lte r di i t flte radio interface - deepsec · pdf filelte r di i t flte radio interface and...

LTE R di I t fLTE Radio Interfaceand its

Security Mechanism

Content•Comparison of 2G,3G and LTE Packed Domain•EPSEPS•LTE Requirements•Main Characteristics of LTE Physical LayerMain Characteristics of LTE Physical Layer•The MME•LTE and SAE ID´s•LTE and SAE ID s•Latency Considerations•DL Resource Elements•DL Resource Elements•Keys in LTE•Security for Voice over LTE•Security for Voice over LTE•Future

Deepsec 2010 2Herbert Koblmiller, 26. November 2010

Comparison of 2G, 3G, LTE – PACKET DOMAIN

2G

BTS

2G

BSC

3G

Serving GPRSSupport

Gateway GPRSSupport

NodeB RNC

Node Node

Internet

LTE

eNodeBServing Gateway

PDNGateway


EPS – Evolved Packet System

E-UTRAN EPC(LTE) (SAE)

HomeSubscriber

Server

MobilityManagementEntity

S6a

Internet

eNodeB

X2

Server

S1-MME

Entity

S11

eNodeBPDNGateway

Serving G

X2

S1-U S5eNodeB GatewayGateway

U l


User planeContrrol plane

LTE Requirements

InternetServices

TelephonyMobility up to 250km/hBroadcast (eg MBMS)

Up to >100 Mbit/s DL (2x2 Ant)

High Data Rates

Up to >100 Mbit/s DL (2x2 Ant)Up to >300 Mbit/s DL (4x4 Ant)Up to >50 Mbit/s ULHigher spectral Efficiency than R6

PS Services only

User plane latency <10msControl plane latency < 100ms


Main characteristics of LTE Physical Layer

DL: OFDMAAir Interface

DL: OFDMAUL: SC-FDMA

Bandwith: Scalable

20, 10, 5, 3, 1.4 MHz

Bandwith: Scalable

MIMO, AAS

Smart Antenna Technology:

No BSC or RNC

Low Complexity

No Soft(er) HandoverLess Protocol overhead Self organizing network


The MMEMME

NAS SignallingOther Mobility

•EPS bearer management - QOS control

•Generation of Paging•Idle State Mobility managemant- UE tracking

yManagementEntity

S10

eNodeB

HomeSubscriber

ServerS1-MME

S6a

U g

Inter CN node Signalling

Serving Gateway

ServerS11•Selection of Serving GW and

MME/SGSN (Handover)•Roaming

Inter CN node Signalling

Gateway

•Authentication•Ciphering + Integrity Protection

Security managemantServing GPRS

S3

of NAS signalling GPRSSupportNode


LTE and SAE ID´s

PLMN ID ( MCC + MNC) 24 bitEPS BE ID

Network

Network Entities

EPS BEarer ID

User Equipment

IMEI = MMEGI +MMEC 16 + 8 bitGUMMEI = MCC + MNC + MMEIPhysical Cell ID 9bit

IMSI 60bitS-TMSI = MMEC + M-TMSIIMEI 60bitGUTI GUMMEI M TMSITAI = MCC + MNC + TAC 32bit GUTI = GUMMEI + M-TMSI

E-UTRANC-RNTI 16 bitRA-RNTI 16bitSI-RNTI 16bit

E UTRAN

P-RNTI 16bitTPC-PUCCH-RNTI 16bitTPC-PUSCH-RNTI 16bitRandom Value 4bit


Random Value 4bit

User Plane Latency

Serving G t eNodeB

S1-UGateway eNodeB

data 0 5ms 1-15ms 1ms 1ms 1msdata 0.5ms 1 15ms 1ms 1ms 1msup to 8ms

HARQ

5ms to 20ms


Control Plane Latency compared to 3G

CELL_FACHca 270ms ca 200ms

3GRRC_IDLE CELL_DCH

ca 460ms

LTEEMM-Registered

andRRC_IDLE

LTEEMM-Registered

andRRC_IDLE

51.5ms to 77.5ms


DL Spectrum Layout - OFDMA

Pilots at predefined DC Subcarrier

Pilots at predefined subcarrier numbersE

LowerGuard

UpperGuard

f

GuardBand

GuardBand

Bandwith = N * fN variable 1.4-20MHz


DL Resource Element and Resource Blockst

1 Resource Block

T( l t) 0 5T(slot) = 0.5ms

f

LowerGuard

UpperG ard

7 OFDMASymbols= 0.5ms

DC

GuardBand

GuardBand

12 Subcarrier= 180kHz


Keys in LTE Ki AMF SQN RAND

AK

XRES

USIM, AuC

CK IK

HSS

K(ASME)

MME

K(eNodeB)

MME

eNodeBK(NASenc) K(NASint)

K(RRCint)K(UPenc) K(RRCenc)


Cryptographic Key Separation

Differenciate User Traffic from SignallingPurpos

Keys stored in different locationsKey Renewal (Key change on the fly)Variable SecurityMore Independence of Radio InterfaceMore Independence of Radio Interface

Negotiations2 mandatory sets of Security•128-EEA1 and 128-EIA1 based ond SNOW 3G•128-EEA2 and 128-EIA2 based on FIPS 197

Supported by all UE eNodeB and MME Supported by all UE, eNodeB and MME Algorithm negotiated separately between UE

and eNodeBAlgorithm negotiated separately between UE

and MME (eg. NAS level)UE Security Capabilities sent in Setup procedureAlgorithm can only change during Handover


Security for Voice over LTE

Methods for voice over LTEIMS over LTE• IP Multimedia Subsystem is an independent

service control architecture

Methods for voice over LTE

Circuit Switched Fallback (CSFB)• this provides voice service by fallback from

LTE to 3G or 2G (3GPP2-defined networks)

S b ib A th ti ti i IMSSIP-layer AuthenticationAccess-Network bundled AuthenticationTrusted Node Authentication

Subscriber Authentication in IMS

Trusted Node Authentication


Flow for Registration with IMS AKA

Proxy CSCF

UEServing CSCF

HomeSubscriber

ServerServerRegister

Unprotected

Register

Protected by NDS/IP

Cx-AuthDataRequy

Protected by NDS/IP

Cx-AuthDataRespProtected by NDS/IPAuth Challenge:

Auth_Challenge:RAND,AUTNUnprotected

CreateIPsec SAs

Protected by NDS/IPAuth_Challenge:RAND,AUTN,CK,IKProtected by NDS/IP

p

Register:Digest-Resp(RES,RAND) Protected By IPsec SA

Register:

Digest-Resp(RES,RAND) Protected Auth

Ch k C P t C P llIPsec SA )by NDS/IP Check Cx-Put + Cx-Pull

Protected by NDS/IP

Cx-PutResp + Cx-PullResp

200 OKProtected by NDS/IP

200 OKProtected By


Cx PutResp + Cx PullRespProtected by NDS/IP

IPsec SA

Security for Home Base Station Deployment

MobilityManagementEntity

S11UnsecureNetwork S1-MME

HomeeNodeB

Serving Gateway

SecurityGateway

S1-U

yy

U l

Device Autentication mandatory



Security for Relay Node Architecture

MobilityMobilityManagementEntity

S1 MME

S11

S1-MME

RelayNode

Serving GatewayDonor

eNodeB

S1-U

ll d d bl h

U l

Still under study to prevent possible threats



Speaker

Dipl.-Ing. Herbert KoblmillerM bil N k Pl iMobile Network PlanningOptimisation & Network Performance

A1 Telekom Austria AGObere Donaustraße 29 1020 Wien

[email protected]


lte r di i t flte radio interface - deepsec · pdf filelte r di i t flte radio interface and...

Documents