LTE R di I t LTE Radio Interface f and its Security Mechanism
Content • Comparison of 2G,3G and LTE Packed Domain • EPS EPS • LTE Requirements • Main Characteristics of LTE Physical Layer Main Characteristics of LTE Physical Layer • The MME • LTE and SAE ID´ s • LTE and SAE ID s • Latency Considerations • DL Resource Elements • DL Resource Elements • Keys in LTE • Security for Voice over LTE • Security for Voice over LTE • Future Herbert Koblmiller, 26. November 2010 Deepsec 2010 2
Comparison of 2G, 3G, LTE – PACKET DOMAIN 2G 2G BTS BSC Serving Gateway GPRS GPRS 3G Support Support Node Node Internet NodeB RNC LTE PDN Serving eNodeB Gateway Gateway Herbert Koblmiller, 26. November 2010 Deepsec 2010 3
EPS – Evolved Packet System E-UTRAN EPC (LTE) (SAE) S6a Home Mobility Subscriber Management Server Server Entity Entity eNodeB Internet S 1-MME S11 X2 X2 S1-U S 5 PDN Serving eNodeB eNodeB Gateway Gateway G Gateway U User plane l Contrrol plane Herbert Koblmiller, 26. November 2010 Deepsec 2010 4
LTE Requirements Services Internet Telephony Mobility up to 250km/ h Broadcast (eg MBMS) High Data Rates Up to >100 Mbit/ s DL (2x2 Ant) Up to >100 Mbit/ s DL (2x2 Ant) Up to >300 Mbit/ s DL (4x4 Ant) Up to >50 Mbit/ s UL Higher spectral Efficiency than R6 PS Services only User plane latency <10ms Control plane latency < 100ms Herbert Koblmiller, 26. November 2010 Deepsec 2010 5
Main characteristics of LTE Physical Layer Air Interface DL: OFDMA DL: OFDMA UL: SC-FDMA Bandwith: Scalable Bandwith: Scalable 20, 10, 5, 3, 1.4 MHz Smart Antenna Technology: MIMO, AAS Low Complexity No BSC or RNC No Soft(er) Handover Less Protocol overhead Self organizing network Herbert Koblmiller, 26. November 2010 Deepsec 2010 6
The MME MME Other NAS Signalling Mobilit y y • EPS bearer management Management - QOS control Entity • Generation of Paging S10 • Idle State Mobility managemant - UE tracking U g Home S6a Subscriber S 1-MME eNodeB Inter CN node Signalling Inter CN node Signalling Server Server • Selection of Serving GW and S11 MME/ SGSN (Handover) • Roaming Serving Gateway Gateway S 3 Security managemant • Authentication Serving • Ciphering + Integrity Protection GPRS GPRS of NAS signalling Support Node Herbert Koblmiller, 26. November 2010 Deepsec 2010 7
LTE and SAE ID´ s Network PLMN ID ( MCC + MNC) 24 bit EPS BE EPS BEarer ID ID User Equipment Network Entities IMSI 60bit IMEI = MMEGI +MMEC 16 + 8 bit S-TMSI = MMEC + M-TMSI GUMMEI = MCC + MNC + MMEI IMEI 60bit Physical Cell ID 9bit GUTI GUMMEI M TMS GUTI = GUMMEI + M-TMS I I TAI = MCC + MNC + TAC 32bit E-UTRAN E UTRAN C-RNTI 16 bit RA-RNTI 16bit SI-RNTI 16bit P-RNTI 16bit TPC-PUCCH-RNTI 16bit TPC-PUSCH-RNTI 16bit Random Value 4bit Random Value 4bit Herbert Koblmiller, 26. November 2010 Deepsec 2010 8
User Plane Latency S1-U Serving eNodeB eNodeB G t Gateway 0 5ms 0.5ms 1-15ms 1 15ms 1ms 1ms 1ms 1ms 1ms 1ms data data up to 8ms HARQ 5ms to 20ms Herbert Koblmiller, 26. November 2010 Deepsec 2010 9
Control Plane Latency compared to 3G ca 270ms ca 200ms CELL_F ACH 3G RRC_IDLE CELL_DCH ca 460ms LTE LTE EMM-Registered EMM-Registered and and RRC_IDLE RRC_IDLE 51.5ms to 77.5ms Herbert Koblmiller, 26. November 2010 Deepsec 2010 10
DL Spectrum Layout - OFDMA Pilots at predefined Pilots at predefined DC Subcarrier subcarrier numbers E f Lower Upper Guard Guard Guard Guard Band Band Bandwith = N * f N variable 1.4-20MHz Herbert Koblmiller, 26. November 2010 Deepsec 2010 11
DL Resource Element and Resource Blocks t 1 Resource Block T( l t) 0 5 T(slot) = 0.5ms f 7 OFDMA DC Symbols Lower Upper = 0.5ms Guard Guard G ard Guard Band Band 12 Subcarrier = 180kHz Herbert Koblmiller, 26. November 2010 Deepsec 2010 12
Keys in LTE Ki AMF SQN RAND USIM, AuC AK XRES CK IK HSS K(ASME) MME MME K(eNodeB) eNodeB K(NASenc) K(NASint) K(UPenc) K(RRCint) K(RRCenc) Herbert Koblmiller, 26. November 2010 Deepsec 2010 13
Cryptographic Key Separation Purpos Differenciate User Traffic from Signalling Keys stored in different locations Key Renewal (Key change on the fly) Variable Security More Independence of Radio Interface More Independence of Radio Interface Negotiations 2 mandatory sets of Security • 128-EEA1 and 128-EIA1 based ond SNOW 3G • 128-EEA2 and 128-EIA2 based on FIPS 197 Supported by all UE eNodeB and MME Supported by all UE, eNodeB and MME Algorithm negotiated separately between UE and eNodeB Algorithm negotiated separately between UE and MME (eg. NAS level) UE Security Capabilities sent in Setup procedure Algorithm can only change during Handover Herbert Koblmiller, 26. November 2010 Deepsec 2010 14
Security for Voice over LTE Methods for voice over LTE Methods for voice over LTE IMS over LTE • IP Multimedia Subsystem is an independent service control architecture Circuit Switched Fallback (CSFB) • this provides voice service by fallback from LTE to 3G or 2G (3GPP2-defined networks) S S b ubscriber Authentication in IMS ib A th ti ti i IMS SIP-layer Authentication Access-Network bundled Authentication Trusted Node Authentication Trusted Node Authentication Herbert Koblmiller, 26. November 2010 Deepsec 2010 15
Flow for Registration with IMS AKA Home Serving Proxy UE Subscriber CSCF CSCF Server Server Register Register Cx-AuthDataRequ Unprotected Protected by NDS/ IP y Protected by NDS/ IP Auth_Challenge: RAND,AUTN Cx-AuthDataResp Unprotected p Protected by NDS/ IP Protected by NDS/ IP Auth Challenge: Auth_Challenge: RAND,AUTN,CK,IK Create Protected by NDS/ IP IPsec SAs Register: Register: Digest-Resp(RES, Digest-Resp(RES, RAND) Protected By Auth RAND) Protected ) IPsec SA IPsec SA Cx-Put + Cx-Pull C P t C P ll Check Ch k by NDS/ IP Protected by NDS/ IP 200 OK 200 OK Protected by NDS/ IP Protected By Cx-PutResp + Cx-PullResp Cx PutResp + Cx PullResp IPsec SA Protected by NDS/ IP Herbert Koblmiller, 26. November 2010 Deepsec 2010 16
Security for Home Base Station Deployment Mobility Management Entity Unsecure S 1-MME Network S11 Home S1-U Security Serving eNodeB Gateway y Gateway y Device Autentication mandatory U User plane l Contrrol plane Herbert Koblmiller, 26. November 2010 Deepsec 2010 17
Security for Relay Node Architecture Mobility Mobility Management Entity S S 1 MME 1-MME S11 Serving S1-U Relay Donor Gateway Node eNodeB Still under study to prevent possible threats ll d d bl h U User plane l Contrrol plane Herbert Koblmiller, 26. November 2010 Deepsec 2010 18
Speaker Dipl.-Ing. Herbert Koblmiller M bil N Mobile Network Planning k Pl i Optimisation & Network Performance A1 Telekom Austria AG Obere Donaustraße 29 1020 Wien herbert.koblmiller@ a1telekom.at Herbert Koblmiller, 26. November 2010 Deepsec 2010 19
Recommend
More recommend