4

LTE Security. SIM/USIM Subsystem

4.1. LTE security

It is necessary to ensure that Long Term Evolution (LTE) security measures provide the level of security required without impacting the user as this could drive users away. LTE must provide authentication, ciphering, encryption and identity protection.

With the level of sophistication of security attacks becoming increasingly imaginative, it is necessary to ensure that LTE security allows users to operate freely and without fear of attack from hackers. In addition, the network must also be organized in such a way that it is secure against a variety of attacks.

– LTE security had to provide at least the same level of security that was provided by second generation (2G) and third generation (3G) services.
– The LTE security measures should not affect user convenience.
– The LTE security measures taken must provide defense from attacks from the Internet.
– The security functions provided by LTE should not affect the transition from existing 3G services to LTE.
– The Universal Subscriber Identity Module (USIM) currently used for (3G) services should still be used.

Security has to take into account some functions outside the core operation of LTE:

– lawful interception of sessions and signaling in the core network;
– emergency calls management with mobiles that are unable to be authenticated, thus the session has no ciphering nor integrity control;
– broadcasted warning messages, e.g. tsunami or earthquake advice.

LTE security is built into all areas of the system, from the user equipment (UE) to the core network.

– A new hierarchical key system has been introduced in which keys can be changed for different purposes.
– The LTE security functions for the non-access stratum (NAS) and access stratum (AS) have been separated. The NAS functions are those functions for which the processing is accomplished between the core network and the mobile terminal or UE. The AS functions encompass the communications between the network edge, i.e. the eNodeB, and the UE.
– The concept of forward security has been introduced for LTE security.
– LTE faces a dramatic increase in the number of interfaces: Internet Protocol (IP), interfaces with multiple technologies, roaming with hundreds of operators (more than 800 MNOs in more than 200 countries, according to GSMA).
– Another issue comes from the convergence of operating systems (OS) toward Linux, which makes them “known” environments. It is the same for mobiles, with more than 50% of smartphones based on the Android and iPhone OS.

4.1.1. Principles of LTE security

LTE is a flat IP system, no longer having a circuit domain. Communications are routed to Internet multimedia subsystem (IMS), the Internet and private networks.

There is no longer an intermediate radio controller: the eNodeB base stations are interconnected (X2 interface) and directly connected to the core network.

LTE carries the subscribers’ sessions via General Packet Radio Service (GPRS) Tunneling Protocol (GTP) for the management of mobility.

LTE interfaces with Universal Mobile Telecommunications System (UMTS) and Global System for Mobile communication (GSM), which makes it compulsory to have a USIM card. It also interfaces with other networks, especially CDMA2000. The mobility there is managed with mobile IP.

Figure 4.1. LTE needs a layered security


Figure 4.2. Layered security model


4.1.2. LTE EPC security

LTE is reusing the UMTS authentication based on a USIM card inserted into the mobile UE and mutual authentication with the Home Subscriber Server (HSS). This mutual authentication produces two derived keys: Ck and Ik.

From Ck and Ik, LTE generates a master key KASME for the LTE-evolved packet core (EPC), which is diversified by the mobile country code (MCC) and mobile network code (MNC) network identifiers.

High-level signaling is protected, with special attention to NAS signaling (management of mobility and sessions), which has end-to-end security from the UE to the Mobility Management Entity (MME). LTE applies integrity control and ciphering there.

The protection of the radio interface applies on packet data control plane (PDCP) frames. The user session is encrypted. Radio signaling of the Radio Resource Control (RRC) has an integrity control and is encrypted.

Figure 4.3. LTE eUTRAN protocol stack

4.1.2.1. Derivation of successive keys

HMAC-SHA-256 is used for the derivation of successive keys.

K being the authentication key of the subscriber, it is supposed to be valid for 3 to 10 years.

KASME, which is the master key for LTE/EPC sessions, has a lifetime of a few hours, possibly a few days.

KNAS for NAS signaling has the same lifetime as KASME.

KRRC for RRC radio signaling has a lifetime of a few seconds, up to a few hours; same for KUP which encrypts session data.

eNodeB keys are renewed at every antenna change. Recalculation of UP and RRC keys is done by successive eNodeB.

Diversification parameter NH is managed by the MME with the same level of quality as NAS keys.

Figure 4.4. Derivation of successive keys


4.1.2.2. Handover security

Each time an active UE moves to a new LTE cell, new KeNB and (KRRCenc/int, KUPenc) are computed. This process offers backward security (that was established with previous eNodeB) as well as forward security (will be established with forthcoming eNodeB). So, a compromised eNodeB has almost no security impact on the communication.

Figure 4.5. LTE keys hierarchy as in 3GPP TS 36.300


KeNB recomputation depends on handover type (S1 or X2) and on fresh data provided by MME to the source eNodeB.

Radio keys are also renewed on intra-eNodeB and intracell handovers.

4.1.2.3. EPS security

Figure 4.6. EPS security


4.1.2.4. Security levels and algorithms

Authentication key K is 128 bits, like for GSM.

KASME and the key derivation function: 256 bits and a public algorithm, which can easily be replaced by a full 256-bit system.

Ciphering and integrity control: 128-bit keys and public algorithms:

– ciphering algorithms for NAS and PDCP: EEA0, EEA1 (SNOW 3G), EEA2 (AES-CTR), EEA3 (ZUC);
– integrity control algorithms for NAS and PDCP: EIA1 (SNOW3G, MAC mode), EIA2 (AES-CMAC), EIA3 (ZUC, MAC mode).

To date, there have been no realistic attacks on SNOW3G, AES and ZUC.

All terminals, eNodeB and MME must support EEA0, SNOW3G and AES, and also ZUC in China.

Nevertheless, some weaknesses may be found in certain procedures or implementations, with the acceptance of replay for the initialization vector, with known initialization vectors (padding and signaling messages), and of course when there are software bugs or corrupted memory.

4.1.3. Interfaces protection

LTE interfaces are accessible:

– from an antenna: X2 and S1;
– from other access networks: core network interfaces when applying IP mobility (MIPv4, DSMIPv6 and PMIP). Issue with trusted/untrusted interface concept;
– from public IP network: roaming interfaces (DIAMETER messages to HSS; signaling messages to MME; GTP sessions to packet data network (PDN)-gateway).

The only solution is to use IPsec ESP and IKEv2 (exchange of certificates between network equipments; Extensible Authentication Protocol (EAP) and USIM between mobiles and network equipments).

Figure 4.7. IPsec


4.1.4. Femtocells and relays

Miniaturized eNodeB manage user sessions without encryption, allowing eavesdropping. They have no access to high-level signaling (NAS), which eliminates fraud. They have access to eNodeB signaling (S1-AP and X2-AP).

Femtocells connect to the core network via the Internet (ADSL or other access). The protection of the wired access is ensured by IPsec.

Relays connect to eNodeB via a wideband LTE radio connection. They multiplex users’ sessions in one single session. They may be mobile.

Neither femtocells nor relays encrypt users’ sessions, so IPsec would be recommended between eNodeB and core network.

All these pieces of equipment must be checked for software development quality and system security.

4.1.5. Specifications

http://www.3gpp.org/specification-numbering

– TS 43.020: GSM and GPRS security;
– TS 33.102: UMTS security;
– TS 33.210 and TS 33.310: core network security;
– TS 33.401: LTE and EPC security;
– TS 33.402: security of non-3rd generation partnership project (3GPP) accesses to EPC;
– TS 33 series: security;
– TS 35 series: cryptography;
– TS 24 series: signalling between mobile and core network;
– TS 45 series: GSM and GPRS access network;
– TS 25 series: UMTS access network;
– TS 36 series: LTE access network;
– TS 31 series: (U)SIM cards.

4.2. SIM card

At first sight, a subscriber identity module (SIM)/USIM card generally shows a logo from the issuing operator as well as a printed number. In France, this number is called “numéro de série de carte externe” (NSCE); it is a row of 14 digits that identifies the card.

Figure 4.8. (U)SIM cards as released by the operator


The SIM card (ETSI/3GPP TS 51.011) was one of the very important innovations of GSM. It was the first worldwide mobile system where the mobile terminal is split in two subsystems:

– the UE providing all the telecommunication functions, especially the management of the radio access and the follow-up of communications;
– the SIM holding the identity of the customer as well as the keys and processes for authentication. The SIM (or USIM) is provided by one single operator (or mobile virtual network operator (MVNO)).

Access to its content is protected by a PIN code of 4 to 8 digits, but this PIN may be deactivated.

SIM cards are used by the GSM family of standards (GSM, UMTS and LTE). CDMA 2000 and the Japanese PDC optionally use SIM cards.

Figure 4.9. Structure of the UICC electronic chip


SIM bears a microelectronic component with a microcontroller and memory. It contains specific data related to the subscriber and the subscribed network. It also contains data and applications provided by the user, the network or other sources.

The major information stored in the SIM is the subscriber’s identifier, called international mobile subscriber identity (IMSI) and the identity of the subscribed network, given by its MCC and its MNC. The SIM is issued by a mobile network operator (MNO) or by an MVNO (which has no real network deployed in the country).

Today, the SIM card system is split in three subsystems:

– universal integrated circuit card (UICC): the UICC covers the hardware of the card and electronic chip, the OS of the microcomputer. UICC has a role in the management of authentication. UICC can also execute applications, which are based on the (U)SIM application toolkit and a Java Card environment. UICC is described in the standard ETSI TS 102 221;
– USIM is the UMTS and LTE telecommunication application. USIM follows 3GPP TS 21.111 and TS 21.1112 standards (USIM card requirements) and 3GPP TS 31.102 USIM application.
– IP Multimedia Services Identity Module (ISIM) is a set of non-telecommunication applications provided by third parties.

The term “SIM” now covers only the GSM application, which is described in 3GPP TS 51.011.

The SIM/USIM: UICC device provides:

– a safe element to store identifiers and the connection data of the subscriber;
– a removable element; this particularity allows us to personalize a new mobile set with the data of the subscriber. It is now possible to dissociate the choice of the operator (network operator or MVNO having no physical network in the field) from the choice of the terminal;
– a space to store personal data of the subscriber;
– a space where the operator can store its applications;
– a space to store the personalization of the terminal, e.g. for voice mail management. In particular, the operator will implement on the UICC specific (proprietary) applications with the SIM toolkit (or USIM toolkit) in a Java Card environment. In Java Card, executables are installed on the UICC. The SIM/USIM works in that case like a virtual machine.

4.2.1. SIM-lock

The European operators in the early 1990s decided to sell the mobile terminals at a subsidized price. In order to avoid cheating from dishonest customers, they urged the mobile manufacturers to implement an application binding the UE to the SIM/USIM. This is called SIM-lock. In this process, the SIM/USIM has no active part: it just provides the IMSI to the UE, and the UE checks whether this IMSI is accepted. Generally, the SIM-lock only checks the MCC–MNC couple, but in some cases it has been more restrictive. The calculation done by the mobile set makes use of the international mobile equipment identity (IMEI) number, which is implemented in the device by the manufacturer, identifies the mobile and is available when typing *#06# on the mobile. By government directive, the operator must provide a de-SIM-lock process. This process consists of entering a series of digits on the mobile keypad.

4.2.2. Electronic component of the UICC

Due to the fast increase of electronic chip capabilities, the electronic component of the card has been drastically improved since the introduction of the SIM in 1990. There are three constraints:

– size of the chip: since the card may be extracted from the mobile equipment (ME for GSM or UE for LTE), it is not possible to insert chips larger than 5 × 5 mm. Bigger chips are at risk of being broken;
– power consumption: powerful chips such as Intel PC chips, which need 1 W or more, cannot be used. The technology has evolved from 5 V components to 3 V, then 1.8 V, and the increased capabilities of the UICC have not brought increased energy consumption;
– cost: the SIM cannot be as expensive as the mobile, which compels the chip to stay in the range of one euro or lower.

The memory technology is now mainly Flash NAND, with relatively high capacity (up to around 1 MB).

4.2.3. Form factor

The UICC is manufactured along four different shapes (from left to right on the images hereafter):

– standard SIM (ID-1), following the requirements established for credit cards, no longer in use;
– mini SIM (second form factor (2FF) or ID-000), made necessary by the size of hand portable terminals;
– micro SIM (3FF, mini-UICC), in particular for connected tablets; used by the iPad of Apple;
– nano SIM (4FF), the last and the smallest sized component to date. It is used by Apple for the iPhone.

Figure 4.10. UICC form factors


The last avatars of UICC are FFs 1 and 2 (MFF 1 and MFF 2), designed for integration in various machine or robot cases. For example, the SIM installed in the dedicated “boxes” designed for the European emergency service and installed in vehicles.

Table 4.1. SIM/USIM applicable standards

The card is still delivered with the credit card size. Smaller devices are just to be pulled out.

Nano SIM has been introduced for the iPhone. Initially, Apple tried to embed the GSM/UMTS/LTE applications inside the ME/UE like it is with CDMA 2000, but accepted to use the SIM card with the reduced size.

4.2.4. SIM card physical interface

Figure 4.11. UICC contacts


The UICC physical interface provides eight contacts:

1) VCC (power supply);
2) RST (reset);
3) CLK (clock);
4) D+ (USB Inter-chip);
5) GND (ground);
6) VPP (voltage programming power);
7) I/O (input/output);
8) D- (USB Inter-chip).

4.2.5. UICC communication protocol

UICC and ME/UE exchange information following defined protocols.

The historic SIM-ME transmission, designed for bank cards, followed the T = 0 protocol:

– asynchronous;
– character mode;
– half duplex.

The newly standardized USB interface follows ETSI TS 102.600. It uses contacts C4 and C8 and is called the fast interface. Known as USB interchip (IC), it provides 12 Mbps half duplex. To reduce energy consumption, the physical electrical interface has been modified from the standard USB. It offers three classes:

– integrated circuit card device (ICCD) emulates the original SIM-ME interface along ISO/IEC 7816-4;
– mass storage to emulate a storage key;
– Ethernet emulation mode (EEM) allows us to carry IP packets, thus supporting User Datagram Protocol (UDP)/IP and Transmission Control Protocol (TCP)/IP.

C6 is used to interface with a contactless module to provide NFC services. The suitable interfaces are described in standards TS 102.613 single wire protocol (SWP) and TS 102.622 (HCI). Its characteristics are:

– full duplex;
– up to 1.6 Mbps;
– packets transmission (bit oriented).

Figure 4.12. NFC applications of the UICC


The UICC is a very small computer including a microprocessor, memories and interfaces. The OS is proprietary. It is designed and maintained by the card producer. The capacity of the memory ranges from 64 kb up to 1024 kb and even more. Considering the decreasing cost of microelectronics, higher sizes will probably be available. The memory is organized with tables and files.

The UICC is engineered to resist all kinds of attacks, both software and hardware born. It has an OS, e.g. JAVA, supporting the applications which are provided by the operator.

UICC memory technology is mainly Flash NAND. For multimedia applications an additional Flash card may be added for flexibility.

4.2.6. Operating system (OS) and virtual machines

UICC operates under the management of its OS. That OS is optimized for the relatively small size of the memory and the computing power of the module. Such OSs are proprietary and take benefit of the large experience of card manufacturers.

Figure 4.13. Example of UICC architecture


The memory is organized in directories and files. The rather simple file list of the GSM SIM is now enlarged to a very large number of items. (See further USIM directories).

Recent UICC includes virtual machines, generally designed in Java as specified by the Java Card Forum.

Figure 4.14. The complex structure of UICC applications in a modern device


4.2.7. (U)SIM authentication

The basic application manages the subscription and the rights of the customer. It is the reflection of the subscription data, which is registered in the HSS of the operator’s core network. The IMSI counts a maximum of 10 digits, beginning with MCC, then MNC, followed by the mobile subscriber identity number (MSIN) of maximum 10 digits (2 digits H1 identifying the home location register (HLR) holding the mobile subscriber’s information and up to 8 digits for H2 for the number of the subscription in the HLR). The HSS covers the functions of the HLR and of the authentication center (AuC).

The basic SIM application provides identification of the subscriber with the IMSI, which is stored in its memory, as well as the identity of the mobile operator holding the subscription. The operator issues the card. It is referenced with MCC + MNC (MCC with 3 digits, from 000 to 999 – 208 for metropolitan France; MNC with 2 digits, from 00 to 99).

The basic SIM application manages authentication of the customer and then ciphering parameters of the communication, providing the necessary keys.

Added value services can be implemented on top of this basic application, such as the delivery of information updated by the network operator (e.g. weather forecast, stock data and location related data).

Due to the progress of microelectronics, with technology constantly improving, from the micron size transistor of the 1980s to nanotechnologies of the 2010s, the computing power of the UICC has drastically improved and offers new specificities:

– some specificities are improvements, e.g. the subscriber’s table of contact will be improved from a few telephone numbers to more than 250 contacts storing fixed and mobile telephone numbers as well as e-mail addresses;
– some specificities are related to the evolution of the system, better management of the subscriber’s identity;
– with the evolution of the system also come evolutions of authentication, like EAP-SIM, allowing secure communications both on LTE and Wi-Fi.

4.2.8. LTE USIM

One of the key elements within the security of GSM, UMTS and now LTE was the concept of the subscriber identity module, SIM. This card carried the identity of the subscriber in an encrypted fashion and this could allow the subscriber to keep his/her identity while transferring or upgrading phones.

With the transition from 2G (GSM) to 3G (UMTS), the idea of the SIM was upgraded and a UMTS Subscriber Identity Module (USIM) was used. This gave more functionality, had a larger memory, etc.

For LTE, only the USIM may be used – the older SIM cards are not compatible and may not be used. USIM standard is to be found in 3GPP TS 21.111 – USIM card requirements.

USIM includes a new authentication process: EAP SIM.

4.2.9. ISIM

ISIM stands for IP Multimedia Services Identity Module and is an application running on the UICC. ISIM is the counterpart, on the UICC, of the IMS. In particular, ISIM is the repository of the parameters that identify and authenticate the user of IMS. The ISIM application coexists with USIM on the same UICC. With USIM and ISIM, the UICC provides the security parameters both for the mobile network and for the Internet.

Figure 4.15. The complex links of (U)SIM with the LTE world as seen by Telenor


Figure 4.16. UICC structure with ISIM

ISIM owns in its records the IP Multimedia Private Identity (IMPI), the home operator domain name, one or more IP Multimedia Public Identity (IMPU) and a long-term secret used to authenticate and calculate cipher keys. The first IMPU stored in the ISIM is used in emergency registration requests.

The detailed standard for ISIM is in TS31.103.

Figure 4.17. Example of ISIM application: digital right management, as seen by Telenor


4.2.10. Over the Air Activation (OTA)

An important feature is over the air activation (OTA). Initially, this feature had been necessary to ease subscriber’s activation. Now, OTA is used to modify and/or update the content of a number of files that are stored on the UICC.

The operator’s network can communicate with the SIM/USIM via:

– short message service (SMS);
– GPRS or EDGE and now LTE with the bearer independent protocol (BIP). This is particularly useful to save the content of the SIM/USIM on a centralized memory in order to give it back in case of destruction of the card;
– USB IC offers the possibility of fast transfer of data between the card and the terminal.

OTA is also widely used for refreshing the data stored in the USIM and possibly the ISIM. It allows us to keep a copy of the subscriber’s information, such as the agenda and the address book/phonebook on a central server. If the USIM is damaged, the central repository will be able to feed the new UICC/USIM with the saved information.

The SIM toolkit can be associated with the OTA to provide flexible and powerful services.

4.2.11. Security services

The USIM provides the parameters, which are involved in the authentication of the customer as well as for encryption of the information on the radio path. This has been described before.

4.2.12. USIM directories

3GPP provides the description of UICC and USIM directories in documents 31102-C30 – Characteristics of the Universal Subscriber Identity Module (USIM) application – and 31111-C30 – Universal Subscriber Identity Module (USIM) Application Toolkit (USAT). These two documents give the detail of all files in the USIM/UICC.

Figure 4.18. Example of OTA use for non-telecommunication applications


The structure of directories and identifiers in the UICC has been very precisely standardized, as follows:

NOTE 4.1.– Files under DFTELECOM with shaded background are defined in TS 51.011 [18].

NOTE 4.2.– The value “6F65” under ADFUSIM was used in earlier versions of this specification, and should not be reassigned in future versions.

NOTE 4.3.– Files under DFMMSS are defined in C.S0074-A [53].

Figure 4.19.


The USIM application makes use of the following directories and identifiers.

Figure 4.20.


Of course, this structure is far more complicated than the structure of GSM. Nevertheless, the USIM keeps the storage of the principal key K for the security of communications. When the subscriber registers to the network, the master key K, which is associated with the IMSI on the USIM, is sent to the HSS via the MME. The HSS in return sends a random number RAND as well as the expected response XRES, confidentiality and integrity keys Ck and Ik, respectively, and produces an authentication token (AUTN) for the network. From RAND and AUTN, the USIM calculates the response RES and the keys Ck and Ik. The MME verifies that RES is identical to XRES.

AUTN, Ck and Ik are combined with the serving network identity SNid to calculate the Kasme, master key for LTE/EPC sessions, using the HMAC-SHA-256 algorithm both in the UE and in the HSS. From Kasme, the UE and the MME calculate Knas enc, Knas int, Kenb and NH. The UE and the eNodeB calculate Kup enc, Krrc enc and Krrc int. Kenb and NH produce Kenb* through NCC. The keys for UP (key of the session), for RRC (radio signaling) and for eNB are recalculated by the successive eNodeB involved in the communication.
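The key chain described above and in sections 4.1.2.1 and 4.1.2.2, as an added example (not code from the book or from 3GPP). It assumes the key derivation function of TS 33.401 Annex A: the FC codes, parameter layouts and algorithm type values come from that annex, not from this chapter, and CK, IK, SQN xor AK and the cell parameters are constructed sample values.

```python
import hashlib
import hmac

# FC codes and parameter layouts below are assumed from 3GPP TS 33.401 Annex A.

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """HMAC-SHA-256(key, S) with S = FC || P0 || L0 || P1 || L1 ... (Li = 2-byte length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def encode_plmn(mcc: str, mnc: str) -> bytes:
    """SN id: MCC+MNC as 3 octets of swapped BCD digits; a 2-digit MNC gets filler 0xF."""
    if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    mnc3 = int(mnc[2]) if len(mnc) == 3 else 0xF
    return bytes([int(mcc[1]) << 4 | int(mcc[0]),
                  mnc3 << 4 | int(mcc[2]),
                  int(mnc[1]) << 4 | int(mnc[0])])

def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME (256 bits), computed on the UE side and in the HSS. SQN xor AK is the
    first 6 bytes of AUTN, which is how AUTN enters the derivation."""
    if (len(ck), len(ik), len(sn_id), len(sqn_xor_ak)) != (16, 16, 3, 6):
        raise ValueError("expected CK/IK of 16 bytes, SN id of 3, SQN xor AK of 6")
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)

def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    """Initial KeNB, computed by the UE and the MME."""
    return kdf(kasme, 0x11, uplink_nas_count.to_bytes(4, "big"))

def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    """Next Hop (NH): sync_input is the initial KeNB, then the previous NH."""
    return kdf(kasme, 0x12, sync_input)

def derive_kenb_star(base_key: bytes, pci: int, earfcn_dl: int) -> bytes:
    """KeNB* for the target cell; base_key is the current KeNB or a fresh NH."""
    earfcn_len = 2 if earfcn_dl < 65536 else 3
    return kdf(base_key, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(earfcn_len, "big"))

ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05}

def derive_alg_key(parent: bytes, alg_type: str, alg_id: int) -> bytes:
    """128-bit ciphering/integrity key: the 128 least significant bits of the KDF output.
    parent is KASME for NAS keys and KeNB for RRC/UP keys; alg_id 2 = EEA2/EIA2 (AES)."""
    return kdf(parent, 0x15, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[16:]

def handover_chain(kasme: bytes, kenb: bytes, hops):
    """Replay handovers given as (pci, earfcn_dl, vertical); return [(NCC, KeNB), ...].
    Horizontal: KeNB* from the current KeNB, so the source eNodeB can compute it.
    Vertical: KeNB* from a fresh NH, which needs KASME (held by UE and MME only)."""
    ncc, sync_input, keys = 0, kenb, []
    for pci, earfcn_dl, vertical in hops:
        if vertical:
            sync_input = derive_nh(kasme, sync_input)
            ncc = (ncc + 1) % 8  # NCC is a 3-bit counter
            kenb = derive_kenb_star(sync_input, pci, earfcn_dl)
        else:
            kenb = derive_kenb_star(kenb, pci, earfcn_dl)
        keys.append((ncc, kenb))
    return keys

if __name__ == "__main__":
    # Constructed sample values, not taken from a real subscriber or network.
    ck, ik = bytes(range(16)), bytes(range(16, 32))
    kasme = derive_kasme(ck, ik, encode_plmn("208", "01"), bytes.fromhex("010203040506"))
    kenb = derive_kenb(kasme, 0)
    print("KASME    ", kasme.hex())
    print("KNAS enc ", derive_alg_key(kasme, "NAS-enc", 2).hex())
    print("KRRC int ", derive_alg_key(kenb, "RRC-int", 2).hex())
    for ncc, key in handover_chain(kasme, kenb, [(101, 1850, False), (102, 1850, True)]):
        print(f"NCC={ncc} KeNB*", key.hex())
```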

A detailed description of the relevant processes can be found in the TS36 series, dealing with LTE/EPC access, and in TS33.401, security of LTE and EPC access, completed with TS33.402, security of access to EPC by non-3GPP networks.

TS31 series is devoted to USIM.

4.2.13. The UICC/SIM/USIM/ISIM industry

To finish this general presentation, let us quote the most important actors in the business of the SIM/USIM. At the beginning are the manufacturers of microchips. For a SIM/USIM, the size of the chip is limited due to risks of breaking a “large” chip during the tough use of the mobile. ST Microelectronics is an important producer of those chips. Its advantage is the low consumption of its products. The German card manufacturers will use Infineon products. On distant markets, Samsung has a share. Nevertheless, the UICC does not implement the latest technology for cost reasons. Many UICC designs are still based on 100 nm technology (to be compared to 7 to 10 nm available for decoders).

On the component, the card maker will implement the OS and the applications.

The next step is to stick the microchip on a plastic support. Easy to express and difficult to realize. Silicon and plastic do not like to be married. On top of that comes the printing of logos and numbers, which is typically the skill of printers. Among the producers of cards, Gemalto is an important actor.

The last step is to personalize the card, with the introduction of network generated information personalizing each individual card. A very precise database must be kept of all that has been put in the UICC for further process in case of problem.

4.2.14. EAP-SIM and EAP

EAP is a universal mechanism for identification.

The protocol exchanges frames with a specific EAP format. At its origin, EAP has been designed to be carried by PPP (RFC-2284). It has been extended by RFC-3748 to be used on all wired networks. Nevertheless, it is mostly in use on wireless systems.

WPA and WPA2, well-known standards of Wi-Fi authentication, have adopted EAP with five identification mechanisms:

– EAP-TLS creates a secure tunnel with two certificates (one on the server side and the other on the client side) before authentication;
– EAP-TTLS/MSCHAPv2 is an IETF standard (EAP-tunneled transport layer security). It uses X-509 certificates solely on the server side. The certificate on the client side is optional;
– PEAPv0/EAP-MS-CHAPv2;
– PEAPv1/EAP-GTC, also an IETF standard (protected extensible authentication protocol (PEAP) or protected EAP), is similar to EAP-TTLS: they both use a public key infrastructure (PKI) only on the server side for the creation of a TLS encrypted tunnel that protects identification;
– EAP-SIM is an EAP method for subscribers of Wi-Fi and mobile systems like GSM, UMTS and LTE. It is described in RFC-4186. This protocol allows subscribers of mobile networks to use the Wi-Fi high-speed Internet access provided by the same operator. The key length in EAP-SIM is 64 bits.

Another version, called lightweight extensible authentication protocol (LEAP) has been strongly promoted by CISCO. This protocol seems less secure than the others.
