Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x
Top   in Index   Prev   Next

TR 33.863
Study on Battery efficient Security
for Very Low Throughput Machine Type Communication (MTC) Devices

3GPP‑Page   fToC   Partial Content
V14.2.0 (Wzip)  2017/06  109 p.
Rapporteur:
Mr. Evans, Tim P.
VODAFONE Group Plc

full Table of Contents for  TR 33.863  Word version:  14.2.0

each clause number in 'red' refers to the equivalent title in the Partial Content
Here   Top
1Scope  p. 8
2References  p. 8
3Definitions, symbols and abbreviations  p. 10
3.1Definitions  p. 10
3.2Symbols  p. 10
3.3Abbreviations  p. 10
4Background and key objectives  p. 12
4.0Motivation  p. 12
4.1Architectural assumptions  p. 12
4.2Clarification of "device to enterprise security" term  p. 13
4.3"Device to enterprise" user plane protection  p. 14
4.4"Device to HPLMN" user plane protection  p. 14
4.5Battery usage challenges  p. 15
4.6Cellular IoT traffic model  p. 15
5Key issues  p. 16
5.1Issue 1: N-PDU data tampering and eavesdropping  p. 16
5.1.1Issue description  p. 16
5.1.2Threat description  p. 16
5.1.3Security requirements  p. 16
5.2Issue 2: Efficient user data protection challenges  p. 16
5.2.1Issue description  p. 16
5.2.2Threat description  p. 17
5.2.3Security requirements  p. 17
5.3Issue 3: "VPLMN Specific Needs"  p. 17
5.3.1Issue description  p. 17
5.3.2Threat description  p. 17
5.3.3Security requirements  p. 17
5.4Issue 4: End-to-end security  p. 17
5.4.1Issue description  p. 17
5.4.2Threat description  p. 18
5.4.3Security requirements  p. 18
6Candidate solutions  p. 18
6.0General  p. 18
6.1Solution #1: "UE to HPLMN" security solutions based on UMTS/EPS AKA enhancements.  p. 18
6.1.1Introduction  p. 18
6.1.2Solution description  p. 19
6.1.2.1"UE to HPLMN" security solution with HSE context establishment procedure  p. 19
6.1.2.2"UE to HPLMN" security solution with HLR push procedure - Alternative  p. 21
6.1.2.3"UE to HPLMN" security solution with HSE pull procedure  p. 22
6.1.2.4Key derivation rules  p. 24
6.1.2.5Solution variant: End to Middle Key Server  p. 25
6.1.2.6Solution variant: key derivation on the ME (EPS AKA only)  p. 25
6.1.3Solution evaluation  p. 26
6.2Solution #2: "End-to-middle security based on AKA"  p. 26
6.2.1Introduction  p. 26
6.2.2Solution description  p. 26
6.2.2.1End-to-middle security solution based on AKA  p. 26
6.2.2.2Key derivation rules  p. 27
6.2.2.3Usage of e2m security  p. 27
6.2.3Solution evaluation  p. 28
6.3Solution #3: "Independent VPLMN and e2m security associations"  p. 28
6.3.1Introduction  p. 28
6.3.2Solution description  p. 28
6.3.2.1Independent VPLMN and e2m security associations  p. 28
6.3.3Solution evaluation  p. 29
6.4Solution #4: "Security policies"  p. 29
6.4.1Introduction  p. 29
6.4.2Solution description  p. 30
6.4.2.1Authentication and key usage policy  p. 30
6.4.2.2Algorithm policy  p. 30
6.4.2.3VPLMN Specific Algorithm policies  p. 30
6.4.3Solution evaluation  p. 30
6.5Solution #5: "End-to-end security solution"  p. 31
6.5.1Introduction  p. 31
6.5.2Solution Description  p. 31
6.5.2.1Specific e2e security association  p. 31
6.5.2.2Derivation of e2eKEYSET  p. 31
6.5.2.3Triggering the key derivation  p. 31
6.5.2.4Setting the timer  p. 32
6.5.2.5Interfaces of the EESE  p. 32
6.5.3Solution Evaluation  p. 32
6.6Solution #6: Bearer protection  p. 32
6.6.1Introduction  p. 32
6.6.2Solution description  p. 32
6.6.3Solution evaluation  p. 33
6.7Solution #X: "End-to-end" for solutions 1 and 2  p. 33
6.7.1Introduction  p. 33
6.7.2Solution #1 and #2 in End-to-End case  p. 33
6.7.3Solution Evaluation  p. 33
6.8Solution #8: Complete end to middle solution  p. 34
6.8.1Introduction  p. 34
6.8.2Solution description  p. 35
6.8.2.1Proposed Architecture  p. 35
6.8.2.2Service Discovery and Negotiation  p. 35
6.8.2.3Ability to enable and disable the BEST service  p. 39
6.8.2.4End to Middle Security User Plane and Signalling Plane  p. 40
6.8.2.4.1Data transport  p. 40
6.8.2.4.2End to Middle Secured Data Protocol (EMSDP)  p. 40
6.8.2.4.3EMSDP general structure  p. 40
6.8.2.4.3aEMSDP Counter Schemes  p. 42
6.8.2.4.4EMSDP Integrity protection  p. 42
6.8.2.4.5EMSDP Encryption  p. 43
6.8.2.4.6EMSDP Commands  p. 44
6.8.2.7Key Agreement and Refreshing  p. 45
6.8.2.7.1Overview  p. 45
6.8.2.7.2Key setup messaging between HSE and UE  p. 45
6.8.2.7.3BEST key derivation mechanism  p. 48
6.8.2.8Starting a BEST service session  p. 49
6.8.2.8.1UE initiated BEST session  p. 49
6.8.2.8.2HSE initiated BEST session  p. 50
6.8.2.9Resuming a BEST session following a power cycle at the UE or a re-attach  p. 50
6.8.2.10BEST service session operation  p. 50
6.8.2.11Ending a BEST service session  p. 50
6.8.3Solution Evaluation  p. 50
6.9Solution #9: Complete end to end solution  p. 51
6.9.1Introduction  p. 51
6.9.2Solution description  p. 52
6.9.2.1Proposed Architecture  p. 52
6.9.2.2Service Discovery and Negotiation  p. 53
6.9.2.3Ability to Enable and Disable the BEST service  p. 53
6.9.2.4End to Middle Security User Plane and Signalling Plane  p. 53
6.9.2.4.1Data transport  p. 53
6.9.2.4.2End to Middle Secured Data Protocol (EMSDP)  p. 53
6.9.2.4.3EMSDP general structure  p. 54
6.9.2.4.3AEMSDP Counter Schemes  p. 54
6.9.2.4.4EMSDP Integrity protection  p. 54
6.9.2.4.5EMSDP Encryption  p. 54
6.9.2.4.6EMSDP Commands  p. 54
6.9.2.7Key Agreement and Refreshing  p. 57
6.9.2.7.1Overview  p. 57
6.9.2.7.2Key setup messaging between HSE and UE  p. 57
6.9.2.7.3BEST key derivation mechanism  p. 60
6.9.2.8Starting a BEST service session  p. 62
6.9.2.8.1UE initiated BEST session  p. 62
6.9.2.8.2HSE initiated BEST session  p. 63
6.9.2.9Resuming a BEST session following a power cycle at the UE or a re-attach  p. 63
6.9.2.10BEST service session operation  p. 64
6.9.2.11Ending a BEST service session  p. 64
6.9.3Solution Evaluation  p. 64
6.10Solution #10: "AKA-based session key generation for application protocols"  p. 64
6.10.1Introduction  p. 64
6.10.2Solution description  p. 65
6.10.2.1Features  p. 65
6.10.2.2Interface between EMKS and EMSE  p. 68
6.10.2.2.1Introduction  p. 68
6.10.2.2.2Procedures over the RESTful HTTP reference point  p. 68
6.10.2.3Example use of solution 10: information flow using pre-shared key DTLS  p. 69
6.10.3Solution evaluation  p. 71
6.11Solution #11: A method for IoT service layer security bootstrapping solution  p. 71
6.11.1Introduction  p. 71
6.11.2Solution description  p. 72
6.11.2.1Proposed architecture  p. 72
6.11.2.2Security boostrapping and key refreshing  p. 72
6.11.2.2.1Overview  p. 72
6.11.2.2.2Key agreement and boostrapping with HSS deriving master session key  p. 72
6.11.2.2.3Key refreshing  p. 75
6.11.3Solution evaluation  p. 76
6.12Solution #12: A method for IoT service layer security bootstrapping solution  p. 76
6.12.1Introduction  p. 76
6.12.2Solution description  p. 76
6.12.2.1Proposed architecture  p. 76
6.12.2.2Security boostrapping and key refreshing  p. 77
6.12.2.2.1Overview  p. 77
6.12.2.2.2Key agreement and boostrapping  p. 77
6.12.2.2.3Key refreshing  p. 80
6.12.3Solution evaluation  p. 81
7Conclusions  p. 82
7.1Issues identified  p. 82
7.2Solution evaluation summary  p. 82
7.3Recommendation for normative work  p. 86
A AKA procedures assessment in very low data throughput environment  p. 87
A.1Introduction  p. 87
A.2UMTS AKA  p. 87
A.3DTLS handshake for ECDHE-ECDSA configuration  p. 89
A.3.1DTLS handshake procedure measurement  p. 89
A.3.2TLS Record and Handshake message measurement  p. 91
A.4DTLS record header overhead description for ciphered data  p. 95
A.4.1DTLS record header measurement  p. 95
A.5TLS handshake session resumption  p. 96
A.5.1TLS handshake session resumption procedure measurement  p. 96
A.5.2TLS Record and Handshake message measurement  p. 96
A.6GBA bootstrapping procedure  p. 99
A.6.1Bootstrapping procedure description measurement  p. 99
A.6.2PSK-TLS procedure measurement in GBA case.  p. 101
B Review of security standardization efforts in other SDOs  p. 105
B.0Introduction  p. 105
B.1(D)TLS optimization efforts in IETF  p. 105
B.1.1Background  p. 105
B.1.2Existing and evolving TLS optimizations  p. 105
B.1.3Making the full handshake lighter  p. 106
B.1.4Resuming existing connection  p. 106
CProposed normative changes  p. 107
C.1Introduction  p. 107
C.2Proposed changes to 3GPP TS 33.401  p. 107
C.2.1Overview of changes  p. 107
C.3Proposed changes to 3GPP TS 43.020  p. 108
$Change History  p. 109

Up   Top