3GPP security hot topics - ETSI, 5th ETSI Security Workshop, 2010-01-20 (22 pages)

3GPP security hot topics: Home base station & IMS media plane security

Valtteri Niemi, Nokia Research Center, Lausanne, Switzerland
Bengt Sahlin, Ericsson NomadicLab, Jorvas, Finland

© ETSI 2009. All rights reserved. 5th ETSI Security Workshop

Page 1: Title slide

Page 2: Some history

Page 3: Some history (1/2)

- For 3GPP Release 99 (frozen 2000), WG SA3 created 19 new specifications, e.g.
  - TS 33.102 “3G security; Security architecture”
  - 5 specifications (out of these 19) originated by ETSI SAGE, e.g. TS 35.202 “KASUMI specification”
- For Release 4 (frozen 2001), SA3 was kept busy with GERAN security while ETSI SAGE originated again 5 new specifications, e.g.
  - TS 35.205-208 for MILENAGE algorithm set
- Release 5 (frozen 2002): SA3 added 3 new specifications, e.g.
  - TS 33.203 “IMS security”
- Release 6 (frozen 2005): SA3 added 17 new specifications, e.g.
  - TS 33.220-222 “Generic Authentication Architecture”
- Release 7 (frozen 2007): SA3 added 13 new specifications
  - ETSI SAGE created 5 specifications for UEA2 & UIA2 (incl. SNOW 3G spec) (TS 35.215-218, TR 35.919)

Page 4: Some history (2/2)

- Release 8 (frozen 2008): SA3 added 7 new specifications, e.g.
  - TS 33.401 “SAE: Security architecture”
- Release 9 (frozen end of 2009): SA3 added 6 new specifications (one more TR still to be included):
  - TS 33.224 “Generic Push layer”
  - TS 33.328 “IMS media plane security”
  - TS 33.320 “Security Aspects of Home NodeB/eNodeB”
  - TRs:
    - 33.937 “Protection against Unsolicited Communication for IMS”
    - 33.924 “Identity Management and 3GPP Security Interworking”
    - 33.812 “Feasibility Study on the Security Aspects of Remote Provisioning and Change of Subscription for M2M Equipment”

Page 5: Home (e)Node B security

Page 6: Configuration of eNB

- Communication between the remote/local O&M systems and the eNB mutually authenticated.
- The eNB shall be able to ensure that software/data change attempts are authorized.
- Confidentiality and integrity of software transfer towards the eNB ensured.
- etc.

(see TS 33.401)

Page 7: Secure environment inside eNB

- Secure storage of sensitive data, e.g. long term cryptographic secrets and vital configuration data.
- The secure environment shall support the execution of sensitive functions, e.g. use of long term secrets in authentication protocols.
- The secure environment shall support the execution of sensitive parts of the boot process.
- Only authorised access shall be granted to the secure environment.
- etc.

(see TS 33.401)

Page 8: Home base stations: new architecture

(Architecture figure: UE -- H(e)NB -- insecure link -- SeGW -- Operator’s core network, which contains the H(e)NB-GW, the AAA Server/HSS and the H(e)MS.)

- Concept of Closed Subscriber Group introduced
- Applies also to HSPA base stations

Page 9: Security mechanisms for Home base stations

- Device Integrity Check upon booting, based on Trusted Environment (TrE)
- Secured clock synchronization
- Device authentication
  - Mutual authentication between H(e)NB and SeGW
  - Based on IKEv2 and certificates
- IPsec tunnel between H(e)NB and SeGW
- Optionally Hosting Party authentication, based on UICC
- Location verification
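The first mechanism on this slide, the device integrity check at boot anchored in the TrE, is the one a practitioner most often has to implement or audit: the TrE holds reference values, each boot stage is measured before it is allowed to run, and the first mismatch halts the boot. The Python below is an added example written for this page, not code from 3GPP, ETSI or the presenters. The firmware images, stage names and the manifest key are constructed, and an HMAC-authenticated manifest stands in for the certificate-signed reference values a real TrE would hold (an assumption made so the example runs with the standard library only).

```python
"""Boot-time device integrity check in the style of the TrE-based check on
slide 9.  Added example, not 3GPP/ETSI code: images, stage names and the
'TrE-held' manifest key are all constructed here."""
import hashlib
import hmac

# Constructed firmware images for a three-stage boot (bootloader -> OS -> app).
BOOT_IMAGES = {
    "bootloader": b"BL v1.2 constructed-image",
    "os":         b"OS v4.0 constructed-image",
    "hnb_app":    b"HNB application v9 constructed-image",
}
BOOT_ORDER = ["bootloader", "os", "hnb_app"]

# Assumed to live inside the TrE and to be unreadable from the normal OS.
# A real design anchors the manifest with an asymmetric signature; HMAC is
# used here only to keep the example self-contained.
TRE_MANIFEST_KEY = b"constructed-tre-manifest-key"


def measure(image: bytes) -> str:
    """Digest of an image, as the TrE would record it before handing control over."""
    return hashlib.sha256(image).hexdigest()


def _manifest_body(entries: dict) -> bytes:
    return "\n".join(f"{n}={d}" for n, d in sorted(entries.items())).encode()


def build_manifest(images: dict, key: bytes) -> dict:
    """Reference manifest as the operator's O&M system would provision it."""
    entries = {name: measure(img) for name, img in images.items()}
    mac = hmac.new(key, _manifest_body(entries), "sha256").hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest that was not produced with the TrE-held key."""
    expected = hmac.new(key, _manifest_body(manifest["entries"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_boot(images: dict, manifest: dict, key: bytes) -> list:
    """Measure each stage in boot order and return the stages that passed.
    Raises RuntimeError at the first failure so that nothing later runs."""
    if not manifest_is_authentic(manifest, key):
        raise RuntimeError("reference manifest failed authentication")
    verified = []
    for stage in BOOT_ORDER:
        actual = measure(images[stage])
        if not hmac.compare_digest(actual, manifest["entries"][stage]):
            raise RuntimeError(f"integrity check failed at stage {stage!r}")
        verified.append(stage)
    return verified


def boot_outcome(images: dict, manifest: dict, key: bytes) -> str:
    """'ok' when every stage verifies, otherwise the reason the boot stopped."""
    try:
        verify_boot(images, manifest, key)
        return "ok"
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    manifest = build_manifest(BOOT_IMAGES, TRE_MANIFEST_KEY)
    print(verify_boot(BOOT_IMAGES, manifest, TRE_MANIFEST_KEY))
    tampered = dict(BOOT_IMAGES, os=b"OS v4.0 constructed-image (tampered)")
    print(boot_outcome(tampered, manifest, TRE_MANIFEST_KEY))
```

The two checks that matter are both present: the manifest itself is authenticated before any entry in it is trusted, and comparisons use constant-time `compare_digest`. Swapping a reference digest inside the manifest without the TrE key fails at the first check; altering an image while leaving the manifest intact fails at the stage that loads it.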

Page 10: Base stations and Lawful interception

- Usually lawful interception is not applied in base stations
- However, current (Release 10) work for Local IP Access and Selective IP Traffic Offload may change the situation

Page 11: IMS media plane security

Page 12: Goals of IMS media security

1. To provide security for media usable across all access networks
2. To provide an end-to-end media security solution to satisfy major user categories
3. To provide end-to-end media security for important user groups like enterprises, National Security and Public Safety (NSPS) organizations

Page 13: Mechanisms for IMS media security

The media stream is protected by SRTP (RFC 3711).

Three solutions for key management:

End to access edge (e2ae)
- SDES (RFC 4568) between IMS terminal and P-CSCF (first SIP proxy) to provide keys

End-to-end (e2e)
- SDES between two IMS terminals to exchange keys
- Specific Key Management Service with GBA authentication (or a proprietary authentication mechanism) and MIKEY-TICKET protocol (draft-mattsson-mikey-ticket)
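The SDES option carries the SRTP master key and salt in cleartext inside the SDP a=crypto attribute. That is what makes it usable for e2ae (the P-CSCF can read the key and terminate SRTP) and is also why, as the LI slide later in the deck notes, the network can hand SDES keys to a LEA; the corollary for a deployment is that SDES is only as strong as the protection of the SIP signalling path (TS 33.203). The Python below is an added example, not code from the presentation or from 3GPP: it parses RFC 4568 a=crypto lines, rejects keys whose length does not fit the suite, and applies the offer/answer matching rule. The SDP fragments, addresses and key bytes are constructed for the example.

```python
"""SDES (RFC 4568) offer/answer handling for SRTP keys.  Added example,
not 3GPP/ETSI code; all SDP text and key material below is constructed."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Master key + master salt length in bytes for the suites accepted here
# (128-bit key + 112-bit salt, RFC 4568 section 6.2).
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16 + 14,
    "AES_CM_128_HMAC_SHA1_32": 16 + 14,
}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime|MKI] [session-params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(?:\|\S*)?(?: .*)?$")


def crypto_line(tag: int, suite: str, key_salt: bytes) -> str:
    """Build the a=crypto attribute an IMS terminal puts in its SDP."""
    return f"a=crypto:{tag} {suite} inline:{base64.b64encode(key_salt).decode()}"


# Constructed 30-byte key||salt values; a real terminal draws them from a CSPRNG.
KEY_A1 = bytes(range(1, 31))
KEY_A2 = bytes(range(31, 61))
KEY_B = bytes(range(101, 131))

# Constructed SDP: UE A offers two suites, UE B answers with one of them.
OFFER_SDP = "\n".join([
    "v=0", "o=ueA 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    crypto_line(1, "AES_CM_128_HMAC_SHA1_80", KEY_A1),
    crypto_line(2, "AES_CM_128_HMAC_SHA1_32", KEY_A2),
])
ANSWER_SDP = "\n".join([
    "v=0", "o=ueB 1 1 IN IP4 198.51.100.20", "s=-", "c=IN IP4 198.51.100.20", "t=0 0",
    "m=audio 51000 RTP/SAVP 0",
    crypto_line(1, "AES_CM_128_HMAC_SHA1_80", KEY_B),
])


def parse_crypto_lines(sdp: str) -> List[Dict]:
    """Return each usable a=crypto line as {tag, suite, key, salt}.
    Unknown suites, undecodable keys and keys of the wrong length for the
    suite are dropped, since a receiver must not use them."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, key_b64 = m.groups()
        if suite not in SUITE_KEY_LEN:
            continue
        try:
            key_salt = base64.b64decode(key_b64, validate=True)
        except binascii.Error:
            continue
        if len(key_salt) != SUITE_KEY_LEN[suite]:
            continue
        found.append({"tag": int(tag), "suite": suite,
                      "key": key_salt[:16], "salt": key_salt[16:]})
    return found


def negotiate(offer_sdp: str, answer_sdp: str) -> Optional[Tuple[str, bytes, bytes, bytes, bytes]]:
    """Offer/answer rule of RFC 4568: the answer holds exactly one a=crypto
    line whose tag and suite match an offered line.  Returns, from the
    offerer's view, (suite, send_key, send_salt, recv_key, recv_salt), or
    None when the answer must be rejected."""
    offered = {c["tag"]: c for c in parse_crypto_lines(offer_sdp)}
    answered = parse_crypto_lines(answer_sdp)
    if len(answered) != 1:
        return None
    ans = answered[0]
    chosen = offered.get(ans["tag"])
    if chosen is None or chosen["suite"] != ans["suite"]:
        return None
    return chosen["suite"], chosen["key"], chosen["salt"], ans["key"], ans["salt"]


def keys_visible_on_signalling_path(sdp: str) -> List[str]:
    """What any element that reads this SDP (e.g. the P-CSCF in the e2ae
    case) learns without any cryptography: the hex master keys."""
    return [c["key"].hex() for c in parse_crypto_lines(sdp)]


if __name__ == "__main__":
    suite, sk, ss, rk, rs = negotiate(OFFER_SDP, ANSWER_SDP)
    print(suite, "send key", sk.hex(), "recv key", rk.hex())
    print("readable by every SIP hop:", keys_visible_on_signalling_path(OFFER_SDP))
```

The negotiation rejects three cases a lenient parser would let through: an answer that reuses an offered tag with a different suite, an answer whose key is the wrong size for the suite, and an answer carrying more than one crypto line. `keys_visible_on_signalling_path` is the e2ae/LI point made concrete: the keys are recoverable from the SDP alone, which is why the e2ae design puts the SRTP endpoint at the P-CSCF and why SDES e2e only holds against eavesdroppers who cannot read the signalling.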

Page 14: SDES e2e case: Originating side

(Sequence diagram; participants: UE A, then P-CSCF and S-CSCF of the Originating Network, then the Terminating Network.)

1. SDP Offer (UE A to P-CSCF)
2. SDP Offer (P-CSCF to S-CSCF)
3. SDP Offer (S-CSCF to Terminating Network)
4. SDP Answer (Terminating Network to S-CSCF)
5. SDP Answer (S-CSCF to P-CSCF)
6. SDP Answer (P-CSCF to UE A)
7. Completion of session setup and bearer setup procedures

e2e protected media

Page 15: SDES e2e case: Terminating side

(Sequence diagram; participants: Originating Network, then S-CSCF and P-CSCF of the Terminating Network, then UE B.)

1. SDP Offer (Originating Network to S-CSCF)
2. SDP Offer (S-CSCF to P-CSCF)
3. SDP Offer (P-CSCF to UE B)
4. SDP Answer (UE B to P-CSCF)
5. SDP Answer (P-CSCF to S-CSCF)
6. SDP Answer (S-CSCF to Originating Network)
7. Completion of session setup and bearer setup procedures

Media

Page 16: KMS originating side

(Sequence diagram; participants: UE A, then P-CSCF and S-CSCF of the Originating Network, then the Terminating Network.)

1. Interactions with KMS (UE A)
2. SDP Offer (UE A to P-CSCF)
3. SDP Offer (P-CSCF to S-CSCF)
4. SDP Offer (S-CSCF to Terminating Network)
5. SDP Answer (Terminating Network to S-CSCF)
6. SDP Answer (S-CSCF to P-CSCF)
7. SDP Answer (P-CSCF to UE A)
8. Completion of session setup and bearer setup procedures

e2e protected media

Page 17: KMS terminating side

(Sequence diagram; participants: Originating Network, then S-CSCF and P-CSCF of the Terminating Network, then UE B.)

1. SDP Offer (Originating Network to S-CSCF)
2. SDP Offer (S-CSCF to P-CSCF)
3. SDP Offer (P-CSCF to UE B)
4. Interactions with KMS (UE B)
5. SDP Answer (UE B to P-CSCF)
6. SDP Answer (P-CSCF to S-CSCF)
7. SDP Answer (S-CSCF to Originating Network)
8. Completion of session setup and bearer setup procedures

Media

Page 18: Key management for MIKEY TICKET (figure only)

Page 19: MIKEY TICKET messages (figure only)

Page 20: IMS media security LI issues

- e2e security and LI do not go well together
- For SDES and KMS, keys are delivered to LEA – we are OK
- IETF prefers DTLS-SRTP, based on Diffie-Hellman key exchange
- On the other hand, LI must not be detectable to the target
- Three potential solutions (but all problematic for undetectability)
  - Network plays man-in-the-middle
  - Key hidden in protocol messages
  - Terminals disclose keys to network

Page 21: Summary

- Home (e)NB security
  - New architecture with more exposed locations of NB’s
  - New types of threats
  - Many new countermeasures needed
- IMS media plane security
  - Two methods for IMS media e2e protection
    - SDES for major user categories
    - MIKEY-TICKET for special user groups
  - One e2ae method for IMS media protection
    - SDES

Page 22: For more information: www.3gpp.org