Communication Security Lecture 8: LTE

Presentation transcript:

Communication Security Lecture 8: LTE Dr. Shahriar Bijani Shahed University Spring 2016

Main References Iyappan Ramachandran, A Deeper Look at LTE, Agilent Technologies, 2010.

Cellular Comms Evolution
- 3GPP – collaboration for 3G based on GSM: GSM, GPRS, EDGE, WCDMA, HSPA, HSPA+, LTE, TD-SCDMA, TD-HSPA, TD-HSPA+
- 3GPP2 – collaboration for 3G based on IS-95: IS-95, CDMA2000, EV-DO

3GPP standards (release: start date)
- Release 4 (all IP): 2001
- …
- Release 7: 2007-8
- Release 8 (LTE): 2008-9
- Release 10 (LTE Advanced)
- Release 13: 2016
- Release 14: 2017

Extract from ”Towards Global Mobile Broadband” A White Paper from the UMTS Forum

Architecture
- UE – User Equipment
- eNodeB – evolved NodeB (BS)
- S-GW – Serving Gateway
- P-GW – PDN Gateway
- MME – Mobility Management Entity
- HSS – Home Subscriber Server
- PCRF – Policy Rules and Charging Control Function

Elements
- HSS – Home Subscriber Server – stores subscriber information, roaming capabilities, QoS profiles, current registration; may integrate AUC functionality
- P-GW – PDN Gateway – allocates UE IP address, QoS enforcement, filters downlink packets in different QoS bearers
- S-GW – Serving Gateway – local mobility node as UE switches between eNodeBs, buffers downlink data until paging completes, charging for visiting users
- MME – Mobility Management Entity – controls flow between UE and CN (corresponding node), handles idle mobility
- PCRF – Policy Control and Charging Rules Function – charging, policy control, QoS authorization

4G (LTE)
- LTE stands for Long Term Evolution
- Next Generation mobile broadband technology
- Promises data transfer rates of 100 Mbps
- Based on UMTS 3G technology
- Optimized for All-IP traffic

Advantages of LTE

Comparison of LTE Speed

Major LTE Radio Technologies
- Uses Orthogonal Frequency Division Multiplexing (OFDM) for downlink
- Uses Single Carrier Frequency Division Multiple Access (SC-FDMA) for uplink
- Uses Multi-input Multi-output (MIMO) for enhanced throughput
- Reduced power consumption
- Higher RF power amplifier efficiency (less battery power used by handsets)

LTE Architecture

LTE vs UMTS Functional changes compared to the current UMTS architecture

LTE performance requirements
- Data rate:
  - Instantaneous downlink peak data rate of 100 Mbit/s in a 20 MHz downlink spectrum (i.e. 5 bit/s/Hz)
  - Instantaneous uplink peak data rate of 50 Mbit/s in a 20 MHz uplink spectrum (i.e. 2.5 bit/s/Hz)
- Cell range:
  - 5 km: optimal size
  - 30 km sizes with reasonable performance
  - up to 100 km cell sizes supported with acceptable performance
- Cell capacity: up to 200 active users per cell (5 MHz) (i.e., 200 active data clients)

LTE performance requirements
- Mobility: optimized for low mobility (0-15 km/h) but supports high speed
- Latency: user plane < 5 ms, control plane < 50 ms
- Improved spectrum efficiency
- Cost-effective migration from Release 6 Universal Terrestrial Radio Access (UTRA) radio interface and architecture
- Improved broadcasting
- IP-optimized
- Scalable bandwidth of 20 MHz, 15 MHz, 10 MHz, 5 MHz and <5 MHz
- Co-existence with legacy standards (users can transparently start a call or transfer of data in an area using an LTE standard, and, when there is no coverage, continue the operation without any action on their part using GSM/GPRS or W-CDMA-based UMTS)

Key Features of LTE
- Multiple access scheme
  - Downlink: OFDMA
  - Uplink: Single Carrier FDMA (SC-FDMA)
- Adaptive modulation and coding
  - DL modulations: QPSK, 16QAM, and 64QAM
  - UL modulations: QPSK and 16QAM
  - Rel-6 Turbo code: coding rate of 1/3, two 8-state constituent encoders, and a contention-free internal interleaver
- Bandwidth scalability for efficient operation in differently sized allocated spectrum bands
- Possible support for operating as single frequency network (SFN) to support MBMS

Key Features of LTE (contd.)
- Multiple Antenna (MIMO) technology for enhanced data rate and performance
- ARQ within RLC sublayer and Hybrid ARQ within MAC sublayer
- Power control and link adaptation
- Implicit support for interference coordination
- Support for both FDD and TDD
- Channel dependent scheduling & link adaptation for enhanced performance
- Reduced radio-access-network nodes to reduce cost, protocol-related processing time & call set-up time

3GPP Evolution
- Release 99 (2000): UMTS/WCDMA
- Release 5 (2002): HSDPA
- Release 6 (2005): HSUPA, MBMS (Multimedia Broadcast/Multicast Services)
- Release 7 (2007): DL MIMO, IMS (IP Multimedia Subsystem), optimized real-time services (VoIP, gaming, push-to-talk)
- Release 8 (2009?): LTE (Long Term Evolution)
Long Term Evolution (LTE)
- 3GPP work on the Evolution of the 3G Mobile System started in November 2004.
- Currently, standardization in progress in the form of Rel-8.
- Specifications scheduled to be finalized by the end of mid 2008.
- Target deployment in 2010.

Motivation
- Need for higher data rates and greater spectral efficiency
  - Can be achieved with HSDPA/HSUPA and/or new air interface defined by 3GPP LTE
- Need for Packet Switched optimized system
  - Evolve UMTS towards packet only system
- Need for high quality of services
  - Use of licensed frequencies to guarantee quality of services
  - Always-on experience (reduce control plane latency significantly)
  - Reduce round trip delay
- Need for cheaper infrastructure
  - Simplify architecture, reduce number of network elements

LTE Network Architecture
The LTE architecture consists of E-UTRAN (Evolved UMTS Terrestrial Radio Access Network) on the access side and EPC (Evolved Packet Core) on the core side. A typical LTE/SAE network will have two types of network elements.
- The first is the new enhanced base station, so called “Evolved NodeB (eNodeB)” per 3GPP standards. This enhanced BTS provides the LTE air interface and performs radio resource management for the evolved access system.
- The second is the new Access Gateway (AGW). The AGW provides termination of the LTE bearer. It also acts as a mobility anchor point for the user plane. It implements key logical functions including MME (Mobility Management Entity) for the Control Plane and for the User Plane. These functions may be split into separate physical nodes, depending on the vendor-specific implementation.
[Source: Technical Overview of 3GPP Long Term Evolution (LTE), Hyung G. Myung, http://hgmyung.googlepages.com/3gppLTE.pdf]

SAE
- S1: provides access to Evolved RAN radio resources for the transport of user plane and control plane traffic. The S1 reference point enables MME and UPE separation and also deployments of a combined MME and UPE
- S2: mobility support between WLAN 3GPP IP access or non 3GPP IP access and Inter AS Anchor
- S3: enables user and bearer information exchange for inter 3GPP access system
- S4: mobility support between GPRS Core and Inter AS Anchor
- S5a: provides the user plane with related control and mobility support between MME/UPE and 3GPP anchor
- S6: provides transfer of subscription and authentication data for user access to the evolved system
- S7: provides transfer of (QoS) policy and charging rules from PCRF (Policy and Charging Rule Function) to Policy and Charging Enforcement Function (PCEF)
Abbreviations:
- GERAN – GSM EDGE Radio Access Network
- UTRAN – UMTS Terrestrial Radio Access Network
- SGSN – Serving GPRS Support Node
[Source: http://www.3gpp.org/Highlights/LTE/LTE.htm]

Evolved Packet Core (EPC)
- MME (Mobility Management Entity): manages and stores the UE control plane context, generates temporary Id, provides UE authentication, authorization, mobility management
- UPE (User Plane Entity): manages and stores UE context, ciphering, mobility anchor, packet routing and forwarding, initiation of paging
- 3GPP anchor: mobility anchor between 2G/3G and LTE
- SAE anchor: mobility anchor between 3GPP and non 3GPP (I-WLAN, etc)

E-UTRAN Architecture
The functions hosted by the eNB are:
- Selection of aGW at attachment
- Routing towards aGW at RRC activation
- Scheduling and transmission of paging messages
- Scheduling and transmission of BCCH information
- Dynamic allocation of resources to UEs in both uplink and downlink
- The configuration and provision of eNB measurements
- Radio Bearer Control
- Radio Admission Control
The functions hosted by the aGW are:
- Paging origination
- Ciphering of the user plane
- PDCP
- SAE Bearer Control
- Ciphering and integrity protection of NAS signaling
Non Access Stratum (NAS) is a functional layer in the UMTS protocol stack between Core Network (CN) and User Equipment (UE). The layer supports signaling and traffic between these two elements.
[Source: E-UTRAN Architecture (3GPP TR 25.813 7.1.0 (2006-09))]

User-plane Protocol Stack
RLC and MAC sublayers (terminated in eNB on the network side) perform the following functions:
- Scheduling
- ARQ
- HARQ
PDCP (Packet Data Convergence Protocol) sublayer (terminated in aGW on the network side) performs for the user plane the following functions:
- Header Compression
- Integrity Protection
- Ciphering
[Source: E-UTRAN Architecture (3GPP TR 25.813 7.1.0 (2006-09))]

Control-plane Protocol Stack
RLC and MAC sublayers (terminated in eNB on the network side) perform the same functions as for the user plane.
The various functions performed by RRC (terminated in eNB on the network side) are:
- Broadcast
- Paging
- RRC connection management
- Mobility functions
- UE measurement reporting and control
PDCP sublayer performs:
- Integrity Protection
- Ciphering
NAS (terminated in aGW on the network side) performs:
- SAE bearer management
- Authentication
- Idle mode mobility handling
- Paging origination
- Security control for the signaling between aGW and UE, and for the user plane
[Source: E-UTRAN Architecture (3GPP TR 25.813 7.1.0 (2006-09))]

LTE key features
- High Spectral Efficiency: more customers, less costs
- Co-existence with other standards
- Flexible radio planning (cell size of 5 km, 30/100 km)
- Reduced Latency: less RTT, multi-player gaming, audio/video conferencing
- Reduced costs for operators (OPEX & CAPEX)
- Increased data rates via enhanced air interface (OFDMA, SC-FDMA, MIMO)
- All-IP environment
- SAE or EPC key advantages of SAE

Standardized QoS Class Identifiers (QCI) GBR – Guaranteed Bit-Rate

User Plane Protocol Stack PDCP – Packet Data Convergence Protocol RLC – Radio Link Control GTP-U – GPRS Tunneling Protocol – User Plane

Control Plane Protocol Stack NAS – Non-Access Stratum RRC – Radio Resource Control PDCP – Packet Data Convergence Protocol RLC – Radio Link Control STCP – Stream Transport Control Protocol

Layer 2
- The service access points between the physical layer and the MAC sublayer provide the transport channels.
- The service access points between the MAC sublayer and the RLC sublayer provide the logical channels.
- Radio bearers are defined on top of PDCP layer.
- Multiplexing of several logical channels on the same transport channel is possible.
- There are two levels of re-transmissions for providing reliability, namely, the Hybrid Automatic Repeat request (HARQ) at the MAC layer and outer ARQ at the RLC layer. The outer ARQ is required to handle residual errors that are not corrected by HARQ.
- An N-process stop-and-wait HARQ is employed that has asynchronous re-transmissions in the DL and synchronous re-transmissions in the UL.
- Synchronous HARQ means that the re-transmissions of HARQ blocks occur at pre-defined periodic intervals. Hence, no explicit signaling is required to indicate to the receiver the retransmission schedule.
- Asynchronous HARQ offers the flexibility of scheduling re-transmissions based on air interface conditions.
- ARQ retransmissions are based on RLC status reports and HARQ/ARQ interaction.
The three sublayers are:
- Medium Access Control (MAC)
- Radio Link Control (RLC)
- Packet Data Convergence Protocol (PDCP)
[Source: E-UTRAN Architecture (3GPP TR 25.012)]

Layer 2
- MAC (media access control) protocol
  - Handles uplink and downlink scheduling and HARQ signaling.
  - Performs mapping between logical and transport channels.
- RLC (radio link control) protocol
  - Focuses on lossless transmission of data.
  - In-sequence delivery of data.
  - Provides 3 different reliability modes for data transport:
    - Acknowledged Mode (AM): appropriate for non-RT (NRT) services such as file downloads.
    - Unacknowledged Mode (UM): suitable for transport of Real Time (RT) services because such services are delay sensitive and cannot wait for retransmissions.
    - Transparent Mode (TM): used when the PDU sizes are known a priori such as for broadcasting system information.

Layer 2
- PDCP (packet data convergence protocol) handles the header compression and security functions of the radio interface.
- RRC (radio resource control) protocol handles radio bearer setup, active mode mobility management and broadcasts of system information, while the NAS protocols deal with idle mode mobility management and service setup.

Three Types of Channels in LTE
In GSM: only logical and physical.
In LTE:
- Logical Channels – what type of information is transported
  - Control x 5
  - Traffic x 2
- Transport Channels – how is the information transported
  - Modulation, coding, antenna port
- Physical Channels – where is the information transported
  - What resource blocks are allocated

LTE Downlink Channels Paging Control Channel Paging Channel Physical Downlink Shared Channel

LTE Uplink Channels CQI report Random Access Channel Physical Uplink Shared Channel Physical Radio Access Channel

LTE Downlink Logical Channels

LTE Downlink Transport Channel

LTE Downlink Transport Channel

LTE Downlink Physical Channels

LTE Downlink Physical Channels

LTE Uplink Logical Channels

LTE Uplink Transport Channel

LTE Uplink Physical Channels

LTE Advanced Features 100MHz Bandwidth supported 1Gbps DL, 500 Mbps UL Carrier Aggregation Relays

Carrier Aggregation

Carrier Aggregation

Enhanced Techniques to Extend Coverage Area and/or Data Rates

LTE vs. LTE-Advanced

Fataneh Safavieh, Long Term Evolution and its security infrastructure, Bonn University, 2011.

Security in the LTE-SAE Network Security features in the network (from TS 33.401- Fig.4-1)

Security features in the LTE
Five security feature groups defined in TS 33.401:
- (I) Network access security
  - provides users with secure access to services
  - protects against attacks on the access interface
- (II) Network domain security
  - enables nodes to exchange signaling and user data securely
  - protects against attacks on the wire line network
- (III) User domain security
  - provides secure access to mobile stations
- (IV) Application domain security
  - enables applications in the user & provider domains to exchange messages securely
- (V) Visibility and configurability of security
  - allows the users to learn whether a security feature is in operation

Authentication & key agreement
- HSS generates authentication data and provides it to MME
- Challenge-response authentication and key agreement procedure between MME and UE
[Source: 4th ETSI Security Workshop - Sophia-Antipolis, 13-14 January 2009]
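
The exchange on the slide above (HSS issues authentication data to the MME, which then runs challenge-response with the UE), as an added Python example that is not part of the lecture. Assumptions: HMAC-SHA-256 stands in for the operator's AKA functions, AUTN is simplified to SQN plus MAC, the session key is derived directly from K, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the operator's AKA functions.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class HSS:
    """Home network: holds the permanent key K shared with the USIM."""
    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def auth_vector(self) -> dict:
        self.sqn += 1                          # fresh sequence number per vector
        sqn, rand = self.sqn.to_bytes(6, "big"), os.urandom(16)
        return {"rand": rand,
                "autn": sqn + f(self.k, b"mac", sqn, rand)[:8],  # simplified AUTN
                "xres": f(self.k, b"res", rand)[:8],
                "kasme": f(self.k, b"kasme", sqn, rand)}

class UE:
    """Handset/USIM: authenticates the network before answering."""
    def __init__(self, k: bytes):
        self.k, self.last_sqn, self.kasme = k, 0, None

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f(self.k, b"mac", sqn, rand)[:8]):
            raise ValueError("AUTN MAC invalid: challenge not from home network")
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            raise ValueError("SQN not fresh: replayed challenge")
        self.last_sqn = int.from_bytes(sqn, "big")
        self.kasme = f(self.k, b"kasme", sqn, rand)
        return f(self.k, b"res", rand)[:8]

class MME:
    """Serving network: never sees K, only the vector from the HSS."""
    def __init__(self, hss: HSS):
        self.hss, self.av, self.kasme = hss, None, None

    def challenge(self) -> tuple:
        self.av = self.hss.auth_vector()
        return self.av["rand"], self.av["autn"]

    def verify(self, res: bytes) -> bool:
        ok = hmac.compare_digest(res, self.av["xres"])
        self.kasme = self.av["kasme"] if ok else None
        return ok

def run_aka(mme: MME, ue: UE) -> bool:
    """One full exchange; True when both sides end with the same session key."""
    rand, autn = mme.challenge()
    return mme.verify(ue.respond(rand, autn)) and mme.kasme == ue.kasme

if __name__ == "__main__":
    k = bytes(range(16))                       # constructed sample key
    print(run_aka(MME(HSS(k)), UE(k)))
```

The UE rejects a challenge whose MAC does not verify or whose sequence number is not fresh, which is what makes the authentication mutual and resistant to replay.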