Presentation is loading. Please wait.

Presentation is loading. Please wait.

Valtteri Niemi, SA3 Chairman

Similar presentations

Presentation on theme: "Valtteri Niemi, SA3 Chairman"— Presentation transcript:

1 Valtteri Niemi, SA3 Chairman
ITU-T security workshop Geneva, Switzerland, 9-10 February 2009 3GPP SA3 status Valtteri Niemi, SA3 Chairman Nokia Research Center Lausanne, Switzerland 1

2 Outline Some history and background SAE/LTE security: some highlights
Home (e)NodeB security Other work items

3 Some history and background

4 Some history (1/2) For 3GPP Release 99 (frozen 2000), WG SA3 created 19 new specifications, e.g. TS “3G security; Security architecture” 5 specifications (out of these 19) originated by ETSI SAGE, e.g. TS “KASUMI specification” For Release 4 (frozen 2001), SA3 was kept busy with GERAN security while ETSI SAGE originated again 5 new specifications, e.g. TS for MILENAGE algorithm set Release 5 (frozen 2002): SA3 added 3 new specifications, e.g.: TS “IMS security” TS “Network domain security: IP layer”

5 Some history (2/2) Release 6 (frozen 2005): SA3 added 17 new specifications, e.g.: TS “Security of MBMS” TS “Generic Authentication Architecture” Release 7 (frozen 2007): SA3 added 13 new specifications ETSI SAGE created 5 specifications for UEA2 & UIA2 (incl. SNOW 3G spec) (TS , TR ) Release 8 (frozen 2008): SA3 has added 5 new specifications, e.g.: TS “SAE: Security architecture” TS “SAE: Security with non-3GPP accesses” (1-2 more TR’s maybe still be included in Rel-8)

6 SAE/LTE security (Rel-8): some highlights

7 SAE/LTE: What and why? SAE = System Architecture Evolution
LTE = Long Term Evolution (of radio networks) LTE offers higher data rates, up to 100 Mb/sec SAE offers optimized (flat) IP-based architecture Technical terms: E-UTRAN = Evolved UTRAN (LTE radio network) EPC = Evolved Packet Core (SAE core network) EPS = Evolved Packet System ( = RAN + EPC )

8 Implications on security
Flat architecture: All radio access protocols terminate in one node: eNB IP protocols also visible in eNB Security implications due to Architectural design decisions Interworking with legacy and non-3GPP networks Allowing eNB placement in untrusted locations New business environments with less trusted networks involved Trying to keep security breaches as local as possible As a result (when compared to UTRAN/GERAN): Extended Authentication and Key Agreement More complex key hierarchy More complex interworking security Additional security for eNB (compared to NB/BTS/RNC)

9 Home (e) Node B security

10 Home (e)NB architecture
UE HeNB SGW insecure link Operator’s core network OAM Figure from draft TR One of the key concepts: Closed Subscriber Group

11 Threats Compromise of HeNB credentials e.g. cloning of credentials
Physical attacks on HeNB e.g. physical tampering Configuration attacks on HeNB e.g. fraudulent software updates Protocol attacks on HeNB e.g. man-in-the-middle attacks Attacks against the core network e.g. Denial of service Attacks against user data and identity privacy e.g. by eavesdropping Attacks against radio resources and management

12 Other features in past releases of 3GPP

13 IMS (SIP) security (Rel-5)
IMS home authentication & key agreement network domain security security mechanism agreement IMS visited integrity protection PS domain R99 access security

14 Release 6 highlights

15 WLAN interworking in 3GPP
WLAN access zone can be connected to cellular core network Shared subscriber database & charging & authentication (WLAN Direct IP access) Shared services (WLAN 3GPP IP Access) Service continuity is the next step

16 MBMS Security Architecture (node layout)
Content Server Mobile Operator Network BM-SC Content Server BSF Internet BGW BM-SC can reside in home or visited network BGW: Bearer Gateway (first hop IP-router) BM-SC: Broadcast/Multicast Service Center BSF: Bootstrapping Server Function

17 Generic Authentication Architecture (GAA)
GAA consists of three parts (Rel-6): TS Generic Bootstrapping Architecture (GBA) offers generic authentication capability for various applications based on shared secret. Subscriber authentication in GBA is based on HTTP Digest AKA [RFC 3310]. TS Support of subscriber certificates: PKI Portal issues subscriber certificates for UEs and delivers an operator CA certificates. The issuing procedure is secured by using shared keys from GBA. TS Access to Network Application Function using HTTPS is also based on GBA. Figure from 3GPP TR

18 Release 7 & 8 highlights

19 Release 7 & 8: security enhancements
Key establishment for secure UICC-terminal channel (TS ) Applies, e.g. for secure UICC-terminal channel specified by ETSI SCP Built on top of GBA Key establishment between UICC hosting device and a remote device (TS ) Liberty-3GPP security interworking GBA push (TS , Rel-8) Applies to several OMA specified features (e.g. BCAST) Network domain security: Authentication Framework (TS ) enhanced for TLS support Withdrawal of A5/2 algorithm

20 Work in progress: Rel-9

21 Rel-9 work items SAE/LTE: emergence call security Media security
End-to-end and end-to-middle protection of media independently of access technology Protection against unsolicited communications in IMS Remote management of USIM/ISIM for machine-to-machine communications Security of Earthquake and Tsunami Warning System

22 For more information:

Download ppt "Valtteri Niemi, SA3 Chairman"

Similar presentations

Ads by Google