Special Articles on SAE Standardization Technology

Security Technology for SAE/LTE

Alf Zugenmaier, Hiroshi Aono
DOCOMO Communications Laboratories Europe GmbH
Services & Solutions Development Department

Keywords: Access Security, Authentication, Encryption

For a smooth transition from 3G to 4G, we have studied the requirements for new security functions to be introduced for LTE. Of those, security functions that provide the same level of security as the previous 3G system or higher, and functions for defense against current attacks from the Internet, are particularly important. We therefore introduced a key hierarchy, separated security into an access stratum and a non-access stratum, and expanded the forward security functions during handover as the main new security functions for LTE.

1. Introduction

The Long Term Evolution (LTE) architecture design is greatly different from the scheme used by the existing FOMA network (3G). That difference brings with it a need to adapt and improve the security functions. The most important requirement is that at least the same level of security as exists in the 3G network must be guaranteed in LTE. The main changes and additions made to satisfy that requirement are listed below [1][2].

- Introduction of a hierarchical key system in which keys can be changed for different purposes
- Separation of the security functions for the Non-access Stratum (NAS)*1, in which processing is done for communication between a core network node and a mobile terminal (UE), from those functions for the Access Stratum (AS)*2, which encompasses communication between the network edge (evolved Node B (eNB)*3) and the UE
- Introduction of the concept of forward security, which limits the scope of harm when a compromised*4 key is used
- Addition of security functions for interconnection between a 3G network and an LTE network

In this article, we describe the main new security functions for LTE to which NTT DOCOMO contributed in 3GPP Service and System Aspects (SA) WG3: introduction of a key hierarchy, separation of the NAS security functions from AS security and expansion of forward security functions for handover.

*1 NAS: The functional layer in the Universal Mobile Telecommunications System (UMTS) protocol stack between the core network and the UE.
*2 AS: The functional layer in the UMTS protocol stack between the eNB (see *3) and the UE.
*3 eNB: A base station for the LTE radio access system.
*4 Compromised: A security-relevant item (such as a key) is compromised if it is known to or can be accessed by an unauthorized party.

2. LTE Security Requirements

Currently, the security functions for 3G services [3] are in wide use, providing the 3G network with confidentiality of user IDs, authentication, confidentiality of the User Plane (U-Plane)*5 and the Control Plane (C-Plane)*6 as well as C-Plane integrity protection*7 at a security level in conformance with other international standards.

There are four main requirements for security functions in LTE:

- Provide at least the same level of security as the 3G network without affecting user convenience.
- Provide defense against current attacks from the Internet.
- The security functions provided by LTE shall not affect the stepwise transition from 3G to LTE.
- Allow continued use of the Universal Subscriber Identity Module (USIM)*8.
The latter two are satisfied by re-using the 3GPP Authentication and Key Agreement (3GPP AKA)*9 mechanism.

The security requirements for the evolved packet core, i.e., the LTE core network, can be satisfied by applying Network Domain Security (NDS)*10 on the IP layer as standardized in TS33.210 [4], in the same way as for 3G.

However, because some of the Radio Network Controller (RNC) functions are integrated into the eNB in LTE, the 3G security architecture cannot be re-used as-is for the radio access network in LTE. Specifically, the eNB stores the keys for encryption and integrity protection only while the UE is in the connected state. Thus, for example, the key for protecting signalling messages is not stored when the UE is not connected, unlike in 3G.

Furthermore, the eNBs in LTE may be installed in exposed locations to ensure coverage for indoor areas such as offices and sufficient wireless capacity, a measure that is expected to increase the risk of unauthorized access to the eNB. Therefore, the measures described below are specified to minimize the harm that may result when a key is stolen from an eNB.
3. Key Hierarchy

For data encryption, LTE uses a stream encryption method in which data is encrypted by taking an exclusive OR (XOR)*11 of the data and a key stream*12, in the same way as is done in 3G. It is very important in that method that the key stream is never re-used. The algorithms used in 3G and LTE [5][6] generate a key stream of finite length. Therefore, to prevent re-use of the key stream, the key used to generate the key stream is changed regularly, e.g. when connecting to a network or during handovers. In the 3G network, execution of AKA is necessary to generate that key. Executing AKA may take several hundred milliseconds for key computation on the USIM and for connection to the Home Subscriber Server (HSS)*13, so a function that allows key updating without executing AKA must be added to achieve the higher data rates of LTE.

In addition, to minimize the harm that may result if one of the keys used for encryption or integrity protection becomes compromised, it is desirable that the same key is not stored and used at multiple locations on the network. To solve that issue in LTE, we introduced a hierarchical key system (Figure 1).

In the same way as for the 3G network, the USIM and Authentication Center (AuC)*14 share secret information (key K) in advance.
- When AKA is executed for mutual authentication by the network and user, key CK for encryption and key IK for integrity protection are generated and respectively passed from USIM to Mobile Equipment (ME) and from AuC to HSS.
- ME and HSS generate K_ASME from the key pair CK and IK using a key generation function that is based on the ID of the visited network. By establishing the correspondence of that key, HSS guarantees that this K_ASME can be used only by the visited network. K_ASME is transferred from the HSS to the Mobility Management Entity (MME)*15 of the visited network to serve as basic information on the key hierarchy.
- The K_NASenc key for NAS protocol encryption between the UE and the MME and the K_NASint key for integrity protection are generated from the K_ASME.
- When the UE is connected to the network, MME generates the K_eNB key and passes it to the eNB. From this K_eNB, the K_UPenc key for U-Plane encryption, the K_RRCenc key for Radio Resource Control (RRC) encryption and the K_RRCint key for integrity protection are generated.

*5 U-Plane: The protocol for transmitting user data.
*6 C-Plane: The protocol for transmitting control signals.
*7 Integrity protection: Security technology against tampering with communication data.
*8 USIM: An application on an IC card to persistently store subscriber information such as configuration and authentication data as well as subscriber-defined information such as phone numbers.
*9 3GPP AKA: A 3GPP protocol for mutually authenticating network and USIM and for sharing temporary keys for encryption and integrity protection.
*10 NDS: Security between the nodes within a network domain.
*11 XOR: A logical operation whose output is true when an odd number of its input bits are true and false when an even number are true.
*12 Key stream: In stream encryption, encryption is done by performing a bit-wise XOR of the plaintext data with a pseudo-random number. The pseudo-random number generated by the stream cipher is called a key stream.
*13 HSS: A subscriber information database in a 3GPP mobile communication network; it manages authentication information and network visiting information.
*14 AuC: A logical node in 3GPP for storing user authentication data and other data related to security.
*15 MME: A logical node for mobility management and control.
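As an added illustration of the hierarchy listed above (not code from the article or from 3GPP), the following Python models the derivation chain of Figure 1 and what each node ends up holding. HMAC-SHA-256 with string labels stands in for the 3GPP key derivation function; the labels, input encodings, sample CK/IK values and network IDs are assumptions.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """One-way derivation (HMAC-SHA-256 over a label and length-prefixed inputs).
    Stand-in for the 3GPP KDF: the labels and encodings here are assumptions."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_k_asme(ck: bytes, ik: bytes, sn_id: bytes) -> bytes:
    """ME and HSS: bind the AKA output CK||IK to the visited network ID."""
    return kdf(ck + ik, b"K_ASME", sn_id)


def mme_context(k_asme: bytes, nas_ul_count: int) -> dict:
    """MME and UE: NAS keys, plus a K_eNB that is fresh per connection
    because the NAS uplink COUNT is mixed in (no AKA re-run needed)."""
    return {
        "K_NASenc": kdf(k_asme, b"NAS-enc"),
        "K_NASint": kdf(k_asme, b"NAS-int"),
        "K_eNB": kdf(k_asme, b"K_eNB", nas_ul_count.to_bytes(4, "big")),
    }


def enb_context(k_enb: bytes) -> dict:
    """eNB and UE: everything the base station holds derives from K_eNB alone,
    so a key stolen there does not expose K_ASME or the NAS keys."""
    return {
        "K_UPenc": kdf(k_enb, b"UP-enc"),
        "K_RRCenc": kdf(k_enb, b"RRC-enc"),
        "K_RRCint": kdf(k_enb, b"RRC-int"),
    }


# Constructed sample material (not real subscriber keys or network IDs).
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def attach(sn_id: bytes, nas_ul_count: int) -> dict:
    """One connection to network `sn_id`: the keys each node ends up holding."""
    k_asme = derive_k_asme(CK, IK, sn_id)
    mme = mme_context(k_asme, nas_ul_count)
    return {"K_ASME": k_asme, "MME": mme, "eNB": enb_context(mme["K_eNB"])}
```

Two attaches to the same network with different NAS uplink COUNT values share K_ASME and the NAS keys but get distinct K_eNB and AS keys, which is the key refresh without AKA that the section describes.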
4. Separation of AS and NAS Security Functions

Because it is assumed that a large volume of data can be transmitted only when the UE is connected, the LTE network establishes security associations*16 between the UE and eNB only for UEs that are connected. Accordingly, for UEs in idle mode, there is no need to preserve state in an eNB. Because NAS messages are exchanged with idle mode UEs, NAS security associations are established between the UE and core network nodes, i.e. the MME.

After UE authentication, the MME retains the K_ASME, which is the topmost key of the key hierarchy in the visited network. The NAS security mode command negotiates the encryption and integrity protection algorithms for NAS communication using the K_NASenc and K_NASint keys. At this point, the MME must determine from which UE the authentication request message arrived in order to find the correct keys to use for decryption and to verify the data integrity. However, the UE ID (International Mobile Subscriber Identity (IMSI)) should be protected in the radio area, so a temporary ID called the Globally Unique Temporary Identity (GUTI)*17 was introduced in LTE to identify the UE instead of using the IMSI. This GUTI is changed periodically, so it is not possible to trace which GUTI the UE is using.

As soon as the UE enters the connected state, the eNB switches on the AS protection functions with the AS security mode command. Afterwards, AS security is applied to all communication between the UE and the eNB. The algorithm used for AS is negotiated independently from the algorithm used for NAS. In countries that do not allow encryption, it is possible to negotiate a mode that does not provide security through encryption.

In LTE, encryption and integrity protection algorithms based on Snow 3G*18 and the Advanced Encryption Standard (AES)*19 are standardized. While each of those two algorithms provides full security on its own, two standard algorithms that differ in basic structure are used in 3GPP so that even if one algorithm is broken, the other can be used for continued secure use of the LTE system.
5. Handover Security

Installation of an eNB in an exposed location creates a high risk of unauthorized access to it, so adequate security is required. To achieve that, the concept of forward security was introduced to LTE. Here, forward security means that, without knowledge of K_ASME, even with knowledge of the K_eNB that is shared by the UE and the current eNB, computational complexity prevents guessing the future K_eNBs which will be used between the UE and the eNBs to which the UE will connect in the future. Thus, the encryption will not be broken.
The model for key transmission at handover in LTE is shown in Figure 2. When the initial AS security context is shared by UE and eNB, MME and UE must respectively generate the K_eNB and the Next-hop parameter*20 (hereinafter referred to as “NH”). K_eNB and NH are generated from K_ASME, and there is a K_eNB and NH for each NH Chaining Counter (NCC)*21. Those respective K_eNB are generated from the NH value for each NCC. In the initial setting, K_eNB is generated directly from K_ASME and the NAS uplink COUNT, resulting in an NCC=0 key chain. With the initial setting, the derived NH value is also used for a key chain of NCC=1 or less.

K_eNB is used as the base key for securing communication between UE and eNB. For handover directly between eNBs, the new K_eNB is generated from the active K_eNB or from the NH. In the figure, a horizontal key derivation depicts generation of K_eNB from the existing K_eNB; a vertical key derivation depicts generation of K_eNB from the NH. In handovers using vertical key derivation, K_eNB is generated from NH with additional inputs of the connection’s E-UTRAN Absolute Radio Frequency Channel Number-Down Link (EARFCN-DL) and its target Physical Cell Identity (PCI). In handover using horizontal key derivation, the K_eNB is generated from the current K_eNB using the target PCI and its EARFCN-DL as additional parameters.
Because NH can be calculated only by UE and MME, this use of NH provides a method that achieves forward security in handovers across multiple eNBs. In that case, the n-hop forward security at the time of vertical key delivery means that the future K_eNB to be used when the UE connects to another eNB after n (where n is 1 or 2) or more handovers cannot be guessed because of computational complexity. This function can limit the scope of harm, even if a key is leaked, because future keys will be generated without using the current K_eNB in the case of vertical key delivery.
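The chaining described in this section, as an added Python model that is not from the article or from TS 33.401: it runs a mix of horizontal and vertical handovers as the UE and MME see them, and shows which future K_eNB values can be recomputed from a single leaked K_eNB. HMAC-SHA-256 stands in for the 3GPP KDF; the labels, input encodings, NCC bookkeeping, hop list and sample values are assumptions.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    """HMAC-SHA-256 stand-in for the 3GPP KDF; labels and encodings are assumptions."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in inputs)
    return hmac.new(key, msg, hashlib.sha256).digest()

def next_nh(k_asme: bytes, prev: bytes) -> bytes:
    """NH for the next NCC; it needs K_ASME, so only the UE and MME can compute it."""
    return kdf(k_asme, b"NH", prev)

def k_enb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """Target-cell key from the target PCI and EARFCN-DL. `base` is the current
    K_eNB for a horizontal derivation or the unused NH for a vertical one."""
    return kdf(base, b"K_eNB*", pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

def run_chain(k_asme: bytes, hops: list) -> list:
    """Handovers as UE and MME see them; each hop is ("H" or "V", pci, earfcn_dl).
    Returns one (ncc, K_eNB) per connection, starting with the initial context."""
    k_enb = kdf(k_asme, b"K_eNB", (0).to_bytes(4, "big"))  # NCC=0, NAS uplink COUNT 0
    nh, ncc = next_nh(k_asme, k_enb), 0                    # NH for NCC=1 at attach
    chain = [(ncc, k_enb)]
    for kind, pci, earfcn_dl in hops:
        if kind == "H":                                    # horizontal: NCC unchanged
            k_enb = k_enb_star(k_enb, pci, earfcn_dl)
        else:                                              # vertical: consume NH, NCC+1
            k_enb, ncc = k_enb_star(nh, pci, earfcn_dl), ncc + 1
            nh = next_nh(k_asme, nh)
        chain.append((ncc, k_enb))
    return chain

def exposure_after_leak(k_enb: bytes, hops: list) -> list:
    """Future keys recomputable from one leaked K_eNB alone: horizontal hops
    follow, but the first vertical hop needs NH (hence K_ASME), so it stops."""
    keys = []
    for kind, pci, earfcn_dl in hops:
        if kind != "H":
            break
        k_enb = k_enb_star(k_enb, pci, earfcn_dl)
        keys.append(k_enb)
    return keys

# Constructed sample values (not real key material or cell parameters).
K_ASME = bytes.fromhex("0f" * 32)
HOPS = [("H", 101, 1800), ("H", 102, 1800), ("V", 203, 1850), ("H", 204, 1850)]
```

With the sample hop list, a key leaked from the first eNB reproduces the next two (horizontal) keys, but the vertical hop and everything after it stay out of reach.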
6. Conclusion

LTE security functions must provide at least the same level of security as provided by 3G security functions, and still minimize the effect on the previous architecture. The current 3GPP Release 8 has standardized the security functions that satisfy those requirements. In the future, we will continue to develop new security functions such as Home eNB security and Machine to Machine (M2M) security for standardization in Release 9.
References
[1] 3GPP TS33.401 V8.4.0: “3GPP System Architecture Evolution (SAE); Security architecture,” 2009.
[2] 3GPP TR33.821 V8.0.0: “Rationale and track of security decisions in Long Term Evolution (LTE) RAN / 3GPP System Architecture Evolution (SAE),” 2009.
[3] 3GPP TS33.102 V8.3.0: “3G security; Security architecture,” 2009.
[4] 3GPP TS33.210 V8.3.0: “3G Security; Network Domain Security; IP network layer security,” 2009.
[5] 3GPP TS35.201 V8.0.0: “Specification of the 3GPP confidentiality and integrity algorithm; Document 1: f8 and f9 specification,” 2008.
[6] 3GPP TS35.216 V8.0.0: “Specification of the 3GPP confidentiality and integrity algorithm; Document 1: UEA2 and UIA2 specification,” 2008.
*16 Security association: Establishes a secure communication path by exchanging or sharing information such as encryption methods and encryption keys before communication begins.
*17 GUTI: A temporary ID used to distinguish users in SAE/LTE.
*18 Snow 3G: A stream encryption method used in LTE.
*19 AES: A symmetric key encryption method that has been adopted as a new encryption standard by the U.S.A. It is also one of the cryptosystems used in 3GPP.
*20 Next-hop parameter: A key generated by UE and MME to implement forward security. Its value is changed when NCC (see *21) is incremented.
*21 NCC: The next-hop chaining counter, which is incremented when a vertical handover is executed.