
Content for  TR 33.816  Word version:  10.0.0


1  Scope

The present document provides an analysis of the security issues that arise from including Relay Nodes (RN) in the LTE network. It also contains several solutions for securing the relay architecture chosen by the RAN groups, a comparison between those solutions, and the reasoning behind the choice of a particular solution.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1]  TR 21.905: "Vocabulary for 3GPP Specifications".
[2]  TS 33.401: "3GPP System Architecture Evolution (SAE); Security architecture".
[3]  TS 33.320: "Security of Home Node B (HNB) / Home evolved Node B (HeNB)".
[4]  TS 36.300: "Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Overall description; Stage 2".
[5]  NIST Special Publication 800-56B: "Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography", August 2009.
[6]  RFC 5296: "The Transport Layer Security (TLS) Protocol Version 1.2".
[7]  TS 33.310: "Network Domain Security (NDS); Authentication Framework (AF)".
[8]  TS 33.110: "Key establishment between a UICC and a terminal".
[9]  TS 31.116: "Remote APDU Structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications".
[10]  TS 24.301: "Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3".
[11]  TS 33.220: "Generic Authentication Architecture (GAA); Generic bootstrapping architecture".
[12]  ETSI TS 102 484: "Secure channel between a UICC and an end-point terminal".
[13]  RFC 4366: "Transport Layer Security (TLS) Extensions".
[14]  TS 33.102: "3G Security; Security architecture".
[15]  TS 31.101: "UICC-terminal interface; Physical and logical characteristics".
[16]  TS 23.401: "General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access".
[17]  RFC 2560: "Online Certificate Status Protocol - OCSP".
[18]  RFC 5705: "Keying Material Exporters for Transport Layer Security (TLS)".
[19]  RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile".

3  Definitions, symbols and abbreviations

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
RN subscription authentication:
This form of authentication is performed between the RN in its role as a UE and the MME-RN. It is performed using the EPS AKA protocol as defined in TS 33.401 and involves a USIM on a UICC inserted in the RN.
RN platform authentication:
This form of authentication is performed between a secure environment in the RN platform and a network entity. For the purpose of this definition, the RN platform encompasses both the ME functionality of the RN and the eNB functionality of the RN. As a result of this authentication the network entity (e.g. Donor eNB, HSS or MME-RN) has verified that the secure environment in the RN is in possession of a secret key associated with the RN. RN platform authentication is intended to additionally provide implicit proof of the integrity of the RN platform to the network entity. This is achieved by assuming that the secure environment in the RN engages in RN platform authentication only after a successful autonomous RN platform validation has been performed by the secure environment.
RN-UICC secure channel authentication:
This is any authentication performed as part of the setup of a secure channel between an RN and a UICC, for example according to ETSI TS 102 484 "Smart cards; Secure channel between a UICC and an end-point terminal", where the "end-point terminal" is the RN. The RN-UICC secure channel terminates in the RN secure environment.
RN management authentication:
This form of authentication is performed between a secure environment in the RN platform and a network management entity. For the purpose of this definition, the RN platform encompasses the RN management functionality of the RN. As a result of this authentication a network management entity has verified that the secure environment in the RN is in possession of a secret key associated with the RN. RN management authentication is intended to additionally provide implicit proof of the integrity of the RN platform's management capability to a network management entity. This is achieved by assuming that a secure environment in the RN engages in RN management authentication only after a successful autonomous RN validation of the management capabilities has been performed by the secure environment.
RN authentication:
This term is an umbrella term for the above forms of RN authentication.
Platform Secure Environment:
This follows the definition and requirements as specified in 5.3.5 of TS 33.401.

3.2  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
DeNB      Donor eNB
MME-RN    MME serving the RN
MME-UE    MME serving the UE
RN        Relay Node
P-GW-RN   P-GW serving the RN
S-GW-RN   S-GW serving the RN