Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 33.821  Word version:  9.0.0

Top   Top   Up   Prev   Next
0…   4…   6…   8…
6 User Plane Security7 Control Plane Security

 

6  User Plane Securityp. 33

6.1  Consequences of (not) applying user plane integrity protectionp. 33

6.2  Track of Decisionp. 35

7  Control Plane Securityp. 35

7.1  MAC, RLC and RRC layer securityp. 35

7.1.1  Conclusionsp. 36

7.2  SAE/LTE AKAp. 36

7.2.1  Requirements on SAE/LTE AKAp. 36

7.2.1.1  Generalp. 36

7.2.1.2  Non-3GPP accessp. 37

7.2.1.3  LTE accessp. 37

7.2.1.4  3GPP non-LTE accessp. 38

7.2.1.5  UE Attach in LTEp. 38

7.2.2  Comparison of UMTS AKA or EAP AKAp. 38

7.2.2.1  High level itemsp. 38

7.2.2.2  Particular EAP featuresp. 40

7.2.2.3  Detailed impacts (outstanding standardization work)p. 42

7.2.2.4  Analysis overviewp. 43

7.2.3  RAND and 256-bit keys in E-UTRANp. 44

7.2.4  Migration path to enable 256-EPS AKAp. 46

7.2.4.1  Track of decisionp. 47

7.3  Security set-up procedurep. 47

7.3.1  Security Mode Commandp. 47

7.3.1.1  Separated Modep. 47

7.3.1.2  Combined Modep. 47

7.3.2  Alternative not using Security Mode Command (SMC)p. 49

7.3.2.1  Validity of the security associationp. 49

7.3.2.2  Start of Encryption and the Encryption of NAS message contentsp. 49

7.3.3  Establishment of a security contextp. 49

7.4  Key handlingp. 51

7.4.1  UMTS AKAp. 51

7.4.2  Serving Network Authentication for LTEp. 51

7.4.2.1  Introductionp. 51

7.4.2.2  Threatsp. 52

7.4.2.3  Countermeasuresp. 53

7.4.2.4  Conclusionsp. 54

7.4.3  Key derivationp. 55

7.4.3.1  Key generation during initial accessp. 55

7.4.3.2  Key distribution during handover in inter-RATp. 56

7.4.4  Key management aspects for LTE/UMTS interworkingp. 56

7.4.5Void

7.4.6  Key identities in LTE/SAEp. 57

7.4.7  Hierarchy of user-related keys in SAE/LTEp. 59

7.4.7.1  Generalp. 59

7.4.7.2  Proposed hierarchy of user-related keys in SAE/LTEp. 59

7.4.7.3  Justification of proposed key hierarchyp. 61

7.4.7.3.1  Binding of a context to a key:p. 61
7.4.7.3.2  Top-level key in the systemp. 61
7.4.7.3.3  Binding CK, IK to SAEp. 61
7.4.7.3.4  Binding top-level key for access network to PLMN and RATp. 63
7.4.7.3.5  Binding keys to traffic type in LTEp. 63
7.4.7.3.6  Binding keys to cryptographic algorithms in LTEp. 64
7.4.7.3.7  Binding keys to identities of eNBs in LTEp. 64
7.4.7.3.8  Binding keys to temporary identities of the UEp. 64

7.4.7.4  Storage of KASMEp. 64

7.4.8  Use of AMF for SAE bindingp. 66

7.4.8.1  Backgroundp. 66

7.4.8.2  SAE binding with AMFp. 67

7.4.9  Key handling on active to idle and idle to active transitions in SAEp. 68

7.4.9.1  Generalp. 68

7.4.9.2  Idle to active transitionp. 68

7.4.9.3  Active to idle transitionp. 68

7.4.10  Key handling on mobility within an SAE/LTE network and between two different SAE/LTE networksp. 69

7.4.11  K_eNB refresh at state transitionsp. 69

7.4.12  Key handling on idle mode mobilityp. 70

7.4.12.1  Within one SAE/LTE networkp. 70

7.4.12.2  Between different SAE/LTE networksp. 71

7.4.12.3  Proposed procedurep. 71

7.4.12.4  Key handling on idle mode mobility from UTRAN to E-UTRANp. 72

7.4.12.5  Integrity protection of Attach and TAU messagep. 73

7.4.13  Key handling on active mode mobilityp. 75

7.4.13.1  Overview on alternatives for key handling on handoverp. 75

7.4.13.2  Key handling on handover within one SAE/LTE networkp. 76

7.4.13.2.1  The necessity of forward security for KeNB derivationp. 76
7.4.13.2.2  AS key Handling Propertiesp. 77
7.4.13.2.3  Key refresh on Intra eNB handoverp. 78
7.4.13.2.4  Key refresh on Inter eNB, intra MME handoverp. 78
7.4.13.2.5  Key refresh on Inter MME handoverp. 80

7.4.13.3  Alternatives for key handling on handover between different SAE/LTE networksp. 84

7.4.13.4  Summary of evaluation of alternativesp. 84

7.4.13.5  Key handling on handover from UTRAN to E-UTRANp. 84

7.4.14  Security algorithm negotiation and Security mode command in SAE/LTE networksp. 88

7.4.14.1  Generalp. 88

7.4.14.2  Background: algorithm selection in UMTSp. 88

7.4.14.3  Requirements for algorithm selection in SAE/LTEp. 88

7.4.14.4  Alternatives for security mode command and algorithm selection in SAE/LTEp. 89

7.4.14.4.1  Security mode command and algorithm selection at initial attachment or in transitions to active modep. 89
7.4.14.4.2  Security mode command and algorithm selection on idle mode mobilityp. 95
7.4.14.4.3  Security mode command and algorithms selection on handoverp. 95
7.4.14.4.4  Algorithms selection on handover to and from 2G/3Gp. 96

7.4.15  Key-change-on-the-flyp. 97

7.4.15.1  Serving network operator restricts the KASME lifetimep. 97

7.4.15.2  Serving network operator restricts the ECM-CONNECTED lifetimep. 97

7.4.15.3  NAS COUNT reaches maximump. 97

7.4.15.4  After Inter-RAT handover from UTRAN/GERAN to LTEp. 97

7.4.15.5  Intra LTE Inter-operator Handoverp. 98

7.4.15.6  KeNB sequence numbers are about to wrap around.p. 98

7.4.16  Independence of keys at different eNodeBsp. 99

7.5  START value transferp. 99

7.5.1  Why does START value have to transfer from UE to CNp. 99

7.5.2  How does START transfer from UE to CNp. 99

7.5.3  How many START value should be usedp. 100

7.6  Security algorithmsp. 100

7.6.1  Choice of algorithmsp. 100

7.6.2  Terminal supportp. 101

7.6.3  Network supportp. 101

7.6.4  Algorithm inputp. 101

7.6.4.1  Input parameters to RRC signalling ciphering algorithmp. 101

7.6.4.2  Input parameters to NAS signalling ciphering algorithmp. 102

7.6.4.3  Input parameters to UP ciphering algorithmp. 103

7.6.4.4  Input parameters to RRC signalling Integrity algorithmp. 104

7.6.4.5  Input parameters to NAS signalling Integrity algorithmp. 104

7.6.5  Algorithm IDs in EPSp. 105

7.6.6  KDF negotiationp. 106

7.6.6.1  Overview on the use of KDF functions for EPSp. 106

7.6.6.2  Effects on the security of overview of the use of KDF functionsp. 106

7.6.6.2.1  Can a KDF be broken ?p. 106
7.6.6.2.2  What is the impact if the KDF is broken?p. 107

7.6.6.3  Possible solutions for KDF negotiation and their requirementsp. 107

7.6.6.3.1  (A) One common KDF is negotiated by MME and UEp. 108
7.6.6.3.2  (B) eNB-KDF, MME-KDF, HSS-KDF are negotiated by MME and UEp. 108
7.6.6.3.3  (C) eNB, MME and HSS respectively negotiates an appropriate KDF with UEp. 108
7.6.6.3.3.1  eNB-KDF and MME-KDF negotiationp. 108
7.6.6.3.3.2  HSS-KDF negotiation Alternative 1p. 109
7.6.6.3.3.3  HSS-KDF negotiation Alternative 2p. 109
7.6.6.3.4  (D) eNB-KDF and MME-KDF are negotiated by MME and UE, HSS-KDF is negotiated by HSS and UEp. 110
7.6.6.3.5  (E) KDF negotiation between UE and eNB & MME could be implicitp. 111

7.6.6.4  Attacks on KDF negotiation solutions and requirements for secure solutions.p. 111

7.6.6.4.1  Requirements and resistance to bidding down attacks.p. 111
7.6.6.4.2  Resistance to bidding down attacks for HSS-KDF negotiation solutionsp. 111

7.6.6.5  Summary and decision made for Rel-8p. 112

7.7  Rationale for approach to security handling in inter-RAT mobility proceduresp. 112

7.7.1  Idle mode mobility from utran to e-utran using mapped contextp. 112

7.7.2  Idle mode mobility from utran to e-utran using cached contextp. 113

7.7.3  Handover from utran to e-utran using mapped contextp. 113

7.7.4  TAU after handover from UTRAN to E-UTRAN using cached contextp. 114

7.8  Track of decisionp. 114

7.8.1  MAC, RLC, and RRC layer securityp. 114

7.8.2  LTE AKA requirementsp. 115

7.8.3  NAS level signalling securityp. 115

7.8.4  Key handlingp. 116

7.8.5  Security proceduresp. 116

7.8.6  Security Algorithmsp. 117

Up   Top   ToC