3GPP SA3 status. Valtteri Niemi, SA3 Chairman, Nokia Research Center, Lausanne, Switzerland. ITU-T security workshop, Geneva, Switzerland, 9-10 February 2009.

Slide 1: 3GPP SA3 status (title slide)

Slide 2: Outline
–Some history and background
–SAE/LTE security: some highlights
–Home (e)NodeB security
–Other work items

Slide 3: Some history and background

Slide 4: Some history (1/2)
For 3GPP Release 99 (frozen 2000), WG SA3 created 19 new specifications, e.g.:
–TS G security; Security architecture
–5 specifications (out of these 19) originated by ETSI SAGE, e.g. TS KASUMI specification
For Release 4 (frozen 2001), SA3 was kept busy with GERAN security while ETSI SAGE originated again 5 new specifications, e.g.:
–TS for MILENAGE algorithm set
Release 5 (frozen 2002): SA3 added 3 new specifications, e.g.:
–TS IMS security
–TS Network domain security: IP layer

Slide 5: Some history (2/2)
Release 6 (frozen 2005): SA3 added 17 new specifications, e.g.:
–TS Security of MBMS
–TS Generic Authentication Architecture
Release 7 (frozen 2007): SA3 added 13 new specifications
–ETSI SAGE created 5 specifications for UEA2 & UIA2 (incl. SNOW 3G spec) (TS , TR )
Release 8 (frozen 2008): SA3 has added 5 new specifications, e.g.:
–TS SAE: Security architecture
–TS SAE: Security with non-3GPP accesses
–(1-2 more TRs may still be included in Rel-8)

Slide 6: SAE/LTE security (Rel-8): some highlights

Slide 7: SAE/LTE: What and why?
SAE = System Architecture Evolution
LTE = Long Term Evolution (of radio networks)
LTE offers higher data rates, up to 100 Mb/sec
SAE offers an optimized (flat) IP-based architecture
Technical terms:
–E-UTRAN = Evolved UTRAN (LTE radio network)
–EPC = Evolved Packet Core (SAE core network)
–EPS = Evolved Packet System (= RAN + EPC)

Slide 8: Implications on security
Flat architecture:
–All radio access protocols terminate in one node: eNB
–IP protocols also visible in eNB
Security implications due to:
–Architectural design decisions
–Interworking with legacy and non-3GPP networks
–Allowing eNB placement in untrusted locations
–New business environments with less trusted networks involved
–Trying to keep security breaches as local as possible
As a result (when compared to UTRAN/GERAN):
–Extended Authentication and Key Agreement
–More complex key hierarchy
–More complex interworking security
–Additional security for eNB (compared to NB/BTS/RNC)

Slide 9: Home (e)NodeB security

Slide 10: Home (e)NB architecture
Figure from draft TR. One of the key concepts: Closed Subscriber Group.
[Figure: UE, HeNB and SGW, with an insecure link towards the operator's core network; OAM]

Slide 11: Threats
Compromise of HeNB credentials
–e.g. cloning of credentials
Physical attacks on HeNB
–e.g. physical tampering
Configuration attacks on HeNB
–e.g. fraudulent software updates
Protocol attacks on HeNB
–e.g. man-in-the-middle attacks
Attacks against the core network
–e.g. denial of service
Attacks against user data and identity privacy
–e.g. by eavesdropping
Attacks against radio resources and management

Slide 12: Other features in past releases of 3GPP

Slide 13: IMS (SIP) security (Rel-5)
[Figure: IMS home, IMS visited and PS domain; R99 access security; authentication & key agreement; security mechanism agreement; integrity protection; network domain security]

Slide 14: Release 6 highlights

Slide 15: WLAN interworking in 3GPP
WLAN access zone can be connected to the cellular core network
–Shared subscriber database & charging & authentication (WLAN Direct IP Access)
–Shared services (WLAN 3GPP IP Access)
Service continuity is the next step

Slide 16: MBMS Security Architecture (node layout)
[Figure: Mobile Operator Network containing BM-SC, BSF and BGW; Content Server in the operator network and on the Internet]
BGW: Bearer Gateway (first hop IP router)
BM-SC: Broadcast/Multicast Service Center
BSF: Bootstrapping Server Function
BM-SC can reside in home or visited network

Slide 17: Generic Authentication Architecture (GAA)
GAA consists of three parts (Rel-6):
–TS Generic Bootstrapping Architecture (GBA) offers a generic authentication capability for various applications based on a shared secret. Subscriber authentication in GBA is based on HTTP Digest AKA [RFC 3310].
–TS Support of subscriber certificates: the PKI Portal issues subscriber certificates for UEs and delivers operator CA certificates. The issuing procedure is secured by using shared keys from GBA.
–TS Access to Network Application Function using HTTPS is also based on GBA.
Figure from 3GPP TR
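The slide says GBA authenticates the subscriber with HTTP Digest AKA [RFC 3310] but does not show what that exchange looks like. The following is an added example, not code from the presentation or from 3GPP: it models one bootstrapping round between a UE and a BSF. The nonce is base64(RAND || AUTN || server data) as RFC 3310 specifies, the UE authenticates the network through the MAC in AUTN, and the binary AKA result RES is used as the Digest password (algorithm AKAv1-MD5). The f1/f2/f5 functions are HMAC-based stand-ins for the USIM's MILENAGE functions, the username, realm and URI are constructed, and SQN freshness checking and the AUTS resynchronisation path are left out; all of these are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os

# --- Constructed stand-ins for the USIM/HSS AKA functions --------------------
# Real AKA runs the MILENAGE set (f1..f5) on the shared key K. These HMAC-based
# toys keep the same interfaces (RAND in; MAC, RES, AK out) so the Digest AKA
# flow can be exercised offline. They are not MILENAGE.
def f1_mac(k, sqn, amf, rand):
    return hmac.new(k, b"f1" + sqn + amf + rand, hashlib.sha256).digest()[:8]

def f2_res(k, rand):
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]

def f5_ak(k, rand):
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- Network side (BSF using an HSS-supplied authentication vector) ----------
def network_challenge(k, sqn, amf, rand=None, server_data=b""):
    """Build the Digest AKA nonce base64(RAND || AUTN || server data) (RFC 3310
    section 3.2). Returns the nonce and XRES, which the network keeps to check
    the client's response."""
    rand = rand or os.urandom(16)
    autn = xor(sqn, f5_ak(k, rand)) + amf + f1_mac(k, sqn, amf, rand)
    nonce = base64.b64encode(rand + autn + server_data).decode()
    return nonce, f2_res(k, rand)

# --- UE side -----------------------------------------------------------------
def usim_response(k, nonce):
    """Unpack the nonce, authenticate the network via the MAC in AUTN and return
    RES. A failed check raises; a real UE would answer with an empty password
    (RFC 3310 section 3.4). SQN freshness checking is omitted here."""
    raw = base64.b64decode(nonce)
    rand, autn = raw[:16], raw[16:32]
    sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn = xor(sqn_xor_ak, f5_ak(k, rand))
    if not hmac.compare_digest(f1_mac(k, sqn, amf, rand), mac):
        raise ValueError("AUTN MAC mismatch: network not authenticated")
    return f2_res(k, rand)

# --- HTTP Digest with algorithm AKAv1-MD5 -------------------------------------
def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for qop=auth. With AKAv1-MD5 the password is the
    binary RES rather than a user-typed string (RFC 3310 section 3.3)."""
    def md5hex(data):
        return hashlib.md5(data).hexdigest().encode()
    ha1 = md5hex(username.encode() + b":" + realm.encode() + b":" + password)
    ha2 = md5hex(method.encode() + b":" + uri.encode())
    parts = [ha1, nonce.encode(), nc.encode(), cnonce.encode(), qop.encode(), ha2]
    return hashlib.md5(b":".join(parts)).hexdigest()

def bootstrap(k_ue, k_net, tamper_res=False, rand=None):
    """Run one bootstrapping round and report which side rejected, if any.
    k_ue / k_net are the key held by the USIM and by the HSS respectively;
    tamper_res simulates a client that replies with a wrong RES."""
    username, realm, uri = "user@example.invalid", "bsf.example.invalid", "/"  # constructed
    sqn, amf = bytes.fromhex("000000000001"), bytes.fromhex("8000")
    nonce, xres = network_challenge(k_net, sqn, amf, rand)
    try:
        res = usim_response(k_ue, nonce)
    except ValueError:
        return "ue-rejected-network"
    if tamper_res:
        res = xor(res, b"\x01" * len(res))
    nc, cnonce = "00000001", "0a4f113b"
    client = digest_response(username, realm, res, "GET", uri, nonce, nc, cnonce)
    expected = digest_response(username, realm, xres, "GET", uri, nonce, nc, cnonce)
    return "ok" if hmac.compare_digest(client, expected) else "network-rejected-ue"

if __name__ == "__main__":
    k = bytes(range(16))
    print(bootstrap(k, k))                        # shared key: ok
    print(bootstrap(k, bytes(range(16, 32))))     # wrong network key: UE rejects AUTN
    print(bootstrap(k, k, tamper_res=True))       # wrong RES: BSF rejects the UE
```

The point the slide makes is that GBA needs no new credential: the USIM's AKA secret does the work, and the Digest layer only carries RES. The example also shows why a Digest AKA server must check the response against XRES from the authentication vector rather than against a stored password, and that the UE gets mutual authentication from AUTN before it ever discloses RES.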

Slide 18: Release 7 & 8 highlights

Slide 19: Release 7 & 8: security enhancements
Key establishment for secure UICC-terminal channel (TS )
–Applies, e.g., for the secure UICC-terminal channel specified by ETSI SCP
–Built on top of GBA
Key establishment between UICC hosting device and a remote device (TS )
Liberty-3GPP security interworking
GBA push (TS , Rel-8)
–Applies to several OMA-specified features (e.g. BCAST)
Network domain security: Authentication Framework (TS ) enhanced for TLS support
Withdrawal of A5/2 algorithm

Slide 20: Work in progress: Rel-9

Slide 21: Rel-9 work items
SAE/LTE: emergency call security
Media security
–End-to-end and end-to-middle protection of media independently of access technology
Protection against unsolicited communications in IMS
Remote management of USIM/ISIM for machine-to-machine communications
Security of Earthquake and Tsunami Warning System

Slide 22: For more information:
