (e)NB Security architecture (1/2) Security Gateway (SeGW) element at the edge of the core network terminating security association(s) for backhaul link between H(e)NB and core network H(e)MS – Home (e) NodeB Management System management server that configures the H(e)NB according to the operator ’ s policy, instals software updates on the H(e)NB Hosting Party Module (HPM) physical entity distinct from the H(e)NB physical equipment, dedicated to the identification and authentication of the Hosting Party towards the MNO Trusted Environment (TrE) logical entity which provides a trustworthy environment for the execution of sensitive functions and the storage of sensitive data UEH(e)NBSeGW unsecure link Operator’s core network H(e)NB GW H(e)MS AAA Server/HSS

38. Home (e)NB Security architecture (2/2) Air interface between UE and H(e)NB backwards compatible with UTRAN H(e)NB access operator ’ s core network via a Security Gateway (SeGW) Backhaul between H(e)NB and SeGW may be unsecure Security tunnel established between H(e)NB and SeGW to protect information transmitted in backhaul link UEH(e)NBSeGW unsecure link Operator’s core network H(e)NB GW H(e)MS AAA Server/HSS

39. H(e)NB Authentication Two separate concepts of authentication: Mutual authentication of H(e)NB and operator (SeGW) (mandatory) Certificate based Credentials stored in TrE in H(e)NB Authentication of hosting party by operator’s network (optional) EAP-AKA based credentials contained in separate Hosting Party Module (HPM) in H(e)NB bundled with the device authentication (one step) Backhaul link protection IPSec, IKEv2, based on H(e)NB/SeGW authentication

40. Other security mechanisms for H(e)NB Device Integrity Check AV, SAV, Hybrid, … Location Locking IP address based Macro-cell/UE reporting based (A)GPS based Combination of the above Access Control Mechanism ACL for Pre-R8 UE accessing HNB CSG for H(e)NB Clock Synchronization Based on backhaul link between H(e)NB and SeGW Based on security protocol of clock synchronization protocol

41. H(e)NB security in the real world… location locking does NOT seem to work in current commercial trials HNBs operating from different countries No roaming charges algorithm licensing is an issue customers do not sign any agreement for use of COTS HNBs Lawful Interception currently would not work in LIPA would not work between CSG MSs camping on the same HNB rogue HNB roaming

42. Status of work at 3GPP on Security issues

43. Recently completed security activities at 3GPP (Rel-11)

44. Recently completed security activities at 3GPP (Rel-10)

45. Ongoing security activities at 3GPP

46. Main 3GPP Security Standards

47. UMTS Security: 33.102 Security Architecture. 33.105. 3GPP Cryptographic Algorithm Requirements. 35.201. f8 and f9 Specification. 35.202. KASUMI Specification. IMS Security: 23.228 IMS Architecture. LTE Security: 33.401 System Architecture Evolution (SAE); Security architecture 33.401 33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP 33.402 Lawful Interception: 33.106 Lawful interception requirements 33.106 33.107 Lawful interception architecture and functions 33.107 33.108 Handover interface for Lawful Interception 33.108 Key Derivation Function: 33.220 GAA: Generic Bootstrapping Architecture (GBA) 33.220 Backhaul Security: 33.310 Network Domain Security (NDS); Authentication Framework (AF) 33.310 Relay Node Security 33.816 Feasibility study on LTE relay node security (also 33.401) 33.81633.401 Home (e) Node B Security: 33.320 Home (evolved) Node B Security 33.320 All documents available for free at: ftp://ftp.3gpp.org/specs