Special Articles on SAE Standardization Technology

Security Technology for SAE/LTE

Access Security, Authentication, Encryption

Alf Zugenmaier, DOCOMO Communications Laboratories Europe GmbH
Hiroshi Aono, Services & Solutions Development Department

For a smooth transition from 3G to LTE, we have studied the requirements for new security functions to be introduced for LTE. Of those, security functions that provide at least the same level of security as the previous 3G system and functions for defense against current attacks from the Internet are particularly important. We therefore introduced a key hierarchy, separated security into an access stratum and a non-access stratum, and expanded the forward security functions during handover as the main new security functions for LTE.

1. Introduction

The Long Term Evolution (LTE) architecture design is greatly different from the scheme used by the existing FOMA network (3G). That difference brings with it a need to adapt and improve the security functions. The most important requirement is that at least the same level of security as exists in the 3G network must be guaranteed in LTE. The main changes and additions made to satisfy that requirement are listed below [1][2].

• Introduction of a hierarchical key system in which keys can be changed for different purposes
• Separation of the security functions for the Non-access Stratum (NAS)*1, in which processing is done for communication between a core network node and a mobile terminal (UE), from those functions for the Access Stratum (AS)*2, which encompasses communication between the network edge (evolved Node B (eNB)*3) and the UE
• Introduction of the concept of forward security, which limits the scope of harm when a compromised*4 key is used
• Addition of security functions for interconnection between a 3G network and an LTE network

In this article, we describe the main new security functions for LTE to which NTT DOCOMO contributed in 3GPP Service and System Aspects (SA) WG3: introduction of a key hierarchy, separation of the NAS security functions from AS security and expansion of forward security functions for handover.

2. LTE Security Requirements

Currently, the security functions for 3G services [3] are in wide use, providing the 3G network with confidentiality of user IDs, authentication, confidentiality of the User Plane (U-Plane)*5 and the Control Plane (C-Plane)*6 as well as C-Plane integrity protection*7 at a security level in conformance with other

*1 NAS: The functional layer in the Universal Mobile Telecommunications System (UMTS) between the core network and the UE.
*2 AS: The functional layer in the UMTS protocol stack between the eNB (see *3) and the UE.
*3 eNB: A base station for the LTE radio access system.
*4 Compromised: A security relevant item (such as a key) is compromised if it is known to or can be accessed by an unauthorized party.

NTT DOCOMO Technical Journal Vol. 11 No. 3

international standards.

There are four main requirements for security functions in LTE:
• Provide at least the same level of security as the 3G network without affecting user convenience.
• Provide defense against current attacks from the Internet.
• The security functions provided by LTE shall not affect the step-wise transition from 3G to LTE.
• Allow continued use of the Universal Subscriber Identity Module (USIM)*8.

The latter two are satisfied by re-using the 3GPP Authentication and Key Agreement (3GPP AKA)*9 mechanism. The security requirements for the evolved packet core, i.e., the LTE core network, can be satisfied by applying Network Domain Security (NDS)*10 on the IP layer as standardized in TS33.210 [4], in the same way as for 3G. However, because some of the Radio Network Controller (RNC) functions are integrated into the eNB in LTE, the 3G security architecture cannot be re-used as-is for the radio access network in LTE. Specifically, the eNB stores the key for encryption and integrity protection only while the UE is in the connected state. Thus, for example, the key for acting on the signaling messages is not stored when the UE is not connected, unlike in 3G. Furthermore, the eNBs in LTE may be installed in exposed locations to ensure coverage for indoor areas such as offices and sufficient wireless capacity, a measure that is expected to increase the risk of unauthorized access to the eNB. Therefore, the measures described below are specified to minimize the harm that may result when a key is stolen from an eNB.

3. Key Hierarchy

For data encryption, LTE uses a stream encryption method in which data is encrypted by taking an exclusive OR (XOR)*11 of the data and a key stream*12, in the same way as is done in 3G. It is very important in that method that the key stream is never re-used. The algorithms used in 3G and LTE [5][6] generate a key stream of finite length. Therefore, to prevent re-use of the key stream, the key used to generate the key stream is changed regularly, e.g. when connecting to a network or during handovers. In the 3G network, execution of AKA is necessary to generate that key. Executing AKA may take several hundreds of milliseconds for key computation on the USIM and for connection to the Home Subscriber Server (HSS)*13, so a function that allows key updating without executing AKA must be added to achieve the higher data rate of LTE. In addition, to minimize the harm that may result if one of the keys used for encryption or integrity protection becomes compromised, it is desirable that the same key is not stored and used at multiple locations in the network. To solve that issue in LTE, we introduced a hierarchical key system (Figure 1). In the same way as for the 3G network, the USIM and Authentication Center (AuC)*14 share secret information (key K) in advance.

[Figure 1: Hierarchical keys and method for key generation between entities in LTE. UE side: USIM holds K; the ME holds CK and IK, KASME, the NAS keys KNASenc and KNASint, KeNB, and the AS keys KUPenc, KRRCenc and KRRCint. Network side: the AuC holds K; the HSS holds CK and IK; the MME holds KASME, KNASenc and KNASint; the eNB holds KeNB, KUPenc, KRRCenc and KRRCint. K is shared by executing AKA; the figure's numbered steps match the four bullets that follow.]

• When AKA is executed for mutual

*5 U-Plane: The protocol for transmitting user data.
*6 C-Plane: The protocol for transmitting control signals.
*7 Integrity protection: Security technology against tampering with communication data.
*8 USIM: An application on an IC card to persistently store subscriber information such as configuration and authentication data as well as subscriber defined information such as phone numbers.
*9 3GPP AKA: A 3GPP protocol for mutually authenticating network and USIM and for sharing temporary keys for encryption and integrity protection.
*10 NDS: Security between the nodes within a network domain.

authentication by the network and user, key CK for encryption and key IK for integrity protection are generated and passed from the USIM to the Mobile Equipment (ME) and from the AuC to the HSS, respectively.
• The ME and the HSS generate KASME from the key pair CK and IK using a key generation function that takes the ID of the visited network as input. By binding the key to that ID, the HSS guarantees that this KASME can be used only by the visited network. KASME is transferred from the HSS to the Mobility Management Entity (MME)*15 of the visited network to serve as the basis of the key hierarchy.
• The KNASenc key for NAS protocol encryption between the UE and the MME and the KNASint key for integrity protection are generated from KASME.
• When the UE is connected to the network, the MME generates the KeNB key and passes it to the eNB. From this KeNB, the KUPenc key for U-Plane encryption, the KRRCenc key for Radio Resource Control (RRC) encryption and the KRRCint key for integrity protection are generated.

4. Separation of AS and NAS Security Functions

Because it is assumed that a large volume of data can be transmitted only when the UE is connected, the LTE network establishes security associations*16 between the UE and the eNB only for UEs that are connected. Accordingly, for UEs in idle mode, there is no need to preserve state in an eNB. Because NAS messages are exchanged with idle mode UEs, NAS security associations are established between the UE and core network nodes, i.e. the MME. After UE authentication, the MME retains KASME, which is the topmost key of the key hierarchy in the visited network. The NAS security mode command negotiates the encryption and integrity protection algorithms for NAS communication using the KNASenc and KNASint keys. At this point, the MME must determine from which UE the authentication request message arrived in order to find the correct keys to use for decryption and to verify the data integrity. However, the UE ID (International Mobile Subscriber Identity (IMSI)) should be protected in the radio area, so a temporary ID called the Globally Unique Temporary Identity (GUTI)*17 was introduced in LTE to identify the UE instead of using the IMSI. This GUTI is changed periodically, so it is not possible to trace which GUTI the UE is using.

As soon as the UE enters the connected state, the eNB switches on the AS protection functions with the AS security mode command. Afterwards, AS security is applied to all communication between the UE and the eNB. The algorithm used for AS is negotiated independently from the algorithm used for NAS. In countries that do not allow encryption, it is possible to negotiate a mode that does not provide security through encryption. In LTE, encryption and integrity protection algorithms based on Snow 3G*18 and the Advanced Encryption Standard (AES)*19 are standardized. While those two algorithms each provide full security, two standard algorithms that differ in basic structure are used in 3GPP so that even if one algorithm is broken, the other can be used for continued secure use of the LTE system.

5. Handover Security

Installation of an eNB in an exposed location creates a high risk of unauthorized access to it, so adequate security is required. To achieve that, the concept of forward security was introduced to LTE. Here, forward security means that, without knowledge of KASME, even with knowledge of the KeNB that is shared by the UE and the current eNB, computational complexity prevents guessing the future KeNBs which will be used between the UE and the eNBs to which the UE will connect in the future. Thus, the encryption will not be broken. The model for key transmission at handover in LTE is shown in Figure 2. When the initial AS security context is shared by the UE and the eNB, the MME and the UE must each generate the KeNB and the Next-hop parameter*20 (hereinafter referred to as "NH"). KeNB and NH are

*11 XOR: A logical computational operation in which the value of the given input is taken as true when there is an odd number of true bits and false when there is an even number of true bits.
*12 Key stream: In stream encryption, encryption is done by performing a bit-wise XOR of the plaintext data with a pseudo-random number. The pseudo-random number generated by stream encryption is called a key stream.
*13 HSS: A subscriber information database in a 3GPP mobile communication network; it manages authentication information and network visiting information.
*14 AuC: A logical node in 3GPP for storing user authentication data and other data related to security.
*15 MME: A logical node for mobility management and control.


generated from KASME, and there is a KeNB and an NH for each value of the NH Chaining Counter (NCC)*21. The respective KeNB are generated from the NH value for each NCC. In the initial setting, KeNB is generated directly from KASME and the NAS uplink COUNT, resulting in the NCC=0 key chain. With the initial setting, the derived NH value is also used for the key chain of NCC=1 or less.

KeNB is used as the base key for securing communication between the UE and the eNB. For handover directly between eNBs, the new key KeNB* is generated from the active KeNB or from the NH. In the figure, a horizontal key derivation depicts generation of KeNB* from the existing KeNB; a vertical key derivation depicts generation of KeNB* from the NH. In handovers using vertical key derivation, KeNB* is generated from NH with additional inputs of the connection's E-UTRAN Absolute Radio Frequency Channel Number-Downlink (EARFCN-DL) and its target Physical Cell Identity (PCI). In handover using horizontal key derivation, KeNB* is generated from the current KeNB using the target PCI and its EARFCN-DL as additional parameters.

Because NH can be calculated only by the UE and the MME, this use of NH provides a method that achieves forward security in handovers across multiple eNBs. In that case, the n-hop forward security at the time of vertical key delivery means that the future KeNB to be used when the UE connects to another eNB after n (where n is 1 or 2) or more handovers cannot be guessed because of computational complexity. This function can limit the scope of harm, even if a key is leaked, because future keys will be generated without using the current KeNB in case of vertical key delivery.

[Figure 2: Key chain model for handover. Inputs: NAS uplink COUNT and KASME for the initial KeNB (NCC=0); NH for the NCC=1 and NCC=2 chains; the target PCI and EARFCN-DL for each KeNB* derivation. Horizontal arrows (KeNB to KeNB*) show horizontal key derivation along a chain; steps through NH show vertical key derivation. Legend: Computation, Output.]

6. Conclusion

LTE security functions must provide at least the same level of security as provided by 3G security functions, and still minimize the effect on the previous architecture. The current 3GPP Release 8 has standardized the security functions that satisfy those requirements. In the future, we will continue to develop new security functions such as Home eNB security and Machine to Machine (M2M) security for standardization in Release 9.

References
[1] 3GPP TS33.401 V8.4.0: "3GPP System Architecture Evolution (SAE); Security architecture," 2009.
[2] 3GPP TR33.821 V8.0.0: "Rationale and track of security decisions in Long Term Evolution (LTE) RAN / 3GPP System Architecture Evolution (SAE)," 2009.
[3] 3GPP TS33.102 V8.3.0: "3G security; Security architecture," 2009.
[4] 3GPP TS33.210 V8.3.0: "3G Security; Network Domain Security; IP network layer security," 2009.
[5] 3GPP TS35.201 V8.0.0: "Specification of the 3GPP confidentiality and integrity algorithm; Document 1: f8 and f9 specification," 2008.
[6] 3GPP TS35.216 V8.0.0: "Specification of the 3GPP confidentiality and integrity algorithm; Document 1: UEA2 and UIA2 specification," 2008.

*16 Security association: Establishes a secure communication path by exchanging or sharing information such as encryption methods and encryption keys before communication begins.
*17 GUTI: A temporary ID used to distinguish users in SAE/LTE.
*18 Snow 3G: A stream encryption method used in LTE.
*19 AES: A symmetric key encryption method that has been adopted as a new encryption standard by the U.S.A. It is also one of the cryptosystems used in 3GPP.
*20 Next-hop parameter: A key generated by the UE and the MME to implement forward security. Its value is changed when NCC (see *21) is incremented.
*21 NCC: The next-hop counter, which is incremented when a vertical handover is executed.
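As an added example (not part of the original article), the Python below models the key hierarchy of Figure 1 and the handover key chain of Figure 2 so that the forward security property of Section 5 can be checked on sample keys. The HMAC-SHA-256 KDF, the labels fed to it, the byte encodings of PCI and EARFCN-DL, and the exact NH inputs are assumptions standing in for the 3GPP definitions in TS 33.401, and the CK, IK and serving-network values are constructed sample inputs.

```python
import hmac
import hashlib

# Illustrative KDF (assumption): HMAC-SHA-256 over the concatenated inputs.
# The real 3GPP KDF, its FC values and parameter encoding live in TS 33.401.
def kdf(key: bytes, *params: bytes) -> bytes:
    return hmac.new(key, b"".join(params), hashlib.sha256).digest()

def derive_hierarchy(ck: bytes, ik: bytes, sn_id: bytes, nas_ul_count: int) -> dict:
    """Figure 1 from the MME side: KASME bound to the visited network's ID, the
    two NAS keys, and the KeNB handed to the eNB (start of the NCC=0 chain)."""
    k_asme = kdf(ck + ik, sn_id)
    return {"KASME": k_asme,
            "KNASenc": kdf(k_asme, b"NAS-enc"),
            "KNASint": kdf(k_asme, b"NAS-int"),
            "KeNB": kdf(k_asme, nas_ul_count.to_bytes(4, "big"))}

def as_keys(k_enb: bytes) -> dict:
    """Keys the eNB derives on its own; it never holds KASME."""
    return {n: kdf(k_enb, n.encode()) for n in ("KUPenc", "KRRCenc", "KRRCint")}

def nh_chain(k_asme: bytes, k_enb: bytes, max_ncc: int) -> list:
    """NH per NCC (exact inputs are an assumption): NH[0] is KeNB itself, NH[1]
    comes from KASME and KeNB, and each further NH from KASME and the previous NH."""
    chain = [k_enb]
    for _ in range(max_ncc):
        chain.append(kdf(k_asme, chain[-1]))
    return chain

def kenb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* for the target cell. Horizontal derivation passes the active KeNB
    as base; vertical derivation passes the NH for the new NCC."""
    return kdf(base, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

def keys_without_kasme(k_enb: bytes, targets: list) -> set:
    """Everything a node holding only KeNB can compute: the horizontal chain
    through the given (PCI, EARFCN-DL) targets."""
    reachable, k = set(), k_enb
    for pci, earfcn_dl in targets:
        k = kenb_star(k, pci, earfcn_dl)
        reachable.add(k)
    return reachable

def forward_security_holds(k_asme: bytes, k_enb: bytes, targets: list) -> bool:
    """The Section 5 property: after a vertical derivation at NCC=2, the new
    KeNB* is not among the keys the old KeNB alone can produce."""
    pci, earfcn_dl = targets[-1]
    fresh = kenb_star(nh_chain(k_asme, k_enb, 2)[2], pci, earfcn_dl)
    return fresh not in keys_without_kasme(k_enb, targets)
```

forward_security_holds() returns True because the NCC=2 key depends on KASME through NH, which a node holding only KeNB cannot derive; the horizontal chain, by contrast, is fully computable from KeNB alone.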
