Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 33.926  Word version:  17.6.0

Top   Top   Up   Prev   Next
1…   4…   5…   6…   A…   B…   C…   D…   E…   F…   G…   H…   I…   J…   K…   L…   M…   O…   P…

 

A  Aspects specific to the network product class MMEp. 30

A.1  Network product class description for the MMEp. 30

A.1.1  Introductionp. 30

The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class.

A.1.2  Minimum set of functions defining the MME network product classp. 30

According to TR 33.916, a network product class is a class of products that all implement a common set of 3GPP-defined functionalities. Therefore, in order to define the MME network product class it is necessary to define the common set of 3GPP-defined functionalities that is constitutive for an MME. As part of the MME network product, it is expected that the MME contains MME application, a set of running processes (typically more than one) executing the software package for the MME functions and OAM functions that are specific to the MME network product model. Functionalities specific to the MME network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.116.
Up

A.2  Assets and threats specific to the MMEp. 30

A.2.1  Critical assetsp. 30

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the MME to be protected are:
  • MME Application;
  • Mobility Management data: e.g. subscriber's identities (e.g. IMSI), subscriber keys (I.e. KNASenc, KNASint, NH), authentication parameters, address of serving eNB, APN name, data related to mobility management like UE status, UE's IP address, etc., session management like PDN type, QoS and so on, or node selection and routing selection, e.g. IP address of UE related S/P-GW, selected routing connection based on UE's identity, etc.
  • The interfaces of MME to be protected and which are within SECAM scope: for example
    • Console interface, for local access: local interface on MME
    • OAM interface, for remote access: interface between MME and OAM system
  • MME Software: binary code or executable code
Up

A.2.2  Threats related to AKA proceduresp. 31

A.2.2.1  Access to 2Gp. 31

  • Threat name: Access to 2G
  • Threat Category: Tampering of Data, Repudiation, Information Disclosure, Denial of Service
  • Threat Description: If access to 2G is allowed, an attacker can force the system into 2G mode and use smaller key size, weaker algorithm, etc. to make the system easily attacked and/or compromised.
  • Threatened Asset: User account data and credentials

A.2.2.2  Resynchronizationp. 31

  • Threat name: Resynchronization
  • Threat Reference: Denial of Service
  • Threat Description: If RAND and AUTS are not included when synchronization fails, the resynchronization procedure does not work correctly. This can result in waste of system resources and deny a legitimate user access to the system.
  • Threatened Asset: Sufficient Processing Capacity

A.2.2.3  Failed Integrity check of Attach messagep. 31

  • Threat name: Failed integrity check of Attach message
  • Threat Category: Denial of Service
  • Threat Description: If integrity check of attach message fails, a user identity cannot be verified. This can result in waste of system resources and deny a legitimate user access to the system.
  • Threatened Asset: Sufficient Processing Capacity

A.2.2.4  Forwarding EPS authentication data to SGSNp. 31

  • Threat name: Forwarding EPS authentication data to SGSN
  • Threat Category: Denial of Service
  • Threat Description: If EPS authentication data is forwarded to SGSN, the SGSN is not expecting the data and does not know how to handle this data. This can cause processing error on the SGSN and negatively impact system performance.
  • Threatened Asset: Sufficient Processing Capacity

A.2.2.5  Forwarding unused EPS authentication data between different security domainsp. 31

  • Threat name: Forwarding unused EPS authentication data between different security domains
  • Threat Category: Denial of Service
  • Threat Description: If unused EPS authentication data is forwarded between security domains, system resources will be wasted thus requiring HSS to regenerate new EPS authentication data. This can result in waste of system resources for the receiving system to store the data as well as wasting resources in sending the data.
  • Threatened Asset: Sufficient Processing Capacity
Up

A.2.3  Threats related to security mode command procedurep. 32

A.2.3.1  Bidding Downp. 32

  • Threat name: Bidding down
  • Threat Category: Tampering of Data, Information Disclosure, Denial of Service
  • Threat Description: If SMC does not include replayed UE security capabilities of the UE, the UE can force the system to reduce the security level by using weaker security algorithms or turning security off, making the system easily attacked and/or compromised.
  • Threatened Asset: User account data and credentials
Up

A.2.3.2  NAS integrity selection and usep. 32

  • Threat name: NAS integrity selection and use
  • Threat Category: Tampering of data, Information Disclosure, Denial of Service
  • Threat Description: If NAS does not use the highest priority algorithm to protect SMC, SMC risks being exposed and/or modified. This can cause the system to turn off security, making the system easily attacked and/or compromised.
  • Threatened Asset: Sufficient Processing Capacity
Up

A.2.3.3  NAS NULL integrity protectionp. 32

  • Threat name: NAS NULL integrity protection
  • Threat Category: Elevation of Privilege
  • Threat Description: If NAS NULL integrity protection is not used correctly, an attacker can initiated unauthenticated non-emergency calls.
  • Threatened Asset: Sufficient Processing Capacity

A.2.3.4  NAS confidentiality protectionp. 32

  • Threat name: NAS confidentiality protection
  • Threat Category: Tampering of Data, Information Disclosure, Denial of Service
  • Threat Description: If security mode complete message is not confidentiality protected, the MME cannot be certain that the SMC is executed correctly. This can result in waste of system resources and deny a legitimate user access to the system.
  • Threatened Asset: Sufficient Processing Capacity
Up

A.2.4  Threats related to security in Intra-RAT mobilityp. 32

A.2.4.1  Bidding down on X2-Handoverp. 32

  • Threat name: Bidding down on X2-Handover
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: If MME cannot verify EPS security capabilities received from eNB are the same as the UE security capabilities that the MME has stored, the UE may force the system to accept a weaker security algorithm than the system is allowed forcing the system into a lowered security level making the system easily attacked and/or compromised.
  • Threatened Asset: User account data and credentials
Up

A.2.4.2  NAS integrity protection algorithm selection in MME changep. 33

  • Threat name: NAS integrity protection algorithm selection in MME change
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: If the highest priority NAS integrity protection is not able to be selected by the new MME in MME change, the new MME could end up using a weaker algorithm forcing the system into a lowered security level making the system easily attacked and/or compromised.
  • Threatened Asset: User account data and credential
Up

A.2.5  Threats related to security in Inter-RAT mobilityp. 33

A.2.5.1  2G SIM access via idle mode mobilityp. 33

  • Threat name: 2G SIM access via idle mode mobility
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: If access to 2G is allowed during idle mode mobility, an attacker can force the system into 2G mode and use smaller key size, weaker algorithm, etc. to make the system easily attacked and/or compromised. The attacker can also illegally obtain LTE service via 2G SIM
  • Threatened Asset: User account data and credentials
Up

A.2.5.2  2G SIM access via handoverp. 33

  • Threat name: 2G SIM access via handover
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: If access to 2G is allowed during handover, an attacker can force the system into 2G mode and use smaller key size, weaker algorithm, etc. to make the system easily attacked and/or compromised. The attacker can also illegally obtain LTE service via 2G SIM.
  • Threatened Asset: User account data and credentials
Up

A.2.5.3  2G SIM access via SRVCCp. 33

  • Threat name: 2G SIM access via handover
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: If access to 2G is allowed during SRVCC, an attacker can force the system into 2G mode and use smaller key size, weaker algorithm, etc. to make the system easily attacked and/or compromised. The attacker can also illegally obtain LTE service via 2G SIM.
  • Threatened Asset: User account data and credential
Up

A.2.6  Threats related to release of non-emergency bearerp. 34

  • Threat name: Release of non-emergency bearer.
  • Threat Category: Denial of Service.
  • Threat Description: If authentication fails in the MME and the non-emergency bearer is not released, the UE can continue receiving unauthorized call, wasting valuable system resources.
  • Threatened Asset: Sufficient Processing Capacity.

Up   Top   ToC