How to secure an LTE network: Just applying the 3GPP security standards and that's it?

Uploaded by abusivetrainer (Networks and Communications), 20 Nov 2013

© Nokia Siemens Networks 2012 / Public / v1.2 / released

Slide 1: How to secure an LTE network: Just applying the 3GPP security standards and that's it?

Telco Security Day @ Troopers 2012

Peter Schneider
Nokia Siemens Networks Research

Slide 2: Intro / Agenda

- answer the title question: not only a simple “obviously not”
- 3GPP security architecture of the Evolved Packet System, aka “(SAE/)LTE network”, “4G mobile network”
- IP network security, network element security for the EPS
- many names:
  - 3GPP: 3rd Generation Partnership Project
  - LTE: Long Term Evolution
  - SAE: System Architecture Evolution
  - EPS: Evolved Packet System
  - 4G Mobile Network
  (List of 3GPP specific abbreviations at the end)

Peter Schneider / 2012-03-20

Slide 3: The Evolved Packet System (4G Mobile Network)

[Figure: network diagram of the EPS. Left part: 4G Radio Access Network with Mobile, eNB, Relay Node, HeNB and SeGW. Right part: 4G Mobile Core Network (Evolved Packet Core) with MME, HSS, PCRF, Charging Systems, Serv.GW and PDN-GW (together the SAE-GW), 3GPP AAA Server and ePDG, plus a Trusted Non-3GPP Access Network and an Untrusted Non-3GPP Access Network. External networks behind SEGs: Internet, Corporate IP Networks, IMS / Operator Services. Legend: Control plane, User plane, Control+user plane; Trusted, Untrusted.]

Slide 4: EPS Key Hierarchy and Radio Interface Security

[Figure: key hierarchy drawn across the columns USIM / Mobile, eNB, MME and HSS / AuC, with arrows for key transport, key derivation and key usage.]

- K: the shared long term secret that never leaves the USIM or the AuC
- CK/IK: derived from K, present in USIM and AuC
- K_ASME: present in Mobile, MME and HSS
- K_NASint, K_NASenc: derived from K_ASME in Mobile and MME; used for NAS signaling integrity and NAS signaling encryption
- K_eNB: present in Mobile, MME and eNB
- K_RRCint, K_RRCenc, K_UPenc: derived from K_eNB in Mobile and eNB; used for RRC signaling integrity, RRC signaling encryption and user plane encryption

Abbreviations on this slide: ASME = Access Security Mgmt. Entity; AuC = Authentication Centre; CK = Cipher Key; eNB = Evolved Node B; IK = Integrity Key; MME = Mobility Management Entity; NAS = Non Access Stratum; RRC = Radio Resource Control; USIM = UMTS Subscriber Identity Module

Slide 5: EPS Key Hierarchy and Radio Interface Security (continued)

- Authentication and Key Agreement (AKA) based on long term shared secrets (in USIM and AuC)
- key hierarchy providing key separation
  - 5 independent 128 bit keys
  - binding of keys to serving network identities
- integrity and confidentiality protection of Non Access Stratum (NAS) and Access Stratum (AS) signaling
  - strong algorithms: SNOW 3G, AES, optionally ZUC
  - integrity protection mandatory, encryption recommended
- no integrity for the user plane (issue with transmission errors)
- user and terminal identity confidentiality (against passive attacks only)

→ a sound concept, assumed to be strong enough for the next decade
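The key separation and serving network binding of slides 4 and 5 can be made concrete by running the derivation chain. The following is an added example, not code from the slides or from Nokia Siemens Networks: it implements the HMAC-SHA-256 based generic KDF of 3GPP TS 33.220 Annex B and walks CK/IK down to the five 128-bit algorithm keys using the FC values and parameter layout of 3GPP TS 33.401 Annex A as I read them. The function names, the key-value dictionary and every key, PLMN id and counter value are constructed for this example.

```python
"""EPS key hierarchy worked through with the 3GPP generic KDF.

Added example, not taken from the slides: derives K_ASME, K_eNB and the
five 128-bit algorithm keys of the EPS key hierarchy with the
HMAC-SHA-256 based KDF of 3GPP TS 33.220 Annex B, using the FC values and
parameter layout of 3GPP TS 33.401 Annex A (as I read that annex).
All key material and identities below are constructed test values.
"""
import hashlib
import hmac

# Algorithm type distinguishers for the algorithm key derivation (TS 33.401 A.7)
NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02
RRC_ENC_ALG, RRC_INT_ALG = 0x03, 0x04
UP_ENC_ALG = 0x05
# Algorithm identities: 1 = SNOW 3G (EEA1/EIA1), 2 = AES (EEA2/EIA2), 3 = ZUC (EEA3/EIA3)
ALG_AES = 0x02


def kdf_input(fc: int, *params: bytes) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ..., each Li a 2-byte big-endian length."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: 256-bit HMAC-SHA-256 over the encoded input string."""
    return hmac.new(key, kdf_input(fc, *params), hashlib.sha256).digest()


def derive_k_asme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """K_ASME = KDF(CK || IK, 0x10, SN id, SQN xor AK).

    Feeding the serving network id into the KDF is what binds the whole
    hierarchy to the serving network: another PLMN gets an unrelated K_ASME."""
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def derive_k_enb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """K_eNB = KDF(K_ASME, 0x11, uplink NAS COUNT); transported from MME to eNB."""
    return kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit algorithm key: the 128 least significant bits of KDF(parent, 0x15, type, id)."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_eps_keys(ck, ik, sn_id, sqn_xor_ak, ul_nas_count, nas_alg=ALG_AES, as_alg=ALG_AES):
    """The five independent 128-bit keys of the slide, keyed by their 3GPP names.

    NAS keys come from K_ASME (held by mobile and MME), RRC and UP keys from
    K_eNB (held by mobile and eNB), so a compromised eNB never learns NAS keys."""
    k_asme = derive_k_asme(ck, ik, sn_id, sqn_xor_ak)
    k_enb = derive_k_enb(k_asme, ul_nas_count)
    return {
        "K_NASenc": derive_alg_key(k_asme, NAS_ENC_ALG, nas_alg),
        "K_NASint": derive_alg_key(k_asme, NAS_INT_ALG, nas_alg),
        "K_RRCenc": derive_alg_key(k_enb, RRC_ENC_ALG, as_alg),
        "K_RRCint": derive_alg_key(k_enb, RRC_INT_ALG, as_alg),
        "K_UPenc": derive_alg_key(k_enb, UP_ENC_ALG, as_alg),
    }


# Constructed test vectors (not real subscriber material)
CK = bytes(range(16))
IK = bytes(range(16, 32))
SN_ID = bytes.fromhex("02f839")            # a PLMN id in the 3-byte SN id encoding
SQN_XOR_AK = bytes.fromhex("000000000005")

if __name__ == "__main__":
    keys = derive_eps_keys(CK, IK, SN_ID, SQN_XOR_AK, ul_nas_count=0)
    for name, k in keys.items():
        print(f"{name:9} {k.hex()}")
    # Serving network binding: same CK/IK, different PLMN, unrelated K_ASME
    home = derive_k_asme(CK, IK, SN_ID, SQN_XOR_AK)
    visited = derive_k_asme(CK, IK, bytes.fromhex("02f8a0"), SQN_XOR_AK)
    print("K_ASME differs per serving network:", home != visited)
```

Two properties worth noticing when running it: changing the uplink NAS COUNT changes K_eNB and therefore all RRC/UP keys while the NAS keys stay the same, and changing only the serving network id changes every key in the hierarchy, which is the binding the slide refers to.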

Slide 6: Backhaul Link Security

- IKEv2/IPsec with integrity and confidentiality protection mandatory for all traffic (control/user/management plane)
- well, not mandatory in all cases:
  “In case S1 and X2 user plane interfaces are trusted (e.g. physically protected), the use of IPsec/IKEv2 based protection is not needed.” [3GPP TS 33.401 V11.2.0 (2011-12)]
  and this holds also for control and management traffic

[Figure: two eNBs connected via X2; S1 user plane towards the Serving GW and S1 control plane towards the MME run through IPsec tunnels across an untrusted network, terminated at a SEG in front of the core.]

Slide 7: Backhaul Link Security (continued)

- profiling of IKEv2/IPsec specified; IKEv2 based on certificates
- eNB comes equipped with id, private/public key pair, manufacturer certificate, can be integrated into the operator PKI via certificate enrolment
  - “plug and play” solution
- alternatively: pre-installed operator certificate for mutual authentication when initially connecting to the core network
  - more secure and more expensive

→ a highly secure backhauling solution is specified (but less secure ones are not excluded)

[Figure: certificate enrolment. The eNB has a manufacturer key pair and a manufacturer signed certificate pre-installed. The Operator RA/CA has the manufacturer root certificate installed. The eNB obtains an operator signed certificate and the operator root certificate via CMPv2, then runs IPsec towards the Security Gateway, which has an operator signed certificate and the operator root certificate installed.]

Slide 8: Security for Core Interfaces (NDS/IP: Network Domain Security for IP)

- IKE/IPsec profiles specified similar to those for the backhaul link (IKEv2 or v1, peer authentication based on certificates, IPsec ESP in tunnel mode)
- IPsec mandatory to use for integrity protection of control traffic between “security domains”
  - example: GTP-C traffic between serving network and home network when roaming
- in specific cases, also encryption is mandatory
  - e.g. interface between core and 3G radio network controller, if they are in different security domains
    - protects 3G radio interface keys sent to the controller
  - seems that this has been forgotten (?) for the interface between MME in serving network and HSS in home network (S6a when roaming)
- all other IPsec protection is optional
- Security Gateways (SEGs) to be used at security domain borders
  - terminate IKE/IPsec
  - not specified: firewall functions (not required for interoperability)
- standard gives hints, but in the end the operator has to decide where and how to use NDS/IP

Slide 9: eNB (4G Base Station) Security

[Figure: eNB between Mobile and SEG, with a “Secure Environment” inside the eNB. Radio interface: NAS signaling and control plane protection, user plane encryption. Backhaul link: user plane, control plane and management plane under IPsec protection.]

Slide 10: eNB (4G Base Station) Security (continued)

- performs the crypto specified for radio interface and backhaul link
  - has access to the cleartext in the user plane
- may be exposed to tampering that can result in compromise, and then:
  - eavesdrop/modify user traffic, send maliciously crafted PDUs to the core, detach mobiles, discard traffic
  - mostly applicable to the local cell (possibly also to neighboring cells)
  - more to figure out …
- 3GPP requires a secure environment inside the eNB
  - stores keys, executes crypto, helps to secure boot
  - preserves integrity and confidentiality of its content
  - only authorized access

→ standardized requirements, but no standardized solution for the secure environment (not required for interoperability)

Slide 11: HeNB (4G Femto Cell) Security

- relevant functions within the security architecture like the regular eNBs
- even more exposed to tampering and compromise, and can be easily set up where required (increase transmission power if necessary)
  - targeted attack against victim users, e.g. “celebrity attack”: eavesdrop the celebrity’s calls
  - plus attacks against the core network (see eNB)
- 3GPP requires
  - a Trusted Environment inside the HeNB
    - built on a HW-based root of trust, secure boot, load only verified components
    - assure the eNB secure environment for crypto, key storage etc.
  - a device integrity check on boot (in case of failure no access to credentials)

→ standardized strong requirements, but no standardized solution (not relevant for interoperability)

- a typical operator business case requires cheap HeNBs, low TCO
- How secure will HeNBs be in practice?

Slide 12: HeNB (4G Femto Cell) Security (continued)

- HeNB may be in closed mode (can only be used by a CSG, Closed Subscriber Group)
  - this can protect other subscribers (in Rel 11)
- mutual authentication with IKEv2 when connecting to the core
  - optional hosting party authentication
- IPsec used to be mandatory for all communication with the core network (in Rel 9), but in Rel 11 the standard says:
  “If the operator chooses not to use IPsec, mutual authentication between the H(e)NB device and the SeGW shall be performed and the interface between the H(e)NB and SeGW shall be secured with a mechanism that provides layer 2 security for confidentiality and integrity protection of communications. This mechanism then shall also bind this secure communications to device authentication ...” [3GPP TS 33.320 V11.4.0 (2011-12)]
  - Would you like to implement it this way?
- most of the above holds also for 3G femto cells
- How secure do you consider today’s 3G femto cell deployments?

Slide 13: Other EPS Security Mechanisms

cover
- usage of relay nodes
- non-3GPP access to the core network
- mobility
  - intra LTE
  - between LTE and 2G/3G networks
  - between 3GPP and non-3GPP access networks
- security for the IP multimedia subsystem (→ voice over LTE)
- generic bootstrapping architecture
- and more

→ Buy yourself a good book to find out!

Slide 14: Threat mitigation

- 3GPP addresses security of interfaces mainly
  - security specified for radio interface, backhaul link, core interfaces
    - protects traffic against interception, modification, replay
  - subscriber authentication
    - protects against theft of service, impersonation of other subscribers, fraud
- there’s a new trend in 3GPP to cover also platform security
  → by standardizing requirements (solutions are proprietary)

→ this leaves a lot to address otherwise:
  - flooding, crashing or compromising nodes by exploiting implementation flaws, compromising network elements via weak O&M procedures, …
  - IP network security, network element security

- out of scope here: physical site protection, organizational security measures (e.g. malicious insider threat)

Slide 15: EPS Traffic Separation Example

[Figure: EPS with Mobile Station, eNB, backhaul network, SEG, MME and SAE-GW (Serv.GW, PDN-GW), HSS, PCRF, LI Gateway towards the LEA, Appl. Server, IMS, and ePDG for untrusted non-3GPP access; external networks: The Internet, Corporate IP network, other PLMN / GRX. Traffic classes kept separate: Control Plane, Charging, O&M, User Plane (intra PLMN), GRX, LI, IP Services.]

Slide 16: EPS Perimeter Security Example

[Figure: the same EPS topology as in the traffic separation example, with perimeter controls: an SGi FW towards The Internet and the Corporate IP network, an S8 FW towards other PLMN / GRX, and ACLs at further borders.]

Slide 17: IP Network Security Measures

- traffic separation
- perimeter security
- secure operation and maintenance (O&M)
- secure operation of services/protocols like DNS, NTP, IP routing etc.
- additional, enhanced security measures
  - if required to mitigate a specific threat scenario
  - if enhanced security is part of the service the MNO offers to the subscribers
  - examples:
    - enhanced packet inspection, intrusion detection and prevention
    - enhanced security support for IP based mobile stations (e.g. antivirus, antiphishing, parental control, health check etc.)
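The perimeter security example (S8 FW towards other PLMNs / GRX, SGi FW towards the Internet) and the remark on slide 8 that GTP-C between serving and home network crosses a security domain border suggest a simple monitoring check: what the border firewalls accept should match the intended traffic separation. The following is an added example, not code from the slides or from the vendor: it runs a few plausibility rules over constructed firewall log lines. The log format, the address plan, the partner list and the rule set are assumptions made for this example; only the GTP port numbers (UDP 2123 for GTP-C, UDP 2152 for GTP-U) are the standard ones.

```python
"""Plausibility checks on S8 and SGi firewall logs (added example).

Not part of the slides: rules modelling the expected traffic separation at
the roaming border (S8, towards other PLMNs / GRX) and the Internet border
(SGi). Log format, address ranges and partner list are constructed for this
example; the GTP ports are the standard ones.
"""
import ipaddress

GTP_C_PORT, GTP_U_PORT = 2123, 2152   # GTP-C and GTP-U, both UDP

# Constructed address plan (documentation ranges, not a real network)
ROAMING_PARTNERS = [ipaddress.ip_network("203.0.113.0/24")]   # GRX peers allowed on S8
CORE_CONTROL = ipaddress.ip_network("10.10.0.0/16")            # MME, HSS, PCRF, O&M ...
S8_GATEWAYS = {ipaddress.ip_address("10.20.0.5")}              # PDN-GW S8 address(es)


def parse_line(line):
    """Parse one 'key=value' firewall log line of the constructed format."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_gtp(rec):
    return rec["proto"] == "udp" and rec["dport"] in (GTP_C_PORT, GTP_U_PORT)


def check_s8(rec):
    """Roaming border: only GTP, only from known partners, only to the PDN-GW S8 address."""
    if not is_gtp(rec):
        return "non-GTP traffic accepted from GRX"
    if not any(rec["src"] in net for net in ROAMING_PARTNERS):
        return "GTP from unknown roaming partner"
    if rec["dst"] not in S8_GATEWAYS:
        return "GTP towards an address other than the PDN-GW S8 interface"
    return None


def check_sgi(rec):
    """Internet border: no GTP at all, and nothing towards the core control plane."""
    if is_gtp(rec):
        return "GTP accepted from the Internet"
    if rec["dst"] in CORE_CONTROL:
        return "Internet traffic towards the core control plane"
    return None


CHECKS = {"S8": check_s8, "SGi": check_sgi}


def analyse(lines):
    """Return (line number, reason) for every accepted flow that violates the separation."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec["action"] != "accept":
            continue            # denied flows are the firewall doing its job
        reason = CHECKS[rec["fw"]](rec)
        if reason:
            findings.append((n, reason))
    return findings


SAMPLE_LOG = [  # constructed log lines
    "fw=S8 src=203.0.113.7 dst=10.20.0.5 proto=udp dport=2123 action=accept",   # 1 ok: GTP-C from partner
    "fw=S8 src=203.0.113.7 dst=10.20.0.5 proto=udp dport=2152 action=accept",   # 2 ok: GTP-U from partner
    "fw=S8 src=198.51.100.9 dst=10.20.0.5 proto=udp dport=2123 action=accept",  # 3 unknown partner
    "fw=S8 src=203.0.113.7 dst=10.10.0.3 proto=tcp dport=22 action=accept",     # 4 non-GTP into the core
    "fw=S8 src=203.0.113.7 dst=10.10.0.3 proto=udp dport=2123 action=accept",   # 5 GTP to a control-plane address
    "fw=SGi src=192.0.2.4 dst=10.20.0.5 proto=udp dport=2123 action=accept",    # 6 GTP from the Internet
    "fw=SGi src=192.0.2.4 dst=10.10.0.9 proto=tcp dport=3868 action=accept",    # 7 Internet towards core control
    "fw=SGi src=192.0.2.4 dst=100.64.3.21 proto=tcp dport=443 action=accept",   # 8 ok: Internet to the UE pool
    "fw=SGi src=192.0.2.4 dst=10.10.0.9 proto=tcp dport=3868 action=deny",      # 9 already blocked
]

if __name__ == "__main__":
    for n, reason in analyse(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The point of the check is the one the slides make about NDS/IP and SEGs: the standard fixes how the GTP-C exchange with the home network is protected, but which addresses and ports the border should accept at all is an operator decision, and a rule set written down as code can be replayed against the real firewall logs to confirm the decision is still being enforced.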

Slide 18: Network Element Security

- threat and risk analysis per network element
- network element security architecture
- secure coding
- hardening
- security testing
- security audit
- security vulnerability monitoring
- process for timely patching

This is really essential! … but out of the scope of this presentation …

Slide 19: Summary: How to Secure an LTE Network?

- Comply with the 3GPP recommendations … and choose the good options!
- Do all the other stuff:
  - use IP network security mechanisms
  - use network elements designed and implemented with security in mind
  - organizational security measures, physical site protection, …
  - monitor your network
- … security is a process!

Slide 20: Some Abbreviations

3GPP      3rd Generation Partnership Project
ASME      Access Security Management Entity
AuC       Authentication Centre
CA        Certificate Authority
CMP       Certificate Management Protocol
CK        Cipher Key
eNB       Evolved Node B
enc       Encryption
EPC       Evolved Packet Core
ePDG      Evolved Packet Data Gateway
EPS       Evolved Packet System
ESP       Encapsulating Security Payload
GRX       GPRS Roaming eXchange Network
GTP-C     GPRS Tunneling Protocol - Control
GW        Gateway
HeNB      Home eNB
HNB       Home Node B
HSS       Home Subscriber Server
IK        Integrity Key
IMS       IP Multimedia Subsystem
int       Integrity
K         Key
LEA       Law Enforcement Agency
LI        Lawful Interception
LTE       Long Term Evolution
MME       Mobility Management Entity
NAS       Non Access Stratum
PCRF      Policy and Charging Rules Function
PDN       Packet Data Network
PKI       Public Key Infrastructure
PLMN      Public Land Mobile Network
RA        Registration Authority
RRC       Radio Resource Control
SAE       System Architecture Evolution
SEG       Security Gateway
SeGW      Security Gateway
Serv.GW   Serving Gateway
UMTS      Universal Mobile Telecommunication System
UP        User Plane
USIM      UMTS Subscriber Identity Module