iir tutorial 2


Upload: yazdanmehr-borhani

Post on 20-Oct-2015

UMTS Security

3GPP Security architecture

Bart Vinck
Siemens Atea, Information and Communication Networks, Communications on Air
USECA
[email protected]

IRR Fraud and Security Conference, London, March 9, 2000

Contents

• Introduction
• Network access security
  – Authentication and key agreement
  – User identity confidentiality
  – Confidentiality and integrity
  – Connection establishment
  – Mobile equipment identity security
• Network domain security
• Summary

Introduction - Technical specifications

Principles, objectives and requirements
• TS 33.120 Security principles and objectives
• TS 21.133 Security threats and requirements

Architecture, mechanisms and algorithms
• TS 33.102 Security architecture
• TS 33.103 Integration guidelines
• TS 33.105 Cryptographic algorithm requirements

Lawful interception
• TS 33.106 Lawful interception requirements
• TS 33.107 Lawful interception architecture and functions

Introduction - Technical reports

Technical reports
• TR 33.900 Guidelines for 3G security
• TR 33.901 Criteria for cryptographic algorithm design
• TR 33.902 Formal analysis of authentication

Introduction - Security architecture overview

[Figure: security architecture overview. Strata: Application stratum, Home stratum/Serving stratum, Transport stratum. Nodes: User Application, Provider Application, USIM, HE, TE, MT, SN, AN. Arrows between the nodes are labelled I to IV.]

I. Network access security
II. Provider domain security
III. User domain security
IV. Application security

Authentication and key agreement - Contents

• Introduction
• Authentication using sequence numbers
• Message flow for successful authentication
• Message flow for re-synchronisation
• Sequence numbers - fine details
• An authenticated signalling channel HE → USIM
• GSM-UMTS interoperation
• World-wide cross standard roaming
• Summary

Authentication and key agreement - Introduction - New security services

GSM AKA security services
• User-to-network authentication: SRES = A3_Ki(RAND)
• Establishment of a 64 bit cipher key: Kc = A8_Ki(RAND)

Additional UMTS AKA security services
• Establishment of longer cipher key: CK = f3_K(RAND)
• Establishment of integrity key: IK = f4_K(RAND)
• User assurance of key freshness
• (To some extent) network-to-user authentication
• Authenticated signalling channel HE → USIM

Authentication and key agreement - Assurance of key freshness to the user

What is freshness assurance?
• The user is assured at AKA that the cipher/integrity keys are fresh (i.e., have not been used before)
• Not provided by GSM AKA → network (or intruder) can re-use triplets (and hence re-use an “insecure” cipher key)

Why have key freshness assurance?
• To limit the damage when a triplet is exposed or a cipher key is broken

How to achieve key freshness assurance?
• Option 1: mutual challenge/response
• Option 2: authenticated challenge/response (preferred)

Authentication and key agreement - Sequence numbers - basics

User (USIM)
• Stores SQN_MS = last accepted SQN
• Receives (RAND, SQN, MAC)
• Computes XMAC = f1_K(RAND, SQN)
• Verifies that XMAC = MAC and SQN > SQN_MS
• Updates SQN_MS

Home network (AuC)
• Stores SQN_HE = last generated SQN
• Selects next SQN > SQN_HE
• Computes MAC = f1_K(RAND, SQN)
• Sends the user (RAND, SQN, MAC)
• Updates SQN_HE

[Figure: AuC (holding K, SQN_HE) sends (RAND, SQN, MAC) to the USIM (holding K, SQN_MS).]

Authentication and key agreement - 0/4: Prerequisites

[Figure: USIM (K, SQN_MS), VLR or SGSN, AuC (K, SQN_HE).]

• AuC and USIM share secret key K
• AuC maintains SQN_HE = largest sequence number generated by the AuC (for the subscriber) (will be enhanced further on)
• USIM maintains SQN_MS = largest sequence number received and accepted by the USIM (will be enhanced further on)

K = Subscriber authentication key
SQN_MS = Sequence number counter in the MS
SQN_HE = Sequence number counter in the HE

USIM = UMTS Subscriber Identity Module
VLR = Visitor Location Register
SGSN = Serving GPRS Support Node
AuC = Authentication Centre
MS = Mobile Station
HE = Home Environment

Authentication and key agreement - 1/4: User-to-network authentication

• AuC generates RAND and computes XRES
• RAND is sent to the USIM; XRES is sent to the VLR/SGSN
• USIM re-computes RES and sends RES to the VLR/SGSN
• The VLR/SGSN verifies “RES = XRES?”

[Figure: message flow between USIM, VLR or SGSN and AuC]
AuC (SQN_HE, K): RAND; XRES = f2_K(RAND)
AuC → VLR or SGSN: RAND, XRES
VLR or SGSN → USIM: RAND
USIM (SQN_MS, K): RES = f2_K(RAND)
USIM → VLR or SGSN: RES
VLR or SGSN: XRES = RES ?

RAND = Network challenge
RES = User response
XRES = Expected response

Authentication and key agreement - 2/4: Cipher/integrity key establishment

• AuC computes CK and IK from RAND and K
• RAND is sent to USIM, CK and IK are sent to VLR or SGSN
• USIM re-computes CK and IK from RAND and K

[Figure: message flow between USIM, VLR or SGSN and AuC]
AuC (SQN_HE, K): RAND; XRES = f2_K(RAND); CK = f3_K(RAND); IK = f4_K(RAND)
AuC → VLR or SGSN: RAND, XRES, CK, IK
VLR or SGSN → USIM: RAND
USIM (SQN_MS, K): RES = f2_K(RAND); CK = f3_K(RAND); IK = f4_K(RAND)
USIM → VLR or SGSN: RES
VLR or SGSN: XRES = RES ?

CK = Cipher key
IK = Integrity key

Authentication and key agreement - 3/4: Network-to-user authentication

• AuC generates fresh SQN > SQN_HE, protects the integrity by means of MAC and sends AUTN = SQN | MAC to the USIM
• USIM verifies the data origin of SQN by “XMAC = MAC ?”
• USIM verifies the freshness of SQN by “SQN > SQN_MS”
• Freshness + data origin verification = entity authentication

[Figure: message flow between USIM, VLR or SGSN and AuC]
AuC (SQN_HE, K): RAND, SQN; XRES = f2_K(RAND); CK = f3_K(RAND); IK = f4_K(RAND); MAC = f1_K(RAND | SQN); AUTN = SQN | MAC
AuC → VLR or SGSN: RAND, XRES, CK, IK, AUTN
VLR or SGSN → USIM: RAND, AUTN
USIM (SQN_MS, K): RAND, SQN; RES = f2_K(RAND); CK = f3_K(RAND); IK = f4_K(RAND); XMAC = f1_K(RAND | SQN); XMAC = MAC ?; SQN > SQN_MS
USIM → VLR or SGSN: RES
VLR or SGSN: XRES = RES ?

AUTN = Authentication token
SQN = Sequence number
MAC = Message authentication code

Authentication and key agreement - 4/4: An authenticated signalling channel

• AuC determines AMF
• AMF is input to f1 and MAC, AMF is part of AUTN
• USIM receives AMF as part of AUTN
• USIM verifies authenticity of AMF via “MAC = XMAC ?”

[Figure: message flow between USIM, VLR or SGSN and AuC]
AuC (SQN_HE, K): RAND, SQN, AMF; XRES = f2_K(RAND); MAC = f1_K(RAND | SQN | AMF); CK = f3_K(RAND); IK = f4_K(RAND); AUTN = SQN | AMF | MAC
AuC → VLR or SGSN: Quintet (RAND, AUTN, XRES, CK, IK)
VLR or SGSN → USIM: RAND, AUTN
USIM (SQN_MS, K): RAND, SQN; RES = f2_K(RAND); XMAC = f1_K(RAND | SQN | AMF); XMAC = MAC ?; SQN > SQN_MS; CK = f3_K(RAND); IK = f4_K(RAND)
USIM → VLR or SGSN: RES
VLR or SGSN: XRES = RES ?

AMF = Authentication Management Field
Q = Quintet

Authentication and key agreement - Composition of the quintet

Quintet
• RAND: Network challenge, 128 bits
• XRES: Expected response, 32-128 bits
• CK: Cipher key, 128 bits
• IK: Integrity key, 128 bits
• AUTN: Authentication token, 128 bits
  – SQN: Sequence number, 48 bits
  – AMF: Authentication management field, 16 bits
  – MAC(-A): Message authentication code, 64 bits

Note
• The standard allows the possibility to conceal SQN with an anonymity key AK to ensure user identity confidentiality

Source: TS 33.102, Clause 6.3

Authentication and key agreement - Message flow for successful AKA

[Figure: message flow between USIM, VLR or SGSN and AuC]

Distribution of quintets from HLR/AuC to VLR/SGSN
VLR or SGSN → AuC: auth. data request
AuC: Generate quintets
AuC → VLR or SGSN: Quintets, Q = (RAND, XRES, CK, IK, AUTN)

Over-the-air authentication and key agreement
VLR or SGSN → USIM: RAND, AUTN
USIM: Verify MAC, SQN; Derive CK, IK, RES
USIM → VLR or SGSN: RES
VLR or SGSN: XRES = RES ?
USIM: Start using CK, IK
VLR or SGSN: Start using CK, IK

Source: TS 33.102, Clause 6.3

Authentication and key agreement - Failure cases

USIM determines that XMAC-A ≠ MAC-A (new!)
• USIM: sends indication of integrity failure to VLR
• VLR: request for identification or try other quintet or request new quintets from HLR/AuC

USIM determines that “SQN ≤ SQN_MS” (new!)
• USIM: sends indication of synchronisation failure to VLR, computation of re-synchronisation token
• VLR: request new quintets from HLR/AuC with indication of synchronisation failure and re-synchronisation token

VLR determines that XRES ≠ RES
• VLR: reject the user that attempts to access the system

Note: same procedures apply for CS and PS, for VLR and SGSN

Source: TS 33.102, Clause 6.3

Authentication and key agreement - Re-synchronisation mechanism

• USIM determines that “SQN ≤ SQN_MS” and computes MAC-S
• USIM sends AUTS to VLR, VLR adds RAND
• AuC verifies integrity and whether “SQN_MS > SQN_HE” and updates SQN_HE if necessary

[Figure: message flow between USIM, VLR or SGSN and AuC]
VLR or SGSN → USIM: RAND (from the quintet)
USIM (SQN_MS, K): RAND, SQN; SQN ≤ SQN_MS; MAC-S = f1*_K(RAND | SQN_MS); AUTS = SQN_MS | AMF* | MAC-S
USIM → VLR or SGSN: AUTS
VLR or SGSN → AuC: RAND, AUTS
AuC (SQN_HE, K): RAND, SQN; XRES = f2_K(RAND); XMAC-S = f1*_K(RAND | SQN_MS); IF “SQN_MS > SQN_HE” AND MAC-S = XMAC-S SET SQN_HE = SQN

AUTS = Re-synchronisation token
MAC-S = MAC for re-synchronisation

AKA: Re-synchronisation mechanism

[Figure: message flow between USIM, VLR or SGSN and AuC]
USIM: SQN ≤ SQN_MS; Compute AUTS
USIM → VLR or SGSN: Ind. of Sync. Failure, AUTS

Distribution of quintets from HLR/AuC to VLR/SGSN with indication of synchronisation failure
VLR or SGSN → AuC: Auth. Data Request, AUTS, RAND
AuC: Verify AUTS; [Modify SQN-HE]; [Generate quintets]
AuC → VLR or SGSN: Quintets

VLR or SGSN → USIM: RAND, AUTN
USIM: SQN now acceptable
(Continue as in successful AKA)

Source: TS 33.102, Clause 6.3

Authentication and key agreement - Causes of synchronisation failures

Re-use
• VLR/SGSN (or intruder) attempts to re-use quintets
• VLR/SGSN must not attempt to re-use quintets !!
• SQN_HE need not be modified

Out-of-order use
• VLR/SGSN attempts to use quintets, while newer quintets have been used already
• SQN management shall allow out-of-order use (to a certain extent) !! → one issue for enhanced SQN management
• SQN_HE need not be modified

Corruption of the counter in the AuC
• SQN_HE need be modified

Source: TS 33.102, Clause 6.3
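
The basic sequence-number scheme, the failure cases and the re-synchronisation procedure from the preceding slides can be exercised end to end. The following is an added example, not code from the presentation or from 3GPP: truncated HMAC-SHA-256 stands in for f1, f1*, f2, f3 and f4 (the slides do not define them), the key K and the AMF* value are constructed, and all class and function names are hypothetical. It uses the simple counter of the "Sequence numbers - basics" slide, not the enhanced list-based management.

```python
import hashlib
import hmac
import os
from collections import namedtuple

Quintet = namedtuple("Quintet", "rand xres ck ik autn")
AMF_STAR = b"\x00\x00"  # assumed placeholder for AMF* carried in AUTS


def prf(label, k, data, nbytes):
    """Stand-in for f1, f1*, f2, f3, f4: truncated HMAC-SHA-256 (assumption)."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:nbytes]


class AuC:
    def __init__(self, k):
        self.k, self.sqn_he = k, 0

    def generate_quintet(self, amf=b"\x00\x00"):
        self.sqn_he += 1                       # select next SQN > SQN_HE
        sqn = self.sqn_he.to_bytes(6, "big")   # SQN: 48 bits
        rand = os.urandom(16)                  # RAND: 128 bits
        mac = prf(b"f1", self.k, rand + sqn + amf, 8)   # MAC: 64 bits
        return Quintet(rand,
                       prf(b"f2", self.k, rand, 8),     # XRES
                       prf(b"f3", self.k, rand, 16),    # CK
                       prf(b"f4", self.k, rand, 16),    # IK
                       sqn + amf + mac)                 # AUTN = SQN | AMF | MAC

    def resynchronise(self, rand, auts):
        """Verify AUTS = SQN_MS | AMF* | MAC-S; raise SQN_HE only if needed."""
        sqn_ms, mac_s = auts[:6], auts[8:]
        xmac_s = prf(b"f1*", self.k, rand + sqn_ms, 8)
        if not hmac.compare_digest(xmac_s, mac_s):
            return False
        self.sqn_he = max(self.sqn_he, int.from_bytes(sqn_ms, "big"))
        return True


class USIM:
    def __init__(self, k):
        self.k, self.sqn_ms = k, 0

    def authenticate(self, rand, autn):
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        xmac = prf(b"f1", self.k, rand + sqn + amf, 8)
        if not hmac.compare_digest(xmac, mac):          # data origin check
            return "mac_failure", None
        if int.from_bytes(sqn, "big") <= self.sqn_ms:   # freshness check
            sqn_ms = self.sqn_ms.to_bytes(6, "big")
            mac_s = prf(b"f1*", self.k, rand + sqn_ms, 8)
            return "sync_failure", sqn_ms + AMF_STAR + mac_s
        self.sqn_ms = int.from_bytes(sqn, "big")
        return "ok", (prf(b"f2", self.k, rand, 8),
                      prf(b"f3", self.k, rand, 16),
                      prf(b"f4", self.k, rand, 16))


def vlr_authenticate(usim, q):
    """VLR/SGSN role: forward RAND, AUTN and compare RES with XRES."""
    status, out = usim.authenticate(q.rand, q.autn)
    if status != "ok":
        return status, out
    res = out[0]
    return ("ok" if hmac.compare_digest(res, q.xres) else "reject"), None


def run_demo():
    k = bytes(range(16))                      # constructed 128-bit key K
    auc, usim = AuC(k), USIM(k)
    log = []
    q1 = auc.generate_quintet()
    log.append(vlr_authenticate(usim, q1)[0])          # fresh quintet
    log.append(vlr_authenticate(usim, q1)[0])          # re-used quintet
    q2 = auc.generate_quintet()
    bad = q2._replace(autn=q2.autn[:-1] + bytes([q2.autn[-1] ^ 1]))
    log.append(vlr_authenticate(usim, bad)[0])         # modified AUTN
    log.append(vlr_authenticate(usim, q2)[0])          # unmodified quintet
    auc.sqn_he = 0                                     # AuC counter corrupted
    q3 = auc.generate_quintet()
    status, auts = vlr_authenticate(usim, q3)
    log.append(status)
    log.append(auc.resynchronise(q3.rand, auts))       # AuC adopts SQN_MS
    log.append(vlr_authenticate(usim, auc.generate_quintet())[0])
    return log


if __name__ == "__main__":
    print(run_demo())
```

The re-used quintet triggers a synchronisation failure without any change to SQN_HE, while the corrupted counter is repaired only after the AuC has verified MAC-S.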

Authentication and key agreement - Enhanced sequence number management

SQN management shall ...
• … allow out-of-order use of a quintet when it is among the 50 most recently generated quintets
  – Different mechanisms are available; the USIM keeps track of history information on successfully passed authentication events
• … prevent lock-out of a USIM due to SQN_MS reaching SQN_max
  – SQN management shall limit the increment of SQN_MS to a maximum value Δ such that SQN_max / Δ is sufficiently large
• … not compromise user anonymity
  – SQN can either be concealed with an anonymity key AK, or may be (partially) clock-based (then no concealment is required)
• … be able to recover from corruption of the AuC database
  – SQN management shall support re-synchronisation procedure as defined before

Source: TS 33.102, Clause 6.3

Authentication and key agreement - Suggested SQN generation at the AuC

[Figure: SQN = SEQ1 | SEQ2 | INDEX, where SEQ = SEQ1 | SEQ2]

Composition of SQN
• SEQ1: individual part, # SEQ2 cycles + # re-synchronisations
• SEQ2: time-based part, GLC at the SQN generation
• INDEX: differentiates SQN generated at the same GLC

Note
• GLC: Global Time Counter

Generation of new SQN
• Usual case: SEQ1 = SEQ1_HE, SEQ2 = GLC
• GLC wraps around: instead SEQ1 = SEQ1_HE + 1
• >1 batch per time unit: instead SEQ2 = SEQ2_HE + 1
• several quintets in one batch: assign INDEX = 0, 1, 2, ...

Storage in the AuC
• SEQ_HE = SEQ1_HE || SEQ2_HE

Source: TS 33.102, Annex C

Authentication and key agreement - Suggested SQN verification at the USIM

[Figure: SQN = SEQ1 | SEQ2 | INDEX, where SEQ = SEQ1 | SEQ2]

Verification
• If SEQ < SEQ_LO → reject
• If SEQ > SEQ_HI + Δ → reject
• If ∃ i : SEQ = SEQ_MS(i)
  – IND > IND_MS(i) → accept and update IND_MS(i)
  – IND ≤ IND_MS(i) → reject
• Otherwise → accept and add (SEQ, IND), delete (SEQ_LO, IND_LO)

Storage in the USIM
• Ordered list with SQN_MS(i) = SEQ_MS(i) || IND_MS(i), with i ∈ {1, …, 50}, with SEQ_MS(1) > … > SEQ_MS(50)
• SEQ_HI = SEQ_MS(1)
• SEQ_LO = SEQ_MS(50)

Source: TS 33.102, Annex C
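
The verification rules on this slide translate directly into a small state machine. The following is an added example, not code from the presentation or from TS 33.102: the class and method names are hypothetical, the width of INDEX and the value of Δ are assumed parameters (the slide gives neither), and an empty list is treated as SEQ_LO = SEQ_HI = 0 with the lowest entry deleted only once the list exceeds its size. The demo uses a list of 3 instead of 50 so that eviction is visible.

```python
class UsimSqnList:
    """USIM-side SQN check over an ordered list of (SEQ, IND) pairs."""

    def __init__(self, size=50, delta=1 << 28, ind_bits=5):
        self.size = size          # list length (50 on the slide)
        self.delta = delta        # maximum jump above SEQ_HI (assumed value)
        self.ind_bits = ind_bits  # width of INDEX inside SQN (assumed value)
        self.entries = {}         # SEQ_MS(i) -> IND_MS(i)

    def split(self, sqn):
        """Split SQN into SEQ (= SEQ1 || SEQ2) and INDEX."""
        return sqn >> self.ind_bits, sqn & ((1 << self.ind_bits) - 1)

    def verify(self, sqn):
        seq, ind = self.split(sqn)
        seq_hi = max(self.entries, default=0)   # SEQ_HI = SEQ_MS(1)
        seq_lo = min(self.entries, default=0)   # SEQ_LO = SEQ_MS(last)
        if seq < seq_lo:
            return "reject_below_lo"
        if seq > seq_hi + self.delta:
            return "reject_above_hi_plus_delta"
        if seq in self.entries:
            # Same batch: only a strictly larger INDEX is fresh.
            if ind <= self.entries[seq]:
                return "reject_index_not_fresh"
            self.entries[seq] = ind
            return "accept"
        # New SEQ inside the window: add it and drop the oldest entry.
        self.entries[seq] = ind
        if len(self.entries) > self.size:
            del self.entries[seq_lo]
        return "accept"


def run_demo():
    usim = UsimSqnList(size=3, delta=100, ind_bits=8)

    def sqn(seq, ind):
        return (seq << 8) | ind

    # Constructed sequence of received (SEQ, IND) values.
    steps = [
        (10, 0), (11, 0), (13, 0),   # in-order batches
        (12, 0),                     # out-of-order but within the list
        (12, 0),                     # replay of the same quintet
        (12, 1),                     # next quintet of the same batch
        (10, 5),                     # older than SEQ_LO after eviction
        (114, 0),                    # jump larger than delta
        (113, 0),                    # jump of exactly delta
    ]
    results = [usim.verify(sqn(s, i)) for s, i in steps]
    return results, sorted(usim.entries.items())


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Limiting the accepted jump to Δ is what keeps a single forged or erroneous large SEQ from driving the list towards SQN_max and locking out the USIM.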

Authentication and key agreement - Use of authentication management field

Support for multiple algorithms and keys
• key identifier, algorithm identifier

Optimisation memory consumption/re-synchronisation frequency
• Modify list size (in the example: 50)

Optimise HE control/signalling efficiency
• Modify how long cipher/integrity keys can be used before the user triggers a new AKA

Make user reject/allow unencrypted connections
• Allow unencrypted connections only in networks in those countries that do not allow encryption …

Source: TS 33.102, Annex F

Authentication and key agreement - Introduction - Comparison with GSM AKA

GSM AKA
• Secret key cryptography
• Two-way challenge/response
• Allows use of proprietary authentication algorithms
• No algorithms in serving network
• No real-time interaction between user and home network
• Triplets

UMTS AKA
• Secret key cryptography
• Two-way authenticated challenge/response
• Allows use of proprietary authentication algorithms
• No algorithms in serving network
• No real-time interaction between user and home network
• Quintets

Authentication and key agreement - Interoperation between UMTS and GSM

[Figure: interoperation paths between a UMTS HLR/AuC, R99+ VLR/SGSN, R98- VLR/SGSN, UTRAN, GSM BSS, R99+ ME, R98- ME and a UICC with USIM and SIM application. Paths are labelled Quintet or Triplet, and CK, IK → Kc conversions are marked along them.]

AKA used
• UMTS AKA: R99+ VLR/SGSN and UICC
• GSM AKA: otherwise

Keys used
• CK, IK: UTRAN
• Kc: otherwise

Standard function
• c3: CK, IK → Kc

Authentication and key agreement - Interoperation between UMTS and GSM

[Figure: interoperation paths between a GSM HLR/AuC, R99+ VLR/SGSN, R98- VLR/SGSN, UTRAN, GSM BSS, R99+ ME, R98- ME and a GSM SIM. All paths are labelled Triplet, and Kc → CK, IK conversions are marked along them.]

AKA used
• UMTS AKA: never
• GSM AKA: always

Keys used
• CK, IK: UTRAN
• Kc: otherwise

Standard functions
• c4: Kc → CK
• c5: Kc → IK

Authentication and key agreement - World-wide cross-standard interoperation

Current situation
• Good chance that TR-45.2 (3GPP2) adopts 3GPP AKA
• Adoption currently under discussion and subject to conditions
• Would enable global roaming
• Needs to be integrated in 3GPP2 specifications → AKA+

AKA+
• global kernel = AKA
  – Goal: establish secret keys between MS and VLR
  – Common to 3GPP and 3GPP2 → enables global roaming
• 3GPP2-specific local authentication (LA) mechanism
  – Goal: mutual authentication between MS and VLR when user is registered
  – Remains within 3GPP2 → does not compromise global roaming

Authentication and key agreement - World-wide cross-standard interoperation

[Figure: 3GPP2 and 3GPP1 systems sharing an HLR/AuC, each with an MSC/VLR and a UE (with UIM). Procedures shown: AKA, LA, SMN, GC, UC.]

SMN: Security Mode Negotiation
GC: Global Challenge
UC: Unique Challenge

Authentication and key agreement - Conclusions

• Additional security services
  – Establishment of integrity key
  – Network-to-user authentication, key freshness
  – Authenticated signalling channel HE → USIM
• Maximal compatibility and similarity with GSM AKA
  – Pre-distribution of authentication data (triplets → quintets)
  – No cryptographic algorithms in the VLR or SGSN
  – Allows
• True global roaming
  – GSM: simple conversion functions
  – 3GPP2: probable adoption of UMTS AKA
• Provable security
  – Formal proofs of AKA as well as of the re-synchronisation mechanism are available in TR 33.902

User identity confidentiality

• Attacks
• TMSI mechanism
• EMSI mechanism
• Conclusion

User identity confidentiality - Attacks

Eavesdropping attacks
• Eavesdropping on the radio link and catching the IMSIs that are sent in clear text

IMSI catching
• Active attack whereby users are enticed to camp on a false base station (IMSI catcher) and are then requested to send the IMSI in cleartext

IMSI probing
• Active attacks whereby an intruder probes for the presence of a certain user (or a number of users) in a certain area

User identity confidentiality - TMSI mechanism

Mechanism
• TMSI = Temporary Mobile Subscriber Identity
• Usually ME and VLR share a TMSI
• TMSI was generated by the VLR and sent to the ME after the initiation of ciphering → TMSI is “secret”
• When ME or VLR wants to establish a radio connection, the TMSI is used
• A new TMSI is then assigned after start of ciphering

Shortcoming
• When no valid TMSI is available, VLR requests the user to send the IMSI in cleartext → allows IMSI catching

User identity confidentiality - EMSI mechanism (1st enhancement)

Mechanism
• EMSI = Encrypted Mobile Subscriber Identity
• Complementary to TMSI mechanism
• Only used when IMSI is requested by the VLR
• Instead of sending the IMSI in cleartext, the USIM generates an EMSI and the ME sends the VLR the EMSI and the address of the UIDN = User Identity Decryption Node
• VLR sends the UIDN the EMSI, which decrypts the IMSI and sends the IMSI back to the VLR

Shortcoming
• VLR still pages the user with the IMSI in cleartext → allows IMSI paging (which is a kind of IMSI probing)

User identity confidentiality - PMSI mechanism (2nd enhancement)

Mechanism
• PMSI = Encrypted Mobile Subscriber Identity
• Enhancement of the EMSI mechanism
• Provides the VLR with a paging identity (PMSI) to substitute the use of the IMSI in paging requests
• The PMSI is derived in the USIM when the IMSI is encrypted (and then sent to the ME) and is derived in the UIDN when the EMSI is decrypted (and then stored and sent to the VLR)
• The VLR receives the PMSI together with the IMSI and is able to request the PMSI from the UIDN at any time

Shortcoming
• IMSI paging is prevented, but other IMSI probing attacks are not prevented by this mechanism

User identity confidentiality - Conclusions

• Eavesdropping attacks
  – Rendered ineffective by TMSI mechanism (GSM/UMTS)
• IMSI catching
  – Prevented by EMSI mechanism (UMTS - optional)
• IMSI probing
  – Attempt to prevent it by PMSI mechanism (UMTS - optional)
  – But … cannot be prevented by cryptographic means
• Remaining questions
  – Is it useful to protect against IMSI catching without protecting against IMSI probing?
  – Cost/benefit balance of the enhancements?
  – Is it useful to protect only UMTS-only customers?

Confidentiality and integrity - Content

• Key features
• Ciphering mechanism
• Integrity mechanism
• Algorithm: KASUMI

Confidentiality and integrity - Key features

Common to ciphering and integrity
• Secret key cryptography
• Key length 128 bits (GSM: 54-64 bits)
• Public algorithms (GSM: secret algorithm)

Termination points
• User side: Mobile equipment
• Network side: Radio Network Controller (GSM: base station)

Applied to
• Confidentiality: signalling and user data
• Integrity: signalling data

Confidentiality and integrity - Encryption mechanism (1/2)

Ciphering algorithm f8

[Figure: at both the sender and the receiver (ME or RNC), f8 takes COUNT-C, BEARER, DIRECTION, LENGTH and CK as input and produces a KEYSTREAM BLOCK. The sender combines the keystream block with the PLAINTEXT BLOCK to produce the CIPHERTEXT BLOCK; the receiver combines its keystream block with the ciphertext block to recover the PLAINTEXT BLOCK.]

Source: TS 33.102, Clause 6.6

Confidentiality and integrity - Encryption mechanism (2/2)

• Ciphering in layer 2
  – RLC sublayer: non-transparent RLC mode (signalling, data)
  – MAC sublayer: transparent RLC mode (voice)
• Key input values to algorithm
  – CK, 128 bits: Cipher key
  – COUNT-C, 32 bits: Ciphering sequence number
    RLC sublayer: HFN_RLC + SN_RLC (SN_RLC is transmitted)
    MAC sublayer: HFN_MAC + CFN_MAC (CFN_MAC is transmitted)
• Further input values
  – BEARER, 4 bits: Bearer identity
  – DIRECTION, 1 bit: Uplink/downlink
  – LENGTH, 16 bits: Length of keystream block

Source: TS 33.102, Clause 6.6

Confidentiality and integrity - Integrity mechanism (1/2)

• Integrity algorithm f9

[Figure: the sender (ME or RNC) feeds COUNT-I, MESSAGE, DIRECTION, FRESH and IK into f9 to compute MAC-I and sends MESSAGE together with MAC-I. The receiver (ME or RNC) feeds the same inputs into f9 to compute XMAC-I and checks “MAC-I = XMAC-I ?”.]

Source: TS 33.102, Clause 6.5

Confidentiality and integrity - Integrity mechanism (2/2)

• Integrity protection: layer 2
  – RRC sublayer
• Key input values
  – IK, 128 bits: Integrity key
  – COUNT-I, 32 bits: Integrity sequence number
    • consists of HFN_RRC + SN_RRC (SN_RRC is transmitted)
  – FRESH, 32 bits: Network-side nonce
  – MESSAGE: Signalling message
• Further input values
  – DIRECTION, 1 bit: Uplink/downlink
• Output values
  – MAC-I, 32 bits: message authentication code
  – XMAC-I, 32 bits: expected MAC

Source: TS 33.102, Clause 6.5

Confidentiality and integrity - Algorithms - KASUMI

KASUMI
• Design authority: SAGE
• Based on the block cipher MISTY (Mitsubishi)
• KASUMI is Japanese for “MIST”
• Two modes of operation
  – f8 for encryption
  – f9 for data integrity protection
• Externally reviewed by three teams of experts
• Reviews were unanimously positive
• Soon to be published

Confidentiality and integrity - Conclusions

• Additional security services
  – Explicit data integrity protection for signalling messages
  – Termination point moved away from the border of the network towards the radio network controller
• Increased security
  – Longer key lengths
  – Reviews by three independent teams of experts
• Increased trust
  – Algorithms expected to be published soon

Connection establishment - Content

• Initiation of ciphering and integrity
• Triggering AKA versus local authentication
• Negotiation of ciphering/integrity mode
• Re-authentication during an ongoing connection
• Periodic in-call authentication

Connection establishment - Overview

[Figure: message sequence between ME/USIM, RNC and VLR/SGSN; the protocol carrying each message is given in parentheses]

1. Connection Establishment (RRC)
2. Initial L3 message (MM)
3. IMSI Interrogation (MM)
4. Authentication and key agreement (MM)
5. Security mode command (RANAP)
6. Security mode command (RRC)
7. Security mode response (RRC)
8. Security mode complete (RANAP)
9. Response to initial L3 message (MM)
10. TMSI allocation (MM)

Connection establishment - Initiation of ciphering/integrity

Three parameters
• START, 32 bits: initial hyperframe number
  – Used to initialise COUNT-C and COUNT-I
  – Assures the user that MAC-I are fresh
  – START is stored/updated in the ME and the USIM
• CKSN, 3 bits: cipher key sequence number
  – Indicates the key set that is stored in the ME/USIM
  – When START exceeds a certain threshold, CKSN can be used by the user to trigger a new AKA
• FRESH, 32 bits: network nonce
  – Nonce generated by the RNC
  – Assures the network that MAC-I are fresh

Connection establishment - Initiation of ciphering/integrity

[Figure: message sequence between ME/USIM, RNC and VLR/SGSN, with the parameters carried by each message]

1. Connection Establishment: → START →
2. Initial L3 message: CKSN
   Decide AKA / No AKA
4. Authentication and key agreement
5. Security mode command: CK, IK
6. Security mode command: FRESH (first integrity protected message)
7. Security mode response (first ciphered message)

The figure also marks the points labelled “Start of integrity protection” and “Start of ciphering/deciphering”.

Connection establishment - Triggering AKA versus local authentication

AKA is performed when ...
• … the user enters a new SN
• … the user indicates that a new AKA is required (i.e., when the amount of data ciphered with CK has exceeded a certain THRESHOLD value, set by the USIM)
• … the serving network decides to (the SN should ensure that CK/IK sets are replaced at least once every 24 hours)

Otherwise: Integrity-key based authentication
• connection establishment (without AKA) provides mutual authentication between UE and SN, through the mandatory use of integrity protection and the mandatory execution of the security mode command/response procedure

→ Secure reduction of the frequency of AKA

Connection establishment - Negotiation of cipher/integrity modes

[Figure: message sequence between ME/USIM, RNC and VLR/SGSN, with the parameters carried by each message]

1. Connection Establishment: → UEA_MS, UIA_MS →
5. Security mode command: UEA_CN, UIA_CN, CK, IK
   RNC selects UEA and UIA
6. Security mode command: UEA, UIA, UEA_MS, UIA_MS
7. Security mode response
8. Security mode complete: UEA, UIA

The figure also marks the points labelled “Start of integrity protection” and “Start of ciphering/deciphering”.

Connection establishment - Negotiation of cipher/integrity modes

Security
• User is assured that network has received accurate information on UEA_MS and UIA_MS

Encryption is recommended
• “0000”: no encryption
• “0001”: Kasumi

Integrity is mandatory
• “0001”: Kasumi

Negotiation built on user preference
• UEA_MS and UIA_MS list supported modes in order of preference
• RNC selects UEA and UIA supported by both sides and most preferred by the user

(Connection establishment) - Re-authentication during ongoing connection

[Figure: message sequence between ME/USIM, RNC and VLR/SGSN]

2. Re-authentication request
4. Authentication and key agreement
5. Security mode command: CK, IK
6. Security mode command (first message integrity protected with new IK)
7. Security mode response (first message ciphered with new CK)
8. Security mode complete

The figure also marks the points labelled “Application new IK” and “Application new CK”.

(Connection establishment) - Re-authentication during on-going connection

Purpose
• re-authenticate during long connections (especially PS connections)

Applicability
• PS connections (where need is highest)
• CS connections

Initiation
• VLR/SGSN
  – when it detects that CK/IK set is in use for too long a time
• UE (may be moved to release ‘00)
  – when it detects that CK/IK set is in use for too much data, i.e., the largest COUNT-C parameter exceeds a threshold value set by the USIM in the ME

Connection establishment - Conclusions

• Additional security services
  – Secure cipher/integrity mode negotiation
  – Re-authentication during an on-going connection
  – User-control over the lifetime of a cipher/integrity key set
• Additional home environment / user control
  – Selection of ciphering/integrity mode based on user preferences
  – Lifetime of cipher/integrity key sets

Mobile equipment identity security

• IMEI is not properly secure in many GSM terminals
• IMEI mechanism remains the same
• New requirement (also on new GSM ME): once the mobile equipment leaves the factory, it will be “impossible” to modify the mobile equipment identity
• Additional improvement: the mobile equipment identity - when sent over the radio link - shall be integrity protected
• The cost of more enhanced mechanisms was too high relative to the envisaged benefit

IMEI = International Mobile Equipment Identity

Network domain security - Introduction

Purpose
• Provide security services for signalling within the core network, within one network, or between several networks

Services
• Entity authentication
• Key establishment
• Data integrity protection
• Confidentiality

Protocols
• MAP
• GTP

MAP = Mobile Application Part
GTP = GPRS Transport Protocol

Network domain security - Overview

[Figure: Network X with KAC_X and network entities NE_X(1), NE_X(2), NE_X(3); Network Y with KAC_Y and network entities NE_Y(1), NE_Y(2), NE_Y(3). Three layers are marked: Layer 1 key establishment, Layer 2 key distribution, Layer 3 transport security.]

KAC = Key Administration Centre
NE = Network entity

Network domain security - Discussion of the different layers

Layer 1 - key establishment
• Public key cryptography
• KAC stores public/private key pairs
• Establishes symmetric cipher/integrity keys
• R’00

Layer 2 - key distribution
• KAC distributes symmetric cipher/integrity keys to NE
• To be standardised by SA-5 by mid-June (R’99 / R’00)

Layer 3 - transport security
• NE apply symmetric cipher/integrity keys to protect signalling
• Should be standardised by CN-2 by mid-March (R’99 / R’00)

Conclusions

• Enhanced security
  – Protection against false base station attacks through enhanced authentication and key agreement and integrity protection
  – Stronger encryption through longer keys and stronger algorithms; increased trust through public algorithms
  – Encryption beyond the base station further into the network
  – Mechanisms to secure core network signalling
• Interoperability with and evolution from GSM
• Interoperability with 3GPP2 system