LTE Radio Interface and its Security Mechanism



SLIDE 1

LTE Radio Interface and its Security Mechanism

SLIDE 2

Content

  • Comparison of 2G, 3G and LTE Packet Domain
  • EPS
  • LTE Requirements
  • Main Characteristics of LTE Physical Layer
  • The MME
  • LTE and SAE IDs
  • Latency Considerations
  • DL Resource Elements
  • Keys in LTE
  • Security for Voice over LTE
  • Future

Deepsec 2010 2 Herbert Koblmiller, 26. November 2010

SLIDE 3

Comparison of 2G, 3G, LTE – PACKET DOMAIN

[Figure: packet-domain network elements per generation]

  • 2G: BTS, BSC
  • 3G: NodeB, RNC
  • Serving GPRS Support Node, Gateway GPRS Support Node
  • LTE: eNodeB, Serving Gateway, PDN Gateway
  • Internet

SLIDE 4

EPS – Evolved Packet System

[Figure: E-UTRAN (LTE) and EPC (SAE). Elements: eNodeBs, Mobility Management Entity, Home Subscriber Server, Serving Gateway, PDN Gateway, Internet. Interfaces: X2, S1-MME, S1-U, S6a, S11, S5. Legend: user plane, control plane.]

SLIDE 5

LTE Requirements

  • Internet services
  • Telephony
  • Broadcast (e.g. MBMS)
  • Mobility up to 250 km/h
  • High data rates: up to >100 Mbit/s DL (2x2 Ant), up to >300 Mbit/s DL (4x4 Ant), up to >50 Mbit/s UL
  • Higher spectral efficiency than R6
  • PS services only
  • User plane latency <10 ms
  • Control plane latency <100 ms

SLIDE 6

Main characteristics of LTE Physical Layer

  • Air interface: DL: OFDMA, UL: SC-FDMA
  • Bandwidth: scalable, 20, 10, 5, 3, 1.4 MHz
  • Smart antenna technology: MIMO, AAS
  • Low complexity: no BSC or RNC
  • No soft(er) handover
  • Less protocol overhead
  • Self-organizing network

SLIDE 7

The MME

Function groups shown on the slide: NAS Signalling, Mobility Management, Inter CN node Signalling, Security management, Other

  • EPS bearer management
  • QoS control
  • Generation of paging
  • Idle state mobility management
  • UE tracking
  • Selection of Serving GW and MME/SGSN (handover)
  • Roaming
  • Authentication
  • Ciphering + integrity protection of NAS signalling

[Figure: Mobility Management Entity with eNodeB, Home Subscriber Server, Serving Gateway and Serving GPRS Support Node. Interfaces: S1-MME, S6a, S10, S11, S3.]

SLIDE 8

LTE and SAE IDs

Groups shown on the slide: Network, Network Entities, User Equipment, E-UTRAN

  • PLMN ID (MCC + MNC): 24 bit
  • EPS Bearer ID
  • MMEI = MMEGI + MMEC: 16 + 8 bit
  • GUMMEI = MCC + MNC + MMEI
  • Physical Cell ID: 9 bit
  • IMSI: 60 bit
  • S-TMSI = MMEC + M-TMSI
  • IMEI: 60 bit
  • TAI = MCC + MNC + TAC
  • 32 bit
  • GUTI = GUMMEI + M-TMSI

E-UTRAN:

  • C-RNTI: 16 bit
  • RA-RNTI: 16 bit
  • SI-RNTI: 16 bit
  • P-RNTI: 16 bit
  • TPC-PUCCH-RNTI: 16 bit
  • TPC-PUSCH-RNTI: 16 bit
  • Random Value: 4 bit

SLIDE 9

User Plane Latency

[Figure: user-plane data path between eNodeB and Serving Gateway over S1-U. Delay values shown: 0.5 ms, 1-15 ms, 1 ms, 1 ms, 1 ms; HARQ up to 8 ms; 5 ms to 20 ms.]

SLIDE 10

Control Plane Latency compared to 3G

[Figure: state transition times]

  • 3G: states RRC_IDLE, CELL_FACH, CELL_DCH; values shown: ca 270 ms, ca 200 ms, ca 460 ms
  • LTE: EMM-Registered and RRC_IDLE; 51.5 ms to 77.5 ms

SLIDE 11

DL Spectrum Layout - OFDMA

[Figure: downlink spectrum, axes E and f. Labels: pilots at predefined subcarrier numbers, DC subcarrier, lower guard band, upper guard band.]

Bandwidth = N * f, N variable, 1.4-20 MHz

SLIDE 12

DL Resource Element and Resource Blocks

[Figure: time-frequency grid, axes t and f. Labels: lower guard band, upper guard band, DC.]

  • 1 Resource Block
  • T(slot) = 0.5 ms
  • 7 OFDMA symbols = 0.5 ms
  • 12 subcarriers = 180 kHz

SLIDE 13

Keys in LTE

[Figure: key hierarchy, top to bottom, with the location label shown next to each level]

  • Ki, AMF, SQN, RAND, AK, XRES (USIM, AuC)
  • CK, IK (HSS)
  • K(ASME) (MME)
  • K(eNodeB) (MME, eNodeB)
  • K(NASenc), K(NASint), K(RRCint), K(UPenc), K(RRCenc)

SLIDE 14

Cryptographic Key Separation

  • Differentiate User Traffic from Signalling Purpose
  • Keys stored in different locations
  • Key Renewal (key change on the fly)
  • Variable Security
  • More Independence of Radio Interface
  • Negotiations
  • 2 mandatory sets of Security
  • 128-EEA1 and 128-EIA1 based on SNOW 3G
  • 128-EEA2 and 128-EIA2 based on FIPS 197
  • Supported by all UE, eNodeB and MME
  • Algorithm negotiated separately between UE and eNodeB
  • Algorithm negotiated separately between UE and MME (e.g. NAS level)
  • UE Security Capabilities sent in Setup procedure
  • Algorithm can only change during Handover
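The key separation on slides 13 and 14, worked through as an added example that is not part of the original presentation: each leaf key is derived from its parent with the purpose and the negotiated algorithm mixed in, so the five keys differ even though they share one root. Assumptions: the KDF layout, FC values, type distinguishers and algorithm identities are taken from 3GPP TS 33.401 Annex A rather than from the slides, the function names are hypothetical, and the K(ASME) value is constructed.

```python
import hashlib
import hmac

# Algorithm type distinguishers (3GPP TS 33.401, Annex A; not on the slides)
ALG_TYPE = {"NASenc": 0x01, "NASint": 0x02, "RRCenc": 0x03,
            "RRCint": 0x04, "UPenc": 0x05}
# Algorithm identities: SNOW 3G based set = 1, AES (FIPS 197) based set = 2
SNOW3G, AES = 0x01, 0x02


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(k_asme: bytes, uplink_nas_count: int) -> bytes:
    """K(eNodeB) from K(ASME): FC = 0x11, P0 = uplink NAS COUNT."""
    return kdf(k_asme, 0x11, uplink_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent: bytes, purpose: str, alg_id: int) -> bytes:
    """Leaf key: FC = 0x15, P0 = type distinguisher, P1 = algorithm identity.
    The 128 least significant bits of the 256-bit output are used."""
    out = kdf(parent, 0x15, bytes([ALG_TYPE[purpose]]), bytes([alg_id]))
    return out[-16:]


def derive_hierarchy(k_asme: bytes, nas_count: int,
                     nas_alg: int, as_alg: int) -> dict:
    """NAS keys hang off K(ASME) (UE <-> MME); RRC/UP keys hang off
    K(eNodeB) (UE <-> eNodeB), each with its own negotiated algorithm."""
    k_enb = derive_kenb(k_asme, nas_count)
    keys = {p: derive_alg_key(k_asme, p, nas_alg) for p in ("NASenc", "NASint")}
    keys.update({p: derive_alg_key(k_enb, p, as_alg)
                 for p in ("RRCenc", "RRCint", "UPenc")})
    keys["eNodeB"] = k_enb
    return keys


if __name__ == "__main__":
    k_asme = bytes(range(32))  # constructed 256-bit K(ASME), not a real key
    for name, key in derive_hierarchy(k_asme, 0, AES, SNOW3G).items():
        print(f"K({name}) = {key.hex()}")
```

Deriving K(eNodeB) again with a different NAS COUNT changes the RRC and user-plane keys while the NAS keys stay the same, which is the key renewal property listed on the slide.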

SLIDE 15

Security for Voice over LTE

Methods for voice over LTE

  • IMS over LTE: IP Multimedia Subsystem is an independent service control architecture
  • Circuit Switched Fallback (CSFB): this provides voice service by fallback from LTE to 3G or 2G (3GPP2-defined networks)

Subscriber Authentication in IMS

  • SIP-layer Authentication
  • Access-Network bundled Authentication
  • Trusted Node Authentication

SLIDE 16

Flow for Registration with IMS AKA

[Figure: message sequence between UE, Proxy CSCF, Serving CSCF and Home Subscriber Server]

  • UE to Proxy CSCF: Register (Unprotected)
  • Proxy CSCF to Serving CSCF: Register (Protected by NDS/IP)
  • Serving CSCF to Home Subscriber Server: Cx-AuthDataRequ (Protected by NDS/IP)
  • Home Subscriber Server to Serving CSCF: Cx-AuthDataResp (Protected by NDS/IP)
  • Serving CSCF to Proxy CSCF: Auth_Challenge: RAND, AUTN, CK, IK (Protected by NDS/IP)
  • Proxy CSCF to UE: Auth_Challenge: RAND, AUTN (Unprotected)
  • Create IPsec SAs
  • UE to Proxy CSCF: Register: Digest-Resp(RES, RAND) (Protected by IPsec SA)
  • Proxy CSCF to Serving CSCF: Register: Digest-Resp(RES, RAND) (Protected by NDS/IP)
  • Auth Check
  • Serving CSCF to Home Subscriber Server: Cx-Put + Cx-Pull (Protected by NDS/IP)
  • Home Subscriber Server to Serving CSCF: Cx-PutResp + Cx-PullResp (Protected by NDS/IP)
  • Serving CSCF to Proxy CSCF: 200 OK (Protected by NDS/IP)
  • Proxy CSCF to UE: 200 OK (Protected by IPsec SA)

SLIDE 17

Security for Home Base Station Deployment

[Figure: Home eNodeB connected across an unsecure network to a Security Gateway, then to the Mobility Management Entity and Serving Gateway. Interfaces: S1-MME, S1-U, S11. Legend: user plane, control plane.]

Device Authentication mandatory

SLIDE 18

Security for Relay Node Architecture

[Figure: Relay Node, Donor eNodeB, Mobility Management Entity, Serving Gateway. Interfaces: S1-MME, S1-U, S11. Legend: user plane, control plane.]

Still under study to prevent possible threats

SLIDE 19

Speaker

Dipl.-Ing. Herbert Koblmiller
Mobile Network Planning Optimisation & Network Performance
A1 Telekom Austria AG
Obere Donaustraße 29
1020 Wien
herbert.koblmiller@a1telekom.at