3GPP security hot topics - ETSI (2010-01-20)

3GPP security hot topics
Home base station & IMS media plane security
Valtteri Niemi, Nokia Research Center, Lausanne, Switzerland
Bengt Sahlin, Ericsson NomadicLab, Jorvas, Finland
© ETSI 2009. All rights reserved
5th ETSI Security Workshop
Some history
Some history (1/2)
• For 3GPP Release 99 (frozen 2000), WG SA3 created 19 new specifications, e.g.
  • TS 33.102 “3G security; Security architecture”
  • 5 specifications (out of these 19) originated by ETSI SAGE, e.g. TS 35.202 “KASUMI specification”
• For Release 4 (frozen 2001), SA3 was kept busy with GERAN security while ETSI SAGE originated again 5 new specifications, e.g.
  • TS 35.205-208 for MILENAGE algorithm set
• Release 5 (frozen 2002): SA3 added 3 new specifications, e.g.:
  • TS 33.203 “IMS security”
• Release 6 (frozen 2005): SA3 added 17 new specifications, e.g.:
  • TS 33.220-222 “Generic Authentication Architecture”
• Release 7 (frozen 2007): SA3 added 13 new specifications
  • ETSI SAGE created 5 specifications for UEA2 & UIA2 (incl. SNOW 3G spec) (TS 35.215-218, TR 35.919)
Some history (2/2)
• Release 8 (frozen 2008): SA3 added 7 new specifications, e.g.:
  • TS 33.401 “SAE: Security architecture”
• Release 9 (frozen end of 2009): SA3 added 6 new specifications (one more TR still to be included):
  • TS 33.224 “Generic Push layer”
  • TS 33.328 “IMS media plane security”
  • TS 33.320 “Security Aspects of Home NodeB/eNodeB”
  • TRs:
    • 33.937 “Protection against Unsolicited Communication for IMS”
    • 33.924 “Identity Management and 3GPP Security Interworking”
    • 33.812 “Feasibility Study on the Security Aspects of Remote Provisioning and Change of Subscription for M2M Equipment”
Home (e)Node B security
Configuration of eNB
• Communication between the remote/local O&M systems and the eNB shall be mutually authenticated.
• The eNB shall be able to ensure that software/data change attempts are authorized.
• Confidentiality and integrity of software transfer towards the eNB shall be ensured.
• etc.
(see TS 33.401)
Secure environment inside eNB
• Secure storage of sensitive data, e.g. long term cryptographic secrets and vital configuration data.
• The secure environment shall support the execution of sensitive functions, e.g. use of long term secrets in authentication protocols.
• The secure environment shall support the execution of sensitive parts of the boot process.
• Only authorised access shall be granted to the secure environment.
• etc.
(see TS 33.401)
Home base stations: new architecture
(figure: UE <-> H(e)NB <-(insecure link)-> SeGW <-> Operator’s core network, which contains the H(e)NB-GW, the AAA Server/HSS and the H(e)MS)
• Concept of Closed Subscriber Group introduced
• Applies also to HSPA base stations
Security mechanisms for Home base stations
• Device Integrity Check upon booting, based on Trusted Environment (TrE)
• Secured clock synchronization
• Device authentication
  • Mutual authentication between H(e)NB and SeGW
  • Based on IKEv2 and certificates
• IPsec tunnel between H(e)NB and SeGW
• Optionally Hosting Party authentication, based on UICC
• Location verification
Base stations and Lawful interception
• Usually lawful interception is not applied in base stations
• However, current (Release 10) work for Local IP Access and Selective IP Traffic Offload may change the situation
IMS media plane security
Goals of IMS media security
1. to provide security for media usable across all access networks
2. to provide an end-to-end media security solution to satisfy major user categories
3. to provide end-to-end media security for important user groups like enterprises, National Security and Public Safety (NSPS) organizations
Mechanisms for IMS media security
The media stream is protected by SRTP (RFC 3711).
Three solutions for key management:
• End to access edge (e2ae)
  • SDES (RFC 4568) between IMS terminal and P-CSCF (first SIP proxy) to provide keys
• End-to-end (e2e)
  • SDES between two IMS terminals to exchange keys
  • specific Key Management Service with GBA authentication (or a proprietary authentication mechanism) and MIKEY-TICKET protocol (draft-mattsson-mikey-ticket)
SDES e2e case: Originating side
(figure: UE A, P-CSCF and S-CSCF in the Originating Network; Terminating Network on the right)
1. SDP Offer (UE A -> P-CSCF)
2. SDP Offer (P-CSCF -> S-CSCF)
3. SDP Offer (S-CSCF -> Terminating Network)
4. SDP Answer (Terminating Network -> S-CSCF)
5. SDP Answer (S-CSCF -> P-CSCF)
6. SDP Answer (P-CSCF -> UE A)
7. Completion of session setup and bearer setup procedures
e2e protected media
SDES e2e case: Terminating side
(figure: Originating Network on the left; S-CSCF, P-CSCF and UE B in the Terminating Network)
1. SDP Offer (Originating Network -> S-CSCF)
2. SDP Offer (S-CSCF -> P-CSCF)
3. SDP Offer (P-CSCF -> UE B)
4. SDP Answer (UE B -> P-CSCF)
5. SDP Answer (P-CSCF -> S-CSCF)
6. SDP Answer (S-CSCF -> Originating Network)
7. Completion of session setup and bearer setup procedures
Media
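The SDES offer/answer exchange shown in the two flows above, as an added Python example that is not from the presentation or from 3GPP: it builds and parses RFC 4568 `a=crypto` lines (the suite names and the 30-byte key||salt length come from the RFC; the SDP lines and the function names are constructed here) and shows what a SIP hop that relays the SDP, such as the P-CSCF or S-CSCF, can read from an e2e SDES exchange, which is the property the later LI slide relies on when it says the keys can be delivered.

```python
import base64
import os
import re

# RFC 4568 suites -> master key||salt bytes (AES_CM_128: 16-byte key + 14-byte salt)
SUITES = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(?:\|(\S+))?$")

def parse_crypto(line):
    """Parse one a=crypto attribute into (tag, suite, key_salt, key_params)."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an SDES crypto attribute: %r" % line)
    tag, suite, b64, params = m.groups()
    if suite not in SUITES:
        raise ValueError("unsupported crypto suite %s" % suite)
    key_salt = base64.b64decode(b64, validate=True)  # rejects non-base64 junk
    if len(key_salt) != SUITES[suite]:
        raise ValueError("%s needs %d key||salt bytes, got %d"
                         % (suite, SUITES[suite], len(key_salt)))
    return int(tag), suite, key_salt, params

def make_crypto(tag, suite):
    """Build an a=crypto line carrying a fresh random master key||salt."""
    b64 = base64.b64encode(os.urandom(SUITES[suite])).decode()
    return "a=crypto:%d %s inline:%s" % (tag, suite, b64)

def answer_offer(offer_lines, preferred=("AES_CM_128_HMAC_SHA1_80",)):
    """Answerer: pick the first acceptable offered suite, echo its tag and
    supply its own master key for the reverse media direction."""
    offered = [parse_crypto(l) for l in offer_lines if l.startswith("a=crypto:")]
    for suite in preferred:
        for tag, s, _, _ in offered:
            if s == suite:
                return make_crypto(tag, suite)
    raise ValueError("no acceptable crypto suite offered")

def keys_visible_to_sip_hop(offer_lines, answer_line):
    """What a SIP proxy on the path (P-CSCF, S-CSCF) can read from the SDP it
    relays: the SRTP master key||salt for both media directions."""
    tag, suite, ans_key, _ = parse_crypto(answer_line)
    for line in offer_lines:
        if line.startswith("a=crypto:"):
            otag, osuite, off_key, _ = parse_crypto(line)
            if otag == tag and osuite == suite:
                return {"offerer": off_key, "answerer": ans_key}
    raise ValueError("answer does not match any offered crypto line")
```

In the e2ae case the P-CSCF is the intended SRTP endpoint, so the same visibility is by design; in the e2e case it is why SDES gives no protection against the SIP signalling path itself.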
KMS originating side
(figure: UE A, P-CSCF and S-CSCF in the Originating Network; Terminating Network on the right; UE A talks to the KMS before sending the offer)
1. Interactions with KMS (UE A <-> KMS)
2. SDP Offer (UE A -> P-CSCF)
3. SDP Offer (P-CSCF -> S-CSCF)
4. SDP Offer (S-CSCF -> Terminating Network)
5. SDP Answer (Terminating Network -> S-CSCF)
6. SDP Answer (S-CSCF -> P-CSCF)
7. SDP Answer (P-CSCF -> UE A)
8. Completion of session setup and bearer setup procedures
e2e protected media
KMS terminating side
(figure: Originating Network on the left; S-CSCF, P-CSCF and UE B in the Terminating Network; UE B talks to the KMS before answering. Reference figure in 6)
1. SDP Offer (Originating Network -> S-CSCF)
2. SDP Offer (S-CSCF -> P-CSCF)
3. SDP Offer (P-CSCF -> UE B)
4. Interactions with KMS (UE B <-> KMS)
5. SDP Answer (UE B -> P-CSCF)
6. SDP Answer (P-CSCF -> S-CSCF)
7. SDP Answer (S-CSCF -> Originating Network)
8. Completion of session setup and bearer setup procedures
Media
Key management for MIKEY TICKET
MIKEY TICKET messages
IMS media security LI issues
• e2e security and LI do not go well together
• For SDES and KMS, keys are delivered to LEA – we are OK
• IETF prefers DTLS-SRTP, based on Diffie-Hellman key exchange
• On the other hand, LI must not be detectable to the target
• Three potential solutions (but all problematic for undetectability)
  • Network plays man-in-the-middle
  • Key hidden in protocol messages
  • Terminals disclose keys to network
Summary
• Home (e)NB security
  • New architecture with more exposed locations of NB’s
  • New types of threats
  • Many new countermeasures needed
• IMS media plane security
  • Two methods for IMS media e2e protection
    • SDES for major user categories
    • MIKEY-TICKET for special user groups
  • One e2ae method for IMS media protection
    • SDES
For more information: www.3gpp.org