Present and future Standards for mobile internet and smart phone information security
47
Present and future Standards for mobile internet and smart phone information security Presented by Alain Sultan for MIIT and TMC visit to ETSI - September 2012 © ETSI 2012. All rights reserved
-
Upload
zahid-ghadialy -
Category
Technology
-
view
15.516 -
download
3
Transcript of Present and future Standards for mobile internet and smart phone information security
Present and future Standards for mobile internet and smart phone information security
Presented by Alain Sultan for MIIT and TMC visit to ETSI - September 2012
© ETSI 2012. All rights reserved
Mobile Internet and Smart Phone
Mobile Internet security: not addressed by 3GPP• Mobile IP refers to extensions of IP as to be able to address mobility • But the system defined by 3GPP is mobile by nature, so there is no need
for these extensions
Smart Phone security: not addressed by 3GPP• 3GPP defines Interfaces• The internal design of whatever system component (Mobile, Node B,
MSC, etc.) is up to each manufacturer
But Security is a major topic of 3GPP specifications, from the first phase of GSM (2G) until the latest phase of LTE (4G)• This is what this set of slides addresses
Standards for 2G/3G security
2G/3G Security Overview
Authentication
Encryption
2G/3G Authentication & Key Agreement (AKA)
Non-encrypted -> data
-> Non-encrypted data
Authentication
Encryption
A5 algorithms
Contained in mobile devices and base stations Confidentiality between handset and base station• Protect voice and data traffic over radio path
Versions of A5 available• A5/0: NULL• A5/1: original strong algorithm from 1986
=> broken in 2009!• A5/2: weakened algorithm to be used outside US/Europe• A5/3: KASUMI-based new algorithm
=> mandatory from 2007 (but taking long to be deployed…)
• A5/4: A5/3 with longer key (128-bit)
Standards for LTE security
LTE Security
Characteristics of LTE Security• Re-use of UMTS Authentication and Key Agreement (AKA)• Use of USIM required (GSM SIM excluded, but Rel-99 USIM is
sufficient)• Extended key hierarchy• Possibility for longer keys• Greater protection for backhaul• Integrated interworking security for legacy and non-3GPP networks
Authentication and key agreement (AKA)
HSS generates authentication data and provides it to MME Challenge-response authentication and key agreement procedure between MME and UE• SIM access to LTE is explicitly excluded (USIM R99 onwards allowed)
S12
S3 S1-MME S6a
HSS
S10
UE
SGSN
LTE-Uu
E-UTRAN
MME
S11
S5 Serving Gateway
S1-U
S4
UTRAN
GERAN
Confidentiality and integrity of signaling
RRC signaling between UE and E-UTRAN• Encryption on PDCP layer
NAS signaling between UE and MME
S12
S3 S1-MME S6a
HSS
S10
UE
SGSN
LTE-Uu
E-UTRAN
MME
S11
S5 Serving Gateway
S1-U
S4
UTRAN
GERAN
User plane confidentiality
S1 protection is not UE-specific• (Enhanced) network domain security mechanisms
• based on IPSec
• Optional• Integrity protection not available
S12
S3 S1-MME S6a
HSS
S10
UE
SGSN
LTE-Uu
E-UTRAN
MME
S11
S5 Serving Gateway
S1-U
S4
UTRAN
GERAN
LTE Authentication and Key Agreement
UE eNB MME AuCNAS attach request (IMSI)
AUTH data request (IMSI, SN_id)
AUTH data response (AV={AUTN, XRES, RAND, Kasme})
NAS auth request (AUTN, RAND, KSIasme)
NAS auth response (RES)
NAS SMC (confidentiality and integrity algo)
NAS Security Mode Complete
RRC SMC (confidentiality and integrity algo)
RRC Security Mode Complete
S1AP Initial Context Setup
Indication of access network encryption
Indication of access network encryption• user is informed whether confidentiality of user data is protected
on the radio access link• in particular when non-ciphered calls are set-up
Security Algorithms
LTE Security Algorithms (1/2)
Three separate algorithms specified• In addition to one NULL algorithm
Current keylength 128 bits• Possibility to extend to 256 in the future
Confidentiality protection of NAS/AS signalling recommended Integrity protection of NAS/AS signalling mandatory User data confidentiality protection recommended Ciphering/Deciphering applied on PDCP and NAS
LTE Security Algorithms (2/2)
128-EEA1/EIA1• Based on SNOW 3G: stream cipher; keystream produced by Linear Feedback Shift
Register (LFSR) and a Finite State Machine (FSM)• Different from KASUMI as possible• Allows for low power consumption
128-EEA2/EIA2 • AES block cipher
• Counter (CTM) Mode for ciphering• CMAC Mode for MAC-I creation (integrity)
• Different from SNOW 3G as possible, so cracking one would not affect the other• KASUMI not re-used: eNB already supports AES as well as other non-3GPP accesses,
e.g. 802.11i
128-EEA3/EIA3 (Rel-11 onwards)• Based on ZUC (Zu Chongzhi): stream cipher• Developed by Data Assurance and Communication Security Research Center of
Chinese Academy of Sciences (DACAS)
Lawful Interception
Lawful Interception in 3GPP
HandoverRetrieval
Cost Political
LegalBusiness
Relations
process
Storage
Interception
Analysis
Lawful Interception in EPS
Context and mechanisms similar to case of UMTS PS• Different core entities (ICE, Intercepting Control Elements)• ADMF handles requests from Law Enforcement Authorities
• target identity: IMSI, MSISDN and IMEI
• X1 interface provisions ICEs and Delivery Functions• X2 delivers IRI (Intercept Related Information)• X3 delivers CC (Content of Communication)• HI1,2,3: Handover Interfaces with law enforcement
• Convey requests for interception of targets (HI1)• Deliver IRI (HI2) and CC (HI3) to LEAs
SGi
S12
S3 S1-MME
PCRF
Gx
S6a
HSS
Operator's IP Services
(e.g. IMS, PSS etc.)
Rx S10
UE
SGSN
LTE-Uu
E-UTRAN
MME
S11
Serving Gateway
PDN Gateway
S1-U
S4
UTRAN
GERAN
EPS LI Architecture
LEMF
MediationFunction
DeliveryFunction 2
MediationFunction
DeliveryFunction 3
MediationFunction
ADMF
X1_1
X1_2
X1_3X2 X3
HI1 HI2 HI3
X2
Additional slides for more info
More on LTE security• Backhaul Security• Relay Node Security
IMS authenticationHome (e) Node B securityStatus of work at 3GPP on Security issuesMain 3GPP Security Standards
Conclusions
Security is a major point of interest from GSM (2G) up to LTE (4G)GSM/UMTS Security: continues to evolve, recent introduction of A5/3 (planned before attack on old A5/1 succeeded) LTE Security: building on GSM and UMTS Security with newer security algorithms, longer keys, Extended key hierarchy Security aspects taken into consideration each time the system evolves (IMS, HNB, MTC, …)
Deeper Key hierarchy in LTE
Faster handovers and key changes, independent of AKAAdded complexity in handling of security contextsSecurity breaches local
USIM / AuC
UE / MME
UE / ASME
K
KUPenc
KNASint
UE / HSS
UE / eNB
KNASenc
CK, IK
KRRCint KRRCenc
KASME
KeNB
KUPint
Backhaul Security
Backhaul Security
Base stations becoming more powerful• LTE eNode B includes functions of NodeB and RNC
Coverage needs grow constantlyInfrastructure sharing
Not always possible to trust physical security of eNBGreater backhaul link protection necessary
Certificate Enrollment for Base Stations
RA/CA
base stationbase station obtains operator-signed certificate on its own public key from RA/CA using CMPv2.
CMPv2
Vendor-signed certificate of base station public key pre-installed.
Vendor root certificate pre-installed.
SEG
Operator root certificate pre-installed.
Enrolled base station certificate is used in IKE/IPsec.IPsec
Picture from 3GPP TS 33.310
Relay Node Security
Relay Node Authentication
Mutual authentication between Relay Node and network• AKA used (RN attach)• credentials stored on UICC
Binding of Relay Node and USIM:• Based on symmetric pre-shared keys, or• Based on certificates
RelayDonoreNBUE
Core
NW
Radio Radio Backhaul
Relay Node Security
Control plane traffic integrity protectedUser plane traffic optionally integrity protectedRelay Node and network connection confidentiality protectedDevice integrity checkSecure environment for storing and processing sensitive data
IP Multimedia Subsystem (IMS) Security
HSSHSSHSSHSSDNSDNSENUMENUMDNSDNS
ENUMENUM
I-I-CSCFCSCF
I-I-CSCFCSCF
S-S-CSCFCSCF
S-S-CSCFCSCF
Own/VisitedNetwork
Home NetworkASASASASASASASASASASASAS
Home Subscriber Server• Centralized DB• HLR successor• User profile• Filter criteria (sent to S-CSCF)
• Which applications• Which conditions
Home Subscriber Server• Centralized DB• HLR successor• User profile• Filter criteria (sent to S-CSCF)
• Which applications• Which conditions
Application Servers• Push-to-talk• Instant messaging• Telephony AS• 3rd party
Application Servers• Push-to-talk• Instant messaging• Telephony AS• 3rd party
P-P-CSCFCSCF
P-P-CSCFCSCF
BackboneBackbonePacketPacket
NetworkNetwork
BackboneBackbonePacketPacket
NetworkNetwork
AccessAccessAccessAccess
MGCFMGCFMGCFMGCF
MGWMGWMGWMGWPSTNPSTNPSTNPSTN
BGCFBGCFBGCFBGCF
SS7SS7SS7SS7
Call SessionControl Function• SIP registration • SIP session setup
Call SessionControl Function• SIP registration • SIP session setup
MRFMRFPP
MRFMRFPP
MRFMRFPP
MRFMRFPP
MRFCMRFCMRFCMRFC
Media Gatewayand MG Control FunctionInterfaces to PSTN/PLMN MGCF:• SIP ISUP/BICC • controls the MGW (H.248)MGW:• IP transport e.g. TDM• transcoding e.g. AMR G.711•Tones/Announcements
Media Gatewayand MG Control FunctionInterfaces to PSTN/PLMN MGCF:• SIP ISUP/BICC • controls the MGW (H.248)MGW:• IP transport e.g. TDM• transcoding e.g. AMR G.711•Tones/Announcements
Breakout Gateway Control Function• Selects network (MGCF or other BGCF) in which PSTN/ PLMN breakout is to occur
Breakout Gateway Control Function• Selects network (MGCF or other BGCF) in which PSTN/ PLMN breakout is to occur
Media Resource Function Controller• Pooling of Media servers
Media Resource Function Controller• Pooling of Media servers
Proxy CSCF• 1st contact point for UE• QoS• Routes to I-CSCF- Charging Records- Lawful Interception- SIP Header Comp
Proxy CSCF• 1st contact point for UE• QoS• Routes to I-CSCF- Charging Records- Lawful Interception- SIP Header Comp
Interrogating CSCF• Entry point for incoming calls• Determines S-CSCF for Subscribers• Hides network topology
Interrogating CSCF• Entry point for incoming calls• Determines S-CSCF for Subscribers• Hides network topology
Serving CSCF• Register• Session control• Application Interface- IMS User Authentication- Loads IMS User Profiles- Service (AS) Control- Address Translation- Charging Records
Serving CSCF• Register• Session control• Application Interface- IMS User Authentication- Loads IMS User Profiles- Service (AS) Control- Address Translation- Charging Records
Domain Name Server
Domain Name Server
IP CAN
More detailed view of IMS (2/2)
SIP
H.248
ISUP
SIP
SIP
SIP SIP
SIP
SIP
SIP
SIPSIPSIP
Diameter
RTP TDM
RTP
RTP
Flow for IMS RegistrationUE GGSN HSSS-CSCFP-CSCF I-CSCF AS
1. Register (no Integrity Key (IK), no Confidentiality Key (CK), no RES)
2. Register (“integrity-protected”=no, no RES)
(find appropriate S-CSCF)
3. Register (“integrity-protected”=no, no RES)
4. Retrieval of Authentication Vector(s) for that PrivateID
5. RAND, AUTN, IK(HSS), CK (HSS), RES(HSS)6. 401 non authorized (RAND, AUTN, IK(HSS), CK (HSS))
7. 401 non authorized (RAND, AUTN)
8. Register (IK(UE), CK (UE), RES(UE))
UE computes IK(UE), CK(UE) from AUTN and RES(UE) from RAND
P-CSCF compares IK(UE) and CK(UE) with IK(HSS) and CK(HSS). If identical, then “integrity-protected”=yes
9. Register (“integrity-protected”=yes, RES(UE))
I-CSCF compares RES(UE) with RES(HSS). If not identical, then registration failure
10. Update HSS
11. Update S-CSCF (User Profile: subscribed services, user pref., etc)
12. 200 OK13. 200 OK
Home (e) Node B security
(out of scope for security)Datamodel cooperation with BBF
ref. S5-091892, S5-092661
Broadband Forum
RAN3
tim
e
DatamodelBased on RAN3, FF input+SA5 input (late in the process)
FF
Flat list of radio parameters SA51. Influenced the data modelBased on SA5 requirements2. Derived info model (semantics)
Produced stage 1,2,3
Threats
Examplescloning of credentialsphysical tamperingfraudulent software updatesman-in-the-middle attacksDenial of service against core networkEavesdropping (identity theft, privacy breaches, …)
countermeasures in Technical
Report 33.820
3GPP TR 33.820 V8.2.0 (2009-09) Technical Report
3rd Generation Partnership Project; Technical Specification Group Service and System Aspects;
Security of H(e)NB; (Release 8)
The present document has been developed within the 3rd Generation Partnership Project (3GPP TM) and may be further elaborated for the purposes of 3GPP. The present document has not been subject to any approval process by the 3GPP Organizational Partners and shall not be implemented. This Specification is provided for future development work within 3GPP only. The Organizational Partners accept no liability for any use of this Specification. Specifications and reports for implementation of the 3GPP TM system should be obtained via the 3GPP Organizational Partners' Publications Offices.
3GPP TR 33.820 V8.2.0 (2009-09) Technical Report
3rd Generation Partnership Project; Technical Specification Group Service and System Aspects;
Security of H(e)NB; (Release 8)
The present document has been developed within the 3rd Generation Partnership Project (3GPP TM) and may be further elaborated for the purposes of 3GPP. The present document has not been subject to any approval process by the 3GPP Organizational Partners and shall not be implemented. This Specification is provided for future development work within 3GPP only. The Organizational Partners accept no liability for any use of this Specification. Specifications and reports for implementation of the 3GPP TM system should be obtained via the 3GPP Organizational Partners' Publications Offices.
Home (e)NB Security architecture (1/2)
Security Gateway (SeGW)• element at the edge of the core network terminating security association(s) for backhaul
link between H(e)NB and core networkH(e)MS – Home (e) NodeB Management System• management server that configures the H(e)NB according to the operator’s policy, instals
software updates on the H(e)NBHosting Party Module (HPM)• physical entity distinct from the H(e)NB physical equipment, dedicated to the
identification and authentication of the Hosting Party towards the MNOTrusted Environment (TrE)• logical entity which provides a trustworthy environment for the execution of sensitive
functions and the storage of sensitive data
UE H(e)NB SeGWunsecure link
Operator’s core network
H(e)NB GW
H(e)MSH(e)MS
AAA Server/HSS
Home (e)NB Security architecture (2/2)
Air interface between UE and H(e)NB backwards compatible with UTRANH(e)NB access operator’s core network via a Security Gateway (SeGW)• Backhaul between H(e)NB and SeGW may be unsecure
Security tunnel established between H(e)NB and SeGW• to protect information transmitted in backhaul link
UE H(e)NB SeGWunsecure link
Operator’s core network
H(e)NB GW
H(e)MSH(e)MS
AAA Server/HSS
H(e)NB Authentication
Two separate concepts of authentication:Mutual authentication of H(e)NB and operator (SeGW) (mandatory)• Certificate based• Credentials stored in TrE in H(e)NB
Authentication of hosting party by operator’s network (optional)• EAP-AKA based• credentials contained in separate Hosting Party Module (HPM) in H(e)NB• bundled with the device authentication (one step)
Backhaul link protection• IPSec, IKEv2, based on H(e)NB/SeGW authentication
Other security mechanisms for H(e)NB
Device Integrity Check• AV, SAV, Hybrid, …
Location Locking• IP address based• Macro-cell/UE reporting based• (A)GPS based• Combination of the above
Access Control Mechanism• ACL for Pre-R8 UE accessing HNB• CSG for H(e)NB
Clock Synchronization• Based on backhaul link between H(e)NB and SeGW• Based on security protocol of clock synchronization protocol
H(e)NB security in the real world…
location locking does NOT seem to work• in current commercial trials• HNBs operating from different countries
• No roaming charges
algorithm licensing is an issue• customers do not sign any agreement for use of COTS HNBs
Lawful Interception• currently would not work in LIPA• would not work between CSG MSs camping on the same HNB
rogue HNB roaming
Status of work at 3GPP on Security issues
Recently completed security activities at 3GPP (Rel-11)
Recently completed security activities at 3GPP (Rel-10)
Ongoing security activities at 3GPP
Main 3GPP Security Standards
Main 3GPP Security Standards
UMTS Security:• 33.102 Security Architecture. • 33.105. 3GPP Cryptographic Algorithm Requirements. • 35.201. f8 and f9 Specification. • 35.202. KASUMI Specification.
IMS Security:• 23.228 IMS Architecture.
LTE Security:• 33.401 System Architecture Evolution (SAE); Security architecture• 33.402 System Architecture Evolution (SAE); Security aspects of non-3GPP
Lawful Interception:• 33.106 Lawful interception requirements• 33.107 Lawful interception architecture and functions• 33.108 Handover interface for Lawful Interception
Key Derivation Function:• 33.220 GAA: Generic Bootstrapping Architecture (GBA)
Backhaul Security:• 33.310 Network Domain Security (NDS); Authentication Framework (AF)
Relay Node Security• 33.816 Feasibility study on LTE relay node security (also 33.401)
Home (e) Node B Security:• 33.320 Home (evolved) Node B Security
All documents available for free at: ftp://ftp.3gpp.org/specs
