3GPP SA3 status - PowerPoint PPT Presentation

Slides: 23
Provided by: itu
1
3GPP SA3 status
ITU-T security workshop, Geneva, Switzerland, 9-10 February 2009
  • Valtteri Niemi, SA3 Chairman
  • Nokia Research Center
  • Lausanne, Switzerland

2
Outline
  • Some history and background
  • SAE/LTE security some highlights
  • Home (e)NodeB security
  • Other work items

3
Some history and background
4
Some history (1/2)
  • For 3GPP Release 99 (frozen 2000), WG SA3 created 19 new specifications, e.g.
      • TS 33.102 "3G security; Security architecture"
  • 5 specifications (out of these 19) originated by ETSI SAGE, e.g.
      • TS 35.202 "KASUMI specification"
  • For Release 4 (frozen 2001), SA3 was kept busy with GERAN security while ETSI SAGE again originated 5 new specifications, e.g.
      • TS 35.205-208 for the MILENAGE algorithm set
  • Release 5 (frozen 2002): SA3 added 3 new specifications, e.g.
      • TS 33.203 "IMS security"
      • TS 33.210 "Network domain security; IP layer"

5
Some history (2/2)
  • Release 6 (frozen 2005): SA3 added 17 new specifications, e.g.
      • TS 33.246 "Security of MBMS"
      • TS 33.220-222 "Generic Authentication Architecture"
  • Release 7 (frozen 2007): SA3 added 13 new specifications
      • ETSI SAGE created 5 specifications for UEA2 and UIA2 (incl. the SNOW 3G spec) (TS 35.215-218, TR 35.919)
  • Release 8 (frozen 2008): SA3 has added 5 new specifications, e.g.
      • TS 33.401 "SAE Security architecture"
      • TS 33.402 "SAE Security with non-3GPP accesses"
      • (1-2 more TRs may still be included in Rel-8)

6
SAE/LTE security (Rel-8): some highlights
7
SAE/LTE: what and why?
  • SAE = System Architecture Evolution
  • LTE = Long Term Evolution (of radio networks)
  • LTE offers higher data rates, up to 100 Mb/sec
  • SAE offers an optimized (flat) IP-based architecture
  • Technical terms
      • E-UTRAN = Evolved UTRAN (LTE radio network)
      • EPC = Evolved Packet Core (SAE core network)
      • EPS = Evolved Packet System (RAN + EPC)

8
Implications on security
  • Flat architecture
      • All radio access protocols terminate in one node: the eNB
      • IP protocols are also visible in the eNB
  • Security implications due to
      • Architectural design decisions
      • Interworking with legacy and non-3GPP networks
      • Allowing eNB placement in untrusted locations
      • New business environments with less trusted networks involved
      • Trying to keep security breaches as local as possible
  • As a result (when compared to UTRAN/GERAN)
      • Extended Authentication and Key Agreement
      • More complex key hierarchy
      • More complex interworking security
      • Additional security for eNB (compared to NB/BTS/RNC)

9
Home (e)NodeB security
10
Home (e)NB architecture
  • (Figure from draft TR 33.820)
  • One of the key concepts: Closed Subscriber Group

11
Threats
  • Compromise of HeNB credentials
      • e.g. cloning of credentials
  • Physical attacks on HeNB
      • e.g. physical tampering
  • Configuration attacks on HeNB
      • e.g. fraudulent software updates
  • Protocol attacks on HeNB
      • e.g. man-in-the-middle attacks
  • Attacks against the core network
      • e.g. denial of service
  • Attacks against user data and identity privacy
      • e.g. by eavesdropping
  • Attacks against radio resources and management

12
Other features in past releases of 3GPP
13
IMS (SIP) security (Rel-5)
(Figure: IMS security architecture, with labels "authentication & key agreement", "network domain security", "security mechanism agreement", "integrity protection" and "R99 access security")
14
Release 6 highlights
15
WLAN interworking in 3GPP
  • A WLAN access zone can be connected to the cellular core network
  • Shared subscriber database, charging and authentication (WLAN Direct IP Access)
  • Shared services (WLAN 3GPP IP Access)
  • Service continuity is the next step

16
MBMS Security Architecture (node layout)
(Figure: node layout showing Content Servers, the Mobile Operator Network with BM-SC, BSF and BGW, and the Internet)
  • BM-SC can reside in the home or the visited network
17
Generic Authentication Architecture (GAA)
  • GAA consists of three parts (Rel-6):
      • TS 33.220 "Generic Bootstrapping Architecture (GBA)" offers a generic authentication capability for various applications based on a shared secret. Subscriber authentication in GBA is based on HTTP Digest AKA (RFC 3310).
      • TS 33.221 "Support of subscriber certificates": a PKI Portal issues subscriber certificates for UEs and delivers operator CA certificates. The issuing procedure is secured using shared keys from GBA.
      • TS 33.222 "Access to Network Application Function using HTTPS" is also based on GBA.

Figure from 3GPP TR 33.919
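To make the HTTP Digest AKA basis of GBA bootstrapping concrete, here is an added Python example (not from the presentation or from 3GPP) of one challenge/response round-trip between a BSF and a UE: RAND and AUTN ride inside the Digest nonce and the AKA RES serves as the Digest password, as RFC 3310 specifies. The RAND/AUTN/RES values, the IMPI and the realm are constructed, and the USIM's MILENAGE computation is replaced by a table lookup.

```python
import base64
import hashlib

# Constructed sample values (not from the slides): the 128-bit RAND and AUTN
# of an AKA challenge, and the RES the USIM would derive from them. No
# MILENAGE is run here; the USIM computation is replaced by a lookup.
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTN = bytes.fromhex("ffeeddccbbaa99887766554433221100")
XRES = bytes.fromhex("0123456789abcdef")             # what the BSF expects
USIM_RESULTS = {(RAND, AUTN): XRES}                  # stand-in for the USIM
IMPI, REALM = "user@example.com", "bsf.example.com"  # assumed identifiers


def build_aka_nonce(rand: bytes, autn: bytes, server_data: bytes = b"") -> str:
    """BSF side, RFC 3310 s.3.2: nonce = base64(RAND || AUTN || server data)."""
    return base64.b64encode(rand + autn + server_data).decode("ascii")


def parse_aka_nonce(nonce: str) -> tuple:
    """UE side: recover the 16-byte RAND and AUTN carried in the nonce."""
    raw = base64.b64decode(nonce)
    if len(raw) < 32:
        raise ValueError("nonce too short to carry RAND and AUTN")
    return raw[:16], raw[16:32]


def digest_aka_response(username, realm, res, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response with the binary AKA RES as password (RFC 3310 s.3.3)."""
    md5 = lambda data: hashlib.md5(data).hexdigest()
    ha1 = md5(username.encode() + b":" + realm.encode() + b":" + res)
    ha2 = md5(f"{method}:{uri}".encode())
    return md5(":".join([ha1, nonce, nc, cnonce, qop, ha2]).encode())


def run_bootstrapping(res_override=None) -> bool:
    """One GBA bootstrapping round-trip: BSF challenge, UE answer, BSF check."""
    nonce = build_aka_nonce(RAND, AUTN)                  # sent in the 401 challenge
    rand, autn = parse_aka_nonce(nonce)                  # UE extracts RAND/AUTN
    res = res_override or USIM_RESULTS[(rand, autn)]     # USIM computes RES
    nc, cnonce, uri = "00000001", "deadbeef", "/"        # constructed Digest params
    answer = digest_aka_response(IMPI, REALM, res, "GET", uri, nonce, nc, cnonce)
    # The BSF holds XRES from the authentication vector and recomputes the response.
    expected = digest_aka_response(IMPI, REALM, XRES, "GET", uri, nonce, nc, cnonce)
    return answer == expected
```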
18
Release 7 & 8 highlights
19
Release 7 & 8 security enhancements
  • Key establishment for a secure UICC-terminal channel (TS 33.110)
      • Applies, e.g., to the secure UICC-terminal channel specified by ETSI SCP
      • Built on top of GBA
  • Key establishment between a UICC hosting device and a remote device (TS 33.259)
  • Liberty-3GPP security interworking
  • GBA push (TS 33.223, Rel-8)
      • Applies to several OMA-specified features (e.g. BCAST)
  • Network domain security: Authentication Framework (TS 33.310) enhanced for TLS support
  • Withdrawal of the A5/2 algorithm

20
Work in progress: Rel-9
21
Rel-9 work items
  • SAE/LTE emergency call security
  • Media security
      • End-to-end and end-to-middle protection of media independently of access technology
  • Protection against unsolicited communications in IMS
  • Remote management of USIM/ISIM for machine-to-machine communications
  • Security of the Earthquake and Tsunami Warning System

22
  • For more information: www.3gpp.org