LTE Security I: Concept and Authentication

July 31, 2013 | By Netmanias ([email protected])

Online viewer:

HTML

PDF Viewer (paper file)

PDF Viewer (ppt file)

SUMMARY
The LTE Security technical document consists of two companion documents:
this first document (Part I LTE Security I) and the second document (Part II
LTE Security II) that follows. These documents will cover the following three
topics: LTE authentication (in Part I) and NAS security and AS security (in Part
II). In Part I, an overview of LTE security explaining the concept of the three
topics and the relationship among them will be given, followed by a detailed
description of LTE authentication procedure.

Table of Contents
I. Introduction
II. LTE Security Concept
III. LTE Authentication Procedure
IV. Closing
References

I. Introduction
Wireless communication, in its nature, is always at a risk of eavesdropping or
manipulation because data originally sent from/to a user may be received and
unlawfully used by an unintended user. Locations or traveling routes of a user can also
be easily tracked by tracing to which cells the user is connected or through which cells
the user is travelling. And this can result in privacy infringement. Mobile
communication networks provide security features to ensure data transferred across

radio links is not manipulated, prevent unauthorized access by an unintended user to

the data received, and protect the privacy of users.
The LTE Security document describes basic security features offered by LTE networks,
including LTE authentication, NAS (Non Access Stratum) security and AS (Access
Stratum) security. LTE authentication is the process of determining whether a user is
an authorized subscriber to the network that he/she is trying to access, while NAS
security and AS security are features required to securely deliver user data that
travels through LTE radio links at NAS and AS levels.
The LTE Security document consists of the following two companion documents: Part
I, LTE Security I, and Part II, LTE Security II. Part I will explain the concept of LTE
security and the detailed procedure of LTE authentication, and Part II will discusses
NAS and AS security setup.
Part I is organized as follows: In Chapter II, the scope of these two companion
documents will be defined and a conceptual overview will be given. Chapter III will
focus on the detailed procedure of LTE authentication and Chapter IV will summarize
the LTE authentication and the LTE authentication-related keys.

II. LTE Security Concept

2.1 Scope and Concept of LTE Security
Figure 1 below shows the scope and overall concept of the LTE Security documents.
The scope of these documents will include the following three areas:
LTE Authentication: performs mutual authentication between a UE and a
network.
NAS Security: performs integrity protection/verification and ciphering
(encryption/decryption) of NAS signaling between a UE and an MME.
AS Security
performs integrity protection/verification and ciphering of RRC signaling
between a UE and an eNB.
performs ciphering of user traffic between a UE and an eNB.

Figure 1. Scope and concept of LTE security

LTE Authentication
In mobile communication networks, authentication refers to the process of
determining whether a user is an authorized subscriber to the network that he/she is
trying to access. Among various authentication procedures available in such networks,
EPS AKA (Authentication and Key Agreement) procedure is used in LTE networks for
mutual authentication between users and networks.
The EPS AKA procedure consists of two steps. First, an HSS (Home Subscriber Server)
generates EPS authentication vector(s) (RAND, AUTN, XRES, KASME) and delivers them
to an MME. Then in the second step, the MME selects one of the authentication vectors
and uses it for mutual authentication with a UE and shares the same authentication
key (KASME) each other. Mutual authentication is the process in which a network and a

user authenticate each other. In LTE networks, since the ID of the user's serving
network is required when generating authentication vectors, authentication of the
network by the user is performed in addition to authentication of the user by the
network.
ASME (Access Security Management Entity) is an entity that receives top-level key(s),
from an HSS, to be used in an access network. In EPS, an MME serves as ASME and
KASME is used as the top-level key to be used in the access network. The MME, on
behalf of an HSS, conducts mutual authentication with a UE using KASME. Once
mutually authenticated, the UE and MME get to share the same KASME as an
authentication key.
To avoid any possible eavesdropping or manipulation of data across radio links, KASME is
not delivered to the UE via E-UTRAN. Instead, the MME delivers part of authentication
vector to the UE, which uses it to authenticate the network and generates K ASME as
the HSS does.

NAS Security
NAS security, designed to securely deliver signaling messages between UEs and MMEs
over radio links, performs integrity check (i.e., integrity protection/verification) and
ciphering of NAS signaling messages. Different keys are used for integrity check and
for ciphering. While integrity check is a mandatory function, ciphering is an optional
function. NAS security keys, such as integrity key (KNASint) and ciphering key (KNASenc),
are derived by UEs and MMEs from KASME.

AS Security
AS security is purposed to ensure secure delivery of data between a UE and an eNB
over radio links. It conducts both integrity check and ciphering of RRC signaling
messages in control plane, and only ciphering of IP packets in user plane. Different
keys are used for integrity check/ciphering of RRC signaling messages and ciphering
of IP packets. Integrity check is mandatory, but ciphering is optional.
AS security keys, such as KRRCint, KRRCenc and KUPenc, are derived from KeNB by a UE and
an eNB. KRRCint and KRRCenc are used for integrity check and ciphering of control plane
data (i.e., RRC signaling messages), and KUPenc is used for ciphering of user plane data
(i.e., IP packets). Integrity check and ciphering are performed at the PDCP (Packet
Data Convergence Protocol) layer.
A UE can derive KeNB from KASME. However, since KASME is not transferred to an eNB, an
MME instead generates KeNB from KASME and forwards it to the eNB.

2.2 Overview of LTE Security Procedure

Figure 2 shows the overview of LTE security procedure.

displays LTE authentication

procedure while
and
demonstrate security setup procedures for NAS and AS
respectively. A brief description of each procedure will be given below first. Then, a
detailed explanation on the LTE authentication procedures and NAS and AS security
setup procedures will be given in Chapter III hereof and again in Part II, LTE Security
II, that follows.

Figure 2. Overview of LTE security procedure

LTE Authentication
When a user requests for access to a LTE network, mutual authentication between the
user and the network is conducted using EPS AKA procedure. An MME, upon receipt of
such request, identifies the user using his/her IMSI and requests authentication
vector(s) (AVs) from an HSS1. The HSS then generates AV(s) using EPS AKA
algorithm, AV={RAND, XRES, AUTNHSS, KASME}, and forwards them to the MME.

After storing the AVs, the MME selects one of them and uses it to perform mutual
authentication with the UE2. The MME forwards RAND and AUTNHSS to the UE, which
then computes RES, AUTNUE and KASMEusing EPS AKA algorithm. The UE now compares
its own AUTNUE and AUTNHSS received from the MME for network authentication. Once
authenticated, RES is forwarded to the MME, which then compares the XRES received
from the HSS and the RES received from the UE for user authentication. If the UE and
network have authenticated each other, they share the same key KASME (KASME is not
transferred between UE and MME, though).

NAS Security
Once the UE and MME have authenticated each other and the same key KASME is
shared, NAS security setup procedure begins. In this procedure, NAS security keys to
be used when delivering NAS signaling messages are derived from KASME for secure
delivery of these messages. This procedure consists of a round trip of NAS signaling
messages (Security Mode Command and Security Mode Completemessage), and
begins when the MME delivers a Security Mode Command message to the UE.
First, the MME selects NAS security algorithms (Alg-ID: Algorithm ID) and uses them
to create an integrity key (KNASint ) and a ciphering key (KNASenc) from KASME. Then, it
applies KNASint to the Security Mode Command message to generate an NAS
message authentication code (NAS-MAC, Message Authentication Code for NAS for
Integrity). The MME then delivers the Security Mode Commandmessage including
the selected NAS security algorithms and the NAS-MAC to the UE. As the UE does not
know the selected encryption algorithm yet, this message is integrity protected only
but not ciphered.
Upon receiving the Security Mode Command message, the UE verifies the integrity
thereof by using the NAS integrity algorithm selected by the MME and uses NAS
integrity/ciphering algorithm to generate NAS security keys (KNASint and KNASenc) from
KASME. Then it ciphers the Security Command Completemessage with KNASenc and
generates a message authentication code, NAS-MAC with KNASint to the ciphered
message. Now it forwards the ciphered and integrity protected message to the MME
with the NAS-MAC included.
Once the MME successfully verifies the integrity of the received Security Mode
Complete message and has them decrypted using the NAS security keys (KNASint and
KNASenc), the NAS security setup procedure is completed.
Once the NAS security is set up, NAS signaling messages between the UE and the
MME are ciphered and integrity protected by the NAS security keys and then securely
delivered over radio links.

AS Security
After NAS security setup is finished, AS security setup procedure between a UE and an
eNB begins. In this procedure, AS security keys to be used when delivering RRC
signaling messages and IP packets are derived from KeNB for secure delivery of these
data. This procedure consists of a round trip of RRC signaling messages (Security
Mode Command and Security Mode Complete message), and begins when an eNB
delivers Security Mode Command message to the UE.
First, the MME calculates KeNB from KASME and delivers it to the eNB, which uses it to
perform the AS security setup procedure. The eNB selects AS security algorithms (AlgID: Algorithm ID) and uses them to create an integrity key (KRRCint) and a ciphering
key (KRRCenc), from KeNB. to be used for RRC signaling messages, and a ciphering key
(KUPenc) to be used in the user plane. Then, it applies KRRCint to the Security Mode
Command message to generate a message authentication code (MAC-I, Message
Authentication Code for Integrity). The eNB now delivers the Security Mode
Command message including the selected AS security algorithms and the MAC-I to
the UE.
Upon receiving the Security Mode Command message from the eNB, the UE verifies
the integrity thereof by using the AS integrity algorithm selected by the eNB and uses
AS integrity/ciphering algorithm to generate AS security keys (KRRCint, KRRCenc and
KUPenc). Then it generates a message authentication code, MAC-I, with the RRC
integrity key to the Security Command Complete message, and then forwards the
message including the MAC-I to the eNB.
When the eNB successfully verifies the integrity of the received Security Mode
Complete message by using the AS integrity key, the AS security setup procedure is
completed.
After the AS security is set up, RRC signaling messages between the UE and the eNB
are ciphered and integrity protected by the AS security keys, and user IP packets are
encrypted and then securely delivered over radio links.

III. LTE Authentication Procedure

The LTE authentication procedure briefly described in Chapter II will be further
discussed below. Figure 3 shows the EPS AKA-based LTE authentication procedure that
is performed when a UE attaches to the LTE network. On the USIM and in the
HSS/AuC are stored a permanent key, LTE key (K), and IMSI3. These LTE key (K) and

IMSI are stored on the USIM card when UE is being manufacturing, and provisioned in
the SS/AuC when a user begins subscription to his/her operators network.

Figure 3. LTE authentication procedure

3.1 Authentication Request by UE

[UE MME] Request by UE for Network Registration
When a UE attempts to access the network for initial attach, it delivers Attach
Request (IMSI, UE Network Capability, KSIASME=7) message to an MME. And this
triggers EPS AKA procedure. The following information elements are included in
the Attach Request message:

IMSI: International Mobile Subscriber Identity, a unique identifier associated with

the user

UE Network Capability: security algorithms available to UE

KSIASME=7: indicates UE has no authentication key

UE network capability informs the MME of what kinds of capability the UE has related
to EPS, and indicates which NAS and AS security algorithms, i.e., EPS Encryption
Algorithms (EEA) and EPS Integrity Algorithms (EIA) are supported by the UE. Each of
them has a value of 1 bit that is presented as on (supported) or off (not supported)
(e.g. EEA0=on, EEA1=on, EEA2=off, , EIA1=on, EIA2=on, ). Table 1 lists some of
UE network capability information, specifically ciphering and integrity protection
algorithms defined in [3].
Table 1. UE network aapability information EEA and EIA [3]
EEA

EIA

EEA0

Null ciphering algorithm

EIA04

Null integrity protection algorithm

128-EEA1

SNOW 3G

128-EIA1

SNOW 3G

128-EEA2

AES

128-EIA2

AES

128-EEA3

ZUC

128-EIA3

ZUC

KSIASME identifies KSIASME for te UE and the MME. It is 3 bits and has values ranging
from 0 ('000') to 7 ('111'), where 7 ('111') indicates the UE has no K ASME available.

3.2 Authentication Data Exchange between MME and HSS

[MME HSS] Request by MME for Authentication Data

The MME recognizing the UE has no KASME available initiates LTE authentication
procedure to get new authentication data by sending an Authentication Information
Request (IMSI, SN ID, n, Network Type) message to the HSS. Message parameters
used for this purpose are as follows:

IMSI: a unique identifier associated with the user

SN ID (Serving Network ID): refers to the network accessed by the user. Consists
of PLMN ID (MCC+MNC).

n (number of Authentication Vectors): No. of authentication vectors that MME

requests

Network Type: type of the network accessed by UE (E-UTRAN herein)

Upon receipt of the Authentication Information Request message from the MME,
the HSS generates RAND and SQN, and creates XRES, AUTN, CK and IK using EPS
AKA algorithm with LTE key (K), SQN and RAND. Thereafter, using CK, IK, SQN and
SN ID, it derives a top-level key (KASME) of the access network, from Key Derivation
Function (KDF), to be delivered to the MME. KDF is a one-way has function. Since SN
ID is required when deriving KASME, KASME is derived again if the serving network is
changed. After KASME is derived, the HSS forms authentication vectors AVi=(RANDi,
AUTNi, XRESi, KASMEi), i=0..n.

[MME HSS] Response by HSS to the Authentication

Data Request
THe HSS forms as many AVs as requested by the MME and then delivers
an Authentication Information Answer (AVs) message to the MME.

3.3 Mutual Authentication by UE and MME

The MME stores the AVs received from the HSS, and selects one of them to use in LTE
authentication of the UE. In Figure 3, the MME selected ith AV (AVi). KASME is a base
key of MME and serves as a top-level key in the access network. It stays within EPC
only and is not delivered to the UE through E-UTRAN, which is not secure. The MME
allocates KSIASME, an index for KASME, and delivers it instead of KASME to the UE so that
the UE and the MME can use it as a substitute for KASME (in Fig. 3, KSIASME=1).

[UE MME] Request by MME for User Authentication

The MME keeps KASMEi and XRESi in AVi but delivers KSIASMEi, in substitution for KASMEi,
RANDi and AUTNias included in the Authentication Request (KSIASMEi, RANDi, AUTNi)

message to the UE. XRESi is used later in

authenticating the user.

when

The UE, upon receiving the Authentication Request message from the MME,
delivers RANDi and AUTNito USIM. USIM, using the same EPS AKA algorithm that the
HSS used, derives RES, AUTNUE, CK and IK with the stored LTE key (K) and RANDi and
SQN generated from the HSS5. The UE then compares AUTNUE generated using EPS
AKA algorithm and AUTN received from MME (AUTNi in Fig. 3) to authenticate the LTE
network (the serving network).

[UE MME] Response by UE to User Authentication

Once the UE completes the network authentication, it delivers an Authentication
Response (RES) including RES generated using EPS AKA algorithm to MME. If the

network authentication using AUTN fails in

, UE sends
an Authentication Failure (CAUSE) message that contains a CAUSE field stating
reasons for such failure.
When the MME receives the Authentication Response message from the UE, it
compares RES generated by the UE and XRESi of the AV received from the HSS to
authenticate the user.
USIM delivers CK and IK to the UE after its network authentication is completed. The
UE derives KASMEusing Key Derivation Function (KDF) with CK, IK, SQN and SN ID and
stores it using KSIASME received from the MME as its index. Thereafter, KSIASME is used
instead of KASME during the NAS security setup between the UE and the MME.

IV. Closing
We have discussed the LTE authentication, one of the LTE security topics. As seen so
far, LTE authentication is mutual authentication performed by and between a user and
a network based on EPS AKA procedure. An MME in the serving network performs
mutual authentication with a UE on behalf of an HSS, and as a result, KASME is shared
by the UE and the MME. Table 2 summarizes the LTE authentication-related keys
covered herein. In Part II, LTE Security II, that follows, NAS and AS security setup
procedures based on KASME discussed herein will be further explained.
Table 2. LTE security keys: authentication
Key

Length

Location

Derived from

Description

128 bits

USIM, HSS/AuC

LTE key

CK

128 bits

USIM, HSS/AuC

Cipher key

IK

128 bits

USIM, HSS/AuC

Integrity key

KASME

256 bits

UE, HSS, MME

CK, IK

MME base key

References

[1] Netmanias Technical Document, LTE Security II: NAS and AS Security, August
2013.
[2] 3GPP TS 24.301, Non-Access-Stratum (NAS) Protocol for Evolved Packet System
(EPS); Stage 3.
[3] 3GPP TS 33.401, 3GPP System Architecture Evolution (SAE); Security
Architecture.
[4] NMC Consulting Group Internal Report, E2E LTE Network Design, August 2010.

Footnotes
1 MME may request for more than one authentication vectors.
2 In general, UE consists of USIM and ME. USIM handles mutual authentication and
ME delivers authentication information between MME and USIM. Once the network is
successfully authenticated, USIM calculates CK and IK and delivers them to ME, which
then calculates KASME based on them. USIM and ME are collectively referred to as UE
herein for the sake of convenience unless it is required to refer to USIM specifically.
3 LTE key (K) is stored in AuC (Authentication Center) in operator's network and in
USIM in UE. In Figures herein, AuC and HSS are collectively referred to as HSS, and
USIM and ME as UE for the sake of convenience.
4 EIA0 is allowed in an unauthorized emergency call only.
5 SQN is concealed in AUTNi.