EPC Security Functions EPC Security Functions
The EPC is responsible for maintaining user subscription and security data and for using that data to ensure that unauthorized users cannot gain access to network services. UEs must also be given the means to ensure that the network they are connecting to is valid and authentic.
The EPC must also ensure that users’ identities remain confidential. The same applies to the traffic that users send over the network.
Finally, the integrity of the flow of signalling and control traffic around and across the network must be protected to ensure that it is not intercepted and altered by unauthorized persons.
Further Reading: 3GPP TS 33.301
2.62
LTE Evolved Packet Core Network
MME
KUPenc KNASenc KNASint
K ASME
AKA (Authentication and Key Agreement) AKA (Authentication and Key Agreement)
EPS employs the same AKA (Authentication and Key Agreement) mechanism as is used by 3G UMTS networks.
The EPS AKA mechanism aims to ensure that the network can authenticate users and vice versa, and that once authenticated, users and network can agree on a set of encryption mechanisms to employ to protect users and control traffic. EPS AKA operates between the UE and the MME and is facilitated by subscription data stored in the USIM (Universal Subscriber Identity Module) and the HSS.
As in 3G UMTS, when a user is required to authenticate, the HSS will generate a quintet of AVs (Authentication Vectors): a random 128-bit number (RAND), an XRES (Expected Response), a CK (Cipher Key), an IK (Integrity Key) and an AUTN (Authentication Token). In UMTS, CK and IK were secure keys for ciphering and integrity protection between the UE and the RNC. They still exist in LTE, but are now used differently. From CK and IK, the UE and network separately derive a key known as K ASME. From this, they ultimately derive five low-level keys, which are used for ciphering and integrity protection of data and signalling messages, both at the level of the access stratum (as in 3G), and at the level of the non-access stratum (a new feature in LTE).
K ASME, RAND, XRES and AUTN are passed to the MME and from there are variously propagated to the eNB and UE to enable key generation to take place.
RAND is used as a challenge and is transmitted to the UE. The USIM processes RAND through its copy of the ‘shared secret’ K authentication key and generates a response, which is transmitted back to the MME. If the USIM response matches XRES then the USIM is deemed to be genuine and the UE is allowed to access network services.
Finally, the AUTN is passed to the UE to allow it to authenticate the network.
Further Reading: 3GPP TS 33.102; 33.401; 23.401
LT3604/v4.0 © Wray Castle Limited 2.63
Evolved Packet Core
MME
UE/USIM EPC & E-UTRAN
IMSI M-TMSI
User Confidentiality User Confidentiality
As with legacy 3GPP systems, the EPS uses the IMSI to absolutely and uniquely identify each user. The user confidentiality mechanism provides subscriber anonymity by ensuring that the IMSI is transmitted across the network as little as possible.
A UE accessing a network for the first time or after a long period of inactivity has no option but to transmit its user’s IMSI to the network to allow identification and authentication to take place. Once the user has been authenticated, however, the MME generates an ‘alias’ that may then be used in place of the IMSI to identify the subscriber.
Generically in 3GPP networks this alias is known as a TMSI. The specific variety employed in the EPS is the M-TMSI. The correspondence between M-TMSI and a user’s true IMSI is known only to the MME and user’s UE. An M-TMSI will be unique within the MME that issued it. When combined with an MMEC to make an S-TMSI it becomes unique within an MME pool. When the M-TMSI is combined with a GUMMEI to form a GUTI it becomes unique within all EPS networks.
The MME may elect to request UEs to reauthenticate periodically and will issue a new M-TMSI at this time. A UE may be issued a new M-TMSI when it moves to the control of a new MME.
The EPS user confidentiality mechanism is essentially the same as that employed in the GERAN and UTRAN, although the identities of the relevant network elements have changed.
2.64
LTE Evolved Packet Core Network
Ciphering Options
On the E-UTRAN air interface UP (User Plane) and RRC traffic is ciphered at the PDCP (Packet Data Compression Protocol) level in the UE and deciphered at the same level in the eNB (and vice versa), which makes the EPS process more aligned to that of GSM than GPRS or UMTS. The ciphering process is based on similar principles to that of previous network versions, although a different set of encryption algorithms is employed.
The relevant 3GPP specification (33.401, R11 onwards) currently lists four EEA (EPS Encryption Algorithm) options: EEA-0 – null encryption algorithm (no ciphering), 128-EEA-1 – SNOW 3G algorithm,
and 128-EEA-2 – AES (Advanced Encryption System) and 128-EEA-3 ZUC (an algorithm devised in China and named after an ancient Chinese mathematician named Zu Chongzhi).
All EEA options default to a 128-bit encryption key and are mandatory for UEs and eNBs to support, even if operators decide not to invoke them. In fact, even if ciphering is not required the UE and eNB still perform the required ciphering functions, they simply use the EEA0 null cipher key which results in no change to the transmitted data.
Air interface RRC signalling may also be ciphered to prevent unauthorized user identity discovery or UE location tracking. The same set of EEA options is available for RRC ciphering, although their use is optional.
Further Reading: 3GPP TS 33.102; 33.401; 35.216 (SNOW 3G)
LT3604/v4.0 © Wray Castle Limited 2.65
Ciphering and Integrity Protection
Ciphering and Integrity Protection (continued)(continued)
Whether RRC ciphering is employed or not, RRC integrity protection must be performed. Integrity protection is designed to allow nodes to detect when unauthorized changes have been made to messages whilst ‘in flight’. Before a control message is transmitted it is ‘hashed’ using an encryption key and a token (known as a MAC or Message Authentication Code) created from the hash is inserted in the message. Upon receipt, the peer device rehashes the message using its copy of the current encryption key. If the newly generated token fails to match the embedded token the message is rejected. Air interface integrity protection is applicable to RRC and NAS connections only; there is no integrity protection of user plane traffic.
Three EIA (EPS Integrity Algorithms) have so far been defined based on the EEA1, EEA2 and EEA3 algorithms.
There are circumstances where it may not be necessary to encrypt S1 traffic, for instance in cases where the eNB is sited within an operator’s switch site where the link between the base station and the S-GW is protected by other means.
In circumstances where the eNB is distant from the operator’s site, however, appropriate S1-U and S1-MME ciphering using the IPsec protocol is recommended (some clauses in TS 33.401 state that this is mandatory). IPsec offers two methods of protection – ciphering and integrity protection – so both forms of protection are technically available for S1 interfaces. Instead of creating separate IPsec tunnels for each logical S1-U and S1-MME interface it supports, an eNB is more likely to create a single IPsec tunnel to carry all backhaul traffic. The network will then typically deploy a SeGW to the edge of the EPC to terminate the incoming IPsec tunnels from e-UTRAN eNBs before forwarding traffic on to internal EPC nodes.
Integrity protection of S1-MME NAS signalling links is mandatory. UEs and MMEs can use either of the two EIA options to protect these links.
Further Reading: 3GPP TS 33.102; 33.401; 35.216 (SNOW 3G)
2.66