LTE security architecture defines the security mechanism for both NAS layer and AS layer. No HO related security is covered in this document.
LTE Security Distribution
- Carried out for NAS messages and belongs to the scope of UE and MME.
- In this case NAS message communication between UE and MME are Integrity protected and Ciphered with extra NAS security header.
- Carried out for RRC and user plane data and belongs to the scope of UE and eNB.
- PDCP layer in UE and eNB side is responsible for the ciphering and integrity protection.
- RRC messages are integrity protected and ciphered but U-Plane data is only ciphered.
Different Security algorithms (integrity/ciphering)
- “0000″ EIA0 Null Integrity Protection algorithm
- “0001″ 128-EIA1 SNOW 3G
- “0010″ 128-EIA2 AES
- “0000″ EEA0 Null ciphering algorithm
- “0001″ 128-EEA1 SNOW 3G based algorithm
- “0010″ 128-EEA2 AES based algorithm
Pre Shared Keys
- UE Security Key – Configured in operator’s DB in Authentication center and USIM.
- AMF - Configured in operator’s DB in Authentication center and USIM.
- OP – This is optional and configured in operator’s DB in Authentication center and USIM.
- SQN – It is the 4 Octet sequence no which should be refreshed each time NW tries to re authenticate the UE. It is generated as below.
- RAND – It is the random no generated through some random no generation algorithm.
SQN1-n = SEQ1-n || IND1-n
SEQ is the Prefix with value in the range of 27 bits (0-2^27) and IND is the index of 5 bits (0-31).
If 0 If IND=0, generate SEQ using random rules (ex – modular addition)
Ex- SQN is generated using modular addition
SQN 1 =SEQ || IND
SQN 2 =SEQ+ 1 || IND
SQN 3 =SEQ+ 2 || IND
SQN 4 =SEQ+ 3 || IND
SQN 5 =SEQ+ 4 || IND
Derived Authentication vectors
- IK – Is the integrity key generated with input (K, RAND)->f4->IK. It is generated at authentication center and USIM.
- CK – It is the ciphering key generated with input (K, RAND)->f3->CK. It is generated at authentication center and USIM.
- AK – It is the anonymity key generated with input (K, RAND)->f5->AK. It is generated only at authentication center.
- XRES – Expected response generated with input (K, RAND)->f2->XRES. It is generated only at authentication center. Corresponding parameter RES is generated at USIM.
- MAC - Message authentication code generated with input (K, SQN, RAND, AMF)->f1->MAC. It is generated only at authentication center. Corresponding parameter XMAC is generated at USIM.
- AUTN - authentication token generated with AUTN = SQN * AK || AMF || MAC. It is generated only at authentication center.
When MME receives Attach Request from an UE to get the initial access to the network, MME send the authentication data request to AuC/HSS. After derivation of RAND, XRES, CK, IK, AUTN Authentication center combines them in to authentication vector (AV = RAND || XRES || CK || IK || AUTN) and sends it to MME with authentication data response.
These keys are derived using the key derivation function (KDF) = HMAC-SHA-256 (Key, S) where
Key = Input key
Input string S = FC || P0 || L0 || P1 || L1 || P2 || L2 || P3 || L3 ||… || Pn || Ln
FC= function code
P0 = parameter 0
L0 = length of parameter 0
- KASME – To calculate KASME following steps are required.
- KeNB - To calculate KeNB following steps are required.
- Algorithm Key generation function – It covers the derivation of Knas-int, Knas-enc, Krrc-int, Krrc-enc, Kup-enc.
Key = CK||IK
S = FC(0×10) || SN Id || Length of SN id || SQN AK || length of SQN AK
KASME = HMAC-SHA-256 (Key, S)
Key = KASME
S = FC(0×11) || UL NAS Count || Length of UL NAS Count
KeNB = HMAC-SHA-256 (Key, S)
Key = KASME/Kenb (KASME is for Knas-int, Knas-enc and KeNB is for Krrc-int, Krrc-enc, Kup-enc)
S = FC(0×15) || algorithm type distinguisher || length of algorithm type distinguisher || algorithm identity || length of algorithm identity
Knas-int/Knas-enc/Krrc-int/Krrc-enc/Kup-enc = HMAC-SHA-256 (Key, S)
State diagram for Authentication and key generation
Note: The above diagram shows only the messages related to the security.
- Attach request from UE.
- MME requests for the authentication vectors related to that particular IMSI by sending Authentication Data Request.
- AuC/HSS fetches the Pre shred keys (PSK) against IMSI and calculates the authentication vectors from PSK.
- AuC/HSS sends back the AV with Authentication Data Response.
- MME retrieves IK, CK, XRES, RAND and AUTN from AV
- MME sends AUTN and RAND with Authentication Request to UE.
- UE authenticates the NW by checking AUTN received
- Then calculates IK, CK, RES, XMAC from UE Security key, AMF, (OP), AUTN and RAND as described above.
- It sends the RES along with Authentication response.
- After receiving RES MME compares it with XRES if it matches then authentication is successful else MME Sends the Authentication failure to UE.
- MME will reset the DL NAS count
- Calculate KASME, KeNB, Knas-int, Knas-enc as described above.
- Sends NAS Security mode command (integrity algo, ciphering algo, NAS key set ID, UE Security capability) with integrity protected but not ciphered, using Knas-inc.
- After receiving NAS Security Mode Command UE will calculate KASME, KeNB, Knas-int, Knas-enc as described above.
- UE will send the NAS Security mode complete with integrity protected and ciphered.
- After receiving NAS security mode command from UE, MME Sends the KeNB to eNB with S1AP Initial Context Setup Request (Security key)
- After getting keNB eNB will calculate Krrc-int, Krrc-enc, Kup-enc from that as described above.
- Then it will send RRC Security mode Command with AS integrity algo and AS ciphering algo.
- After receiving RRC security mode command UE will calculate Krrc-int, Krrc-enc, Kup-enc as described above.
- UE will send RRC security mode complete to eNB
After all the above steps All the NAS and AS messages will be integrity protected and ciphered except user data which will be only ciphered.
LTE Security is very well described in LTE Security book by Günther Horn, Dan Forsberg, Wolf-Dietrich Moeller and Valtteri Niemi. This is a handy book with all the details related to security aspects of LTE.
Post your questions and suggestions in the comments section below for a healthy discussion on LTE Security.