It is necessary to ensure that Long Term Evolution (LTE) security measures provide the level of security required without impacting the user as this could drive users away. LTE must provide authentication, ciphering, encryption and identity protection.
With security attacks becoming increasingly sophisticated and imaginative, it is necessary to ensure that LTE security allows users to operate freely and without fear of attack from hackers. In addition, the network must also be organized in such a way that it is secure against a variety of attacks.
Security has to take into account some functions outside the core operation of LTE:
LTE security is developed into all areas of the system from the user equipment (UE) to the core network.
LTE is a flat IP system, no longer having a circuit domain. Communications are routed to Internet multimedia subsystem (IMS), the Internet and private networks.
There is no longer an intermediate radio controller: the eNodeB base stations are interconnected (X2 interface) and are directly connected to the core network.
LTE carries the subscribers’ sessions via General Packet Radio Service (GPRS) Tunneling Protocol (GTP) for the management of mobility.
LTE interfaces with Universal Mobile Telecommunications System (UMTS) and Global System for Mobile communication (GSM), which makes it compulsory to have a USIM card. It also interfaces with other networks, especially CDMA2000. The mobility there is managed with mobile IP.
LTE is reusing the UMTS authentication based on a USIM card inserted into the mobile UE and mutual authentication with the Home Subscriber Server (HSS). This mutual authentication produces two derived keys: Ck and Ik.
From Ck and Ik, LTE generates a master key KASME for the LTE-evolved packet core (EPC), which is differentiated from mobile country code (MCC) and mobile network code (MNC) network identifiers.
High level signaling protection is provided with special attention to NAS signaling (management of mobility and sessions), end-to-end security (from UE to Mobility Management Entity (MME)). LTE applies integrity control and ciphering there.
The protection of the radio interface applies on packet data control plane (PDCP) frames. The user session is encrypted. Radio signaling of the Radio Resource Control (RRC) has an integrity control and is encrypted.
HMAC-SHA-256 is used for the derivation of successive keys.
K being the authentication key of the subscriber, it is supposed to be valid for 3 to 10 years.
KASME, which is the master key for LTE/EPC sessions, has a lifetime of a few hours, possibly a few days.
KNAS for NAS signaling has the same lifetime as KASME.
KRRC for RRC radio signaling has a lifetime of a few seconds, up to a few hours; same for KUP which encrypts session data.
eNodeB keys are renewed at every antenna change. Recalculation of UP and RRC keys is done by successive eNodeB.
Diversification parameter NH is managed by the MME with the same level of quality as NAS keys.
Each time an active UE moves to a new LTE cell, new KeNB and (KRRCenc/int, KUPenc) are computed. This process offers backward security (for what was established with the previous eNodeB) as well as forward security (for what will be established with forthcoming eNodeB). So, a compromised eNodeB has almost no security impact on the communication.
KeNB recomputation depends on handover type (S1 or X2) and on fresh data provided by MME to the source eNodeB.
Renewal of radio keys also occurs when intra-eNodeB and intracell handovers are made.
Authentication key K is 128 bits, as for GSM.
KASME and the key derivation function: 256 bits and public algorithm; can be easily replaced by a full 256-bit system.
Ciphering and integrity control; 128 bits keys and public algorithms:
To date, there have been no realistic attacks on SNOW3G, AES and ZUC.
All terminals, eNodeB and MME must support EEA0, SNOW3G and AES, and also ZUC in China.
Nevertheless, some weaknesses may be found in certain procedures or implementations, with the acceptance of replay for the initialization vector, with known initialization vectors (padding and signaling messages) – and of course when there are software bugs or corrupted memory.
LTE interfaces are accessible:
The only solution is to use IPsec ESP and IKEv2 (exchange of certificates between network equipments; Extensible Authentication Protocol (EAP) and USIM between mobiles and network equipments).
Miniaturized eNodeB manage user sessions without encryption, allowing eavesdropping. They have no access to high-level signaling (NAS), which eliminates fraud. They have access to eNodeB signaling (S1-AP and X2-AP).
Femtocells connect to the core network via the Internet (ADSL or other access). The protection of the wired access is ensured by IPsec.
Relays connect to eNodeB via a wideband LTE radio connection. They multiplex users’ sessions in one single session. They may be mobile.
Neither femtocells nor relays encrypt users’ sessions, so IPsec would be recommended between eNodeB and core network.
All these pieces of equipment must be checked for software development quality and system security.
http://www.3gpp.org/specification-numbering
At first sight, a subscriber identity module (SIM)/USIM card generally shows some logo from the issuing operator as well as a printed number. In France it is called “numéro de série de carte externe” (NSCE) and consists of a row of 14 digits, which identify the card.
The SIM card (ETSI/3GPP TS 51.011) was one of the very important innovations of GSM. It was the first worldwide mobile system where the mobile terminal is split in two subsystems:
Access to its content is protected by a PIN code of 4 to 8 digits. But this PIN may be deactivated.
SIM cards are used by the GSM family of standards (GSM, UMTS and LTE). CDMA 2000 and the Japanese PDC optionally use SIM cards.
SIM bears a microelectronic component with a microcontroller and memory. It contains specific data related to the subscriber and the subscribed network. It also contains data and applications provided by the user, the network or other sources.
The major information stored in the SIM is the subscriber’s identifier, called international mobile subscriber identity (IMSI) and the identity of the subscribed network, given by its MCC and its MNC. The SIM is issued by a mobile network operator (MNO) or by an MVNO (which has no real network deployed in the country).
Today, the SIM card system is split in three subsystems:
The term “SIM” now covers only the GSM application, which is described in 3GPP TS 51.011.
The SIM/USIM: UICC device provides:
The European operators in the early 1990s decided to sell the mobile terminals at a subsidized price. In order to avoid cheating by dishonest customers, they urged the mobile manufacturers to implement an application binding the UE to the SIM/USIM. This is called SIM-lock. In this process, the SIM/USIM has no active part: it just provides the IMSI to the UE, and the UE checks whether this IMSI is accepted. Generally, the SIM-lock only checks the MCC–MNC couple, but in some cases it has been more restrictive. The calculation done by the mobile set makes use of the international mobile equipment identity (IMEI) number, which is implemented in the device by the manufacturer, identifies the mobile and is available when typing *#06# on the mobile. By government directive, the operator must provide a de-SIM-lock process. This process consists of entering a series of digits on the mobile touchpad.
Due to the fast increase of electronic chip capabilities, the electronic component of the card has been drastically improved since the introduction of the SIM in 1990. There are three constraints:
The memory technology is now mainly Flash NAND, with relatively high capacity (up to around 1 MB).
The UICC is manufactured in four different shapes (from left to right on the images hereafter):
The last avatars of UICC are FFs 1 and 2 (MFF 1 and MFF 2), designed for integration in various machine or robot cases. For example, the SIM installed in the dedicated “boxes” designed for the European emergency service and installed in vehicles.
The card is still delivered with the credit card size. Smaller devices are just to be pulled out.
Nano SIM has been introduced for the iPhone. Initially, Apple tried to embed the GSM/UMTS/LTE applications inside the ME/UE, as is done with CDMA 2000, but agreed to use the SIM card with the reduced size.
The UICC physical interface provides eight contacts:
UICC and ME/UE exchange information following defined protocols.
The historic SIM-ME transmission, designed for bank cards, followed the T = 0 protocol:
The newly standardized USB interface follows the ETSI TD 102.600. Using contacts C4 and C8, it is called the fast interface. Called USB interchip (IC), it provides 12 Mbps half duplex. To reduce energy consumption, the physical electrical interface has been modified from the standard USB. It offers three classes:
C6 is used to interface with a contactless module to provide NFC services. The suitable interfaces are described in standards TS 102.613 single wire protocol (SWP) and TS 102.622 (HCI). Its characteristics are:
The UICC is a very small computer including a microprocessor, memories and interfaces. The OS is proprietary. It is designed and maintained by the card producer. The capacity of the memory ranges from 64 kb up to 1024 kb and even more. Considering the decreasing cost of microelectronics, higher sizes will probably be available. The memory is organized with tables and files.
The UICC is engineered to resist all kinds of attacks, both software and hardware born. It has an OS, e.g. JAVA, supporting the applications which are provided by the operator.
UICC memory technology is mainly Flash NAND. For multimedia applications an additional Flash card may be added for flexibility.
UICC operates under the management of its OS. That OS is optimized for the relatively small size of the memory and the computing power of the module. Such OSs are proprietary and take benefit of the large experience of card manufacturers.
The memory is organized in directories and files. The rather simple file list of the GSM SIM is now enlarged to a very large number of items. (See further USIM directories).
Recent UICCs include virtual machines, generally designed in Java as specified by the Java Card Forum.
The basic application manages the subscription and the rights of the customer. It is the reflection of the subscription data, which is registered in the HSS of the operator’s core network. The IMSI counts a maximum of 10 digits, beginning with MCC, then MNC, followed by the mobile subscriber identity number (MSIN) of maximum 10 digits (2 digits H1 identifying the home location register (HLR) holding the mobile subscriber’s information and up to 8 digits for H2 for the number of the subscription in the HLR). The HSS covers the functions of the HLR and the authentication center (AuC).
The basic SIM application provides identification of the subscriber with the IMSI, which is stored in its memory, as well as the identity of the mobile operator holding the subscription. The operator edits the card. It is referenced with MCC + MNC (MCC with 3 digits, from 000 to 999 – 208 for France metro; MNC with 2 digits, from 00 to 99).
The basic SIM application manages authentication of the customer and then ciphering parameters of the communication, providing the necessary keys.
Added value services can be implemented on top of this basic application, such as the delivery of information updated by the network operator (e.g. weather forecast, stock data and location related data).
Due to the progress of microelectronics, with technology constantly improving, from the micron size transistor of the 1980s to nanotechnologies of the 2010s, the computing power of the UICC has drastically improved and offers new specificities:
One of the key elements within the security of GSM, UMTS and now LTE was the concept of the subscriber identity module, SIM. This card carried the identity of the subscriber in an encrypted fashion and this could allow the subscriber to keep his/her identity while transferring or upgrading phones.
With the transition from 2G – GSM to 3G – UMTS, the idea of the SIM was upgraded and a UMTS Subscriber Identity Module (USIM) was used. This gave more functionality, had a larger memory, etc.
For LTE, only the USIM may be used – the older SIM cards are not compatible and may not be used. USIM standard is to be found in 3GPP TS 21.111 – USIM card requirements.
USIM includes a new authentication process: EAP SIM.
ISIM stands for IP Multimedia Services Identity Module and is an application running on the UICC. On the UICC, ISIM is the counterpart of the IMS. In particular, ISIM is the repository of the parameters which identify and authenticate the user of IMS. The ISIM application coexists with USIM on the same UICC. With USIM and ISIM, the UICC provides the security parameters both for the mobile network and for the Internet.
ISIM owns in its records the IP Multimedia Private Identity (IMPI), the home operator domain name, one or more IP Multimedia Public Identity (IMPU) and a long-term secret used to authenticate and calculate cipher keys. The first IMPU stored in the ISIM is used in emergency registration requests.
The detailed standard for ISIM is in TS31.103.
An important feature is over the air activation (OTA). Initially, this feature had been necessary to ease subscriber’s activation. Now, OTA is used to modify and/or update the content of a number of files that are stored on the UICC.
The operator’s network can communicate with the SIM/USIM via:
OTA is also widely used for refreshing the data stored in the USIM and possibly the ISIM. It allows us to keep a copy of the subscriber’s information, such as the agenda and the address book/phonebook on a central server. If the USIM is damaged, the central repository will be able to feed the new UICC/USIM with the saved information.
The SIM toolkit can be associated with the OTA to provide flexible and powerful services.
The USIM provides the parameters, which are involved in the authentication of the customer as well as for encryption of the information on the radio path. This has been described before.
3GPP provides the description of UICC and USIM directories in documents 31102-C30 – Characteristics of the Universal Subscriber Identity Module (USIM) application – and 31111-C30 – Universal Subscriber Identity Module (USIM) Application Toolkit (USAT). These two documents give the detail of all files in the USIM/UICC.
The structure of directories and identifiers in the UICC has been very precisely standardized, as follows:
NOTE 4.1.– Files under DFTELECOM with shaded background are defined in TS 51.011 [18].
NOTE 4.2.– The value “6F65” under ADFUSIM was used in earlier versions of this specification, and should not be reassigned in future versions.
NOTE 4.3.– Files under DFMMSS are defined in C.S0074-A [53].
The USIM application makes use of the following directories and identifiers.
Of course, this structure is far more complicated than the structure of GSM. Nevertheless, the USIM keeps the storage of the principal key K for the security of communications. When the subscriber registers to the network, the master key K, which is associated with the IMSI on the USIM, is sent to the HSS via the MME. The HSS in return sends a random number RAND as well as the expected response XRES, confidentiality and integrity keys Ck and Ik, respectively, and produces an authentication token (AUTN) for the network. From RAND and AUTN, the USIM calculates the response RES and the keys Ck and Ik. The MME verifies that RES is identical to XRES.
AUTN, Ck and Ik are combined with the serving network identity SNid to calculate the Kasme, master key for LTE/EPC sessions, using the HMAC-SHA-256 algorithm both in the UE and in the HSS. From Kasme, the UE and the MME calculate Knas enc, Knas int, Kenb and NH. The UE and the eNodeB calculate Kup enc, Krrc enc and Krrc int. Kenb and NH produce Kenb* through NCC. The keys for UP (key of the session), for RRC (radio signaling) and for eNB are recalculated by the successive eNodeB involved in the communication.
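The derivation chain described above, written out as an added example that is not part of the original text: it follows the key derivation function layout of TS 33.401 Annex A (HMAC-SHA-256 over an FC code and length-tagged parameters) and shows the two ways a target-cell KeNB* can be produced at handover. The function names are illustrative, and the CK, IK, SQN xor AK, MNC 01, PCI and EARFCN values are constructed samples.

```python
import hashlib
import hmac

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (Li = 2-byte length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def plmn_id(mcc: str, mnc: str) -> bytes:
    """Encode MCC/MNC as the 3-octet SN id (filler nibble 'f' for a 2-digit MNC)."""
    mnc3 = mnc[2] if len(mnc) == 3 else "f"
    return bytes.fromhex(mcc[1] + mcc[0] + mnc3 + mcc[2] + mnc[1] + mnc[0])

def k_asme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)

def k_enb(kasme: bytes, uplink_nas_count: int) -> bytes:
    return kdf(kasme, 0x11, uplink_nas_count.to_bytes(4, "big"))

def next_hop(kasme: bytes, sync_input: bytes) -> bytes:
    # sync_input is KeNB for the first NH, then the previous NH
    return kdf(kasme, 0x12, sync_input)

def k_enb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    # base is the current KeNB or a fresh NH; assumes a 2-octet EARFCN-DL
    return kdf(base, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

def alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    # 128-bit key = least significant half of the 256-bit KDF output
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]

def demo() -> dict:
    # Constructed sample inputs, not real subscriber data
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    kasme = k_asme(ck, ik, plmn_id("208", "01"), bytes.fromhex("a1b2c3d4e5f6"))
    kenb = k_enb(kasme, 0)
    nh = next_hop(kasme, kenb)
    aes = 2  # algorithm identity of 128-EEA2 / 128-EIA2
    return {
        "KASME": kasme, "KeNB": kenb, "NH": nh,
        "KNASenc": alg_key(kasme, 0x01, aes), "KNASint": alg_key(kasme, 0x02, aes),
        "KRRCenc": alg_key(kenb, 0x03, aes), "KRRCint": alg_key(kenb, 0x04, aes),
        "KUPenc": alg_key(kenb, 0x05, aes),
        # Target-cell key derivable by the source eNodeB from its own KeNB ...
        "KeNB*_from_KeNB": k_enb_star(kenb, 301, 1850),
        # ... or from a KASME-derived NH, which an eNodeB cannot compute itself
        "KeNB*_from_NH": k_enb_star(nh, 301, 1850),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value.hex()}")
```

Because NH is derived from KASME, which never leaves the MME and the UE, an eNodeB that only holds its current KeNB cannot reproduce the NH-based KeNB* of a later cell.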
A relevant detailed description of the processes can be found in the TS36 series, dealing with LTE/EPC access, and in TS33.401, security of LTE and EPC access, completed with TS33.402, security of access to EPC by non-3GPP networks.
TS31 series is devoted to USIM.
To finish this general presentation, let us quote the most important actors in the business of the SIM/USIM. At the beginning are the manufacturers of microchips. For a SIM/USIM, the size of the chip is limited due to risks of breaking a “large” chip during the tough use of the mobile. ST Microelectronics is an important producer of those chips. Its advantage is the low consumption of its products. The German card manufacturers will use Infineon products. On distant markets, Samsung has a share. Nevertheless, the UICC does not implement the latest technology for cost reasons. Many UICC designs are still based on 100 nm technology (to be compared to 7 to 10 nm available for decoders).
On the component, the card maker will implement the OS and the applications.
The next step is to stick the microchip on a plastic support. Easy to express and difficult to realize. Silicon and plastic do not like to be married. On top of that comes the printing of logos and numbers, which is typically the skill of printers. Among the producers of cards, Gemalto is an important actor.
The last step is to personalize the card, with the introduction of network-generated information personalizing each individual card. A very precise database must be kept of all that has been put in the UICC for further processing in case of a problem.
EAP is a universal mechanism for identification.
The protocol exchanges frames with a specific EAP format. At its origin, EAP has been designed to be carried by PPP (RFC-2284). It has been extended by RFC-3748 to be used on all wired networks. Nevertheless, it is mostly in use on wireless systems.
WPA and WPA2, well-known standards of Wi-Fi authentication, have adopted EAP with five identification mechanisms:
EAP-TLS creates a secure tunnel with two certificates (one on the server side and the other on the client side) before authentication;
Another version, called lightweight extensible authentication protocol (LEAP), has been strongly promoted by Cisco. This protocol seems less secure than the others.