移动网络安全LTE安全标准与协议.ppt

2019/5/22,1,移动 网络安全标准与协议,2019/5/22,2,主要内容,EPS 安全综述 EPS AKA与S.M.C过程 EPS MM程与HO过程中的安全 EPS KDF EPS EEA1/2/3与EIA/1/2/3算法,2019/5/22,3,安全系统的两大基本问题,密钥的管理与安全算法的管理独立进行,安全密钥的管理,安全算法的管理,产生,传递,更新,存贮,新鲜性,AKA HO,加密算法的选择,完整性算法选择,算法的更新,算法的存贮,新鲜性,SMC 及 HO,2019/5/22,4,EPS 安全目标,双向认证 防止中间人攻击 网络将UE的安全能力通过I.P.方式传递给UE，UE检验是否受到修改。 多安全算法 安全隔离 足够强度的密钥长度 目前定义为128位，但可容易更新到256位。 向下兼容，但要有更高的安全强度 支持USIM卡，但不支持SIM卡 保持Key的新鲜性 COUNT不允许反转 两套安全上下文以支持ISR USIM与ME同时支持两套安全上下文,2019/5/22,5,EPS的最新特性：安全隔离,保证非安全的影响最小化，当一个局部出现不安全时，不影响其它部分的安全性 不同算法之间的安全隔离 多安全算法，当一个算法不安全时，启用另一个安全算法。 不同的PLMN之间安全隔离 Kasme的计算需要PLMN-Id 当PLMN发生改变，所有的Key及AV全部更新 不同的MME之间的安全隔离 当MME发生改变时，NAS S.C.可更新 不同的ENB之间的安全隔离 当ENB发生改变时，AS S.C.全部更新 不同的S.C.的安全隔离 在LTE内，当一个S.C.成为Current，原来的Current S.C.就删除，不再使用。 在LTE内，当创建一个新的S.C.则覆盖Non-Current S.C. 当UE从GERAN/UTRAN切换到LTE后，一进入Idle或Detach，则旧RAT的S.C.删除。 所有Key的计算都是单向函数 当一个Key被破解了，其父Key不位被破解。,2019/5/22,6,LTE/EPS加密与完整性保护,NAS,RRC,UE,ENB,S-GW,MME,加密与完整性保护,加密与完整性保护,加密或不加密，没有完整性保护,NDS/IP (TS33.210),用户平面,2019/5/22,7,LTE/EPS加密与完整性保护,NAS的加密（可选） KNASCenc：NAS Ciphering Algorithm NAS的完整性保护 KNASint：NAS Integrate Protection Algorithm RRC的加密（可选） KRRCenc：RRC Ciphering Algorithm RRRC的完整性保护 KRRCint：RRC Integrate Protection Algorithm UP的加密（可选） KUPenc：UP(=RRC) Ciphering Algorithm,2019/5/22,8,2019/5/22,9,ME及USIM卡的能力,E-UTRAN不能使用，因此不能接入到LTE系统中，也就是2G的SIM卡不能用于LTE的UE中。 只可实现GERAN与UTRAN之间的移动性 E-UTRAN可以使用，因此可实现GERAN、UTRAN与E-UTRAN之间的移动性 E-UTRAN可以使用，因此可实现GERAN、UTRAN与E-UTRAN之间的移动性,SIM,ME,GERAN,UTRAN,E-UTRAN,USIM,ME,GERAN,UTRAN,E-UTRAN,E-USIM,ME,GERAN,UTRAN,E-UTRAN,EMM S.C.,能够存放EMM S.C.的USIM为E-USIM,2019/5/22,10,USIM,ME及EPS S.C.,USIM产生的CK,IK传递给ME，ME产生EPS S.C.（如Kasme等） ME产生的EPS S.C.是在Votile Memeory中，进入Detach时，将Kasme, Knasenc, Knasint, NAS Count, eKSI写入到ME中的Non-Votile Memeory中。 USIM产生的CK,IK传递给ME，ME产生EPS S.C.（如Kasme等） ME产生的EPS S.C.是在Votile Memeory中，进入Detach时，将Kasme, Knasenc, Knasint, NAS Count, eKSI写入到E-USIM中的Non-Votile Memeory中。,USIM,ME,CK,IK,E-USIM,ME,EMM S.C.,EPS S.C.,CK,IK,EPS S.C.,2019/5/22,11,删除ME中存储的EPS S.C.,(E-)USIM,ME,EPS S.C.,当ME中有EPS S.C.，当下面的情形出现时，则ME中的EPS S.C.与卡中的数据均出现冲突。 开机状态下：卡被拨出， 关机状态下：换上另一张（E-）USIM卡时， 关机状态下：卡被拨出 为了解决上面的三个问题，就直接(在开机后）删除ME中存储的EPS S.C.,开机状态下卡被拨出,关机状态下USIM卡被换成另一个卡,关机状态下卡被拨出,2019/5/22,12,USIM,ME及S.C.及IRAT移动性,GERAN/UTRAN的3G S.C.与EPS S.C.是相互独立的。即使将一个映射到另一个时，就成为另外一个类型，而原来的类型不变，即两者还是独立的。 当UE从LTE进入（HO或Idle的RAU）到GERAN/UTRAN后，SGSN执行UMTS AKA后，会出现两个S.C.，一个用于GERAN/UTRAN，而另一个用于EPS，这两个S.C.是独立的。 若SGSN不执行UMTS AKA，则SGSN一直使用从EPS S.C.映射过来的3G S.C.，并且将此映射的3G S.C.替代所有的原来SGSN及UE上的3G S.C. 然后，当UE从GERAN/UTRAN通过HO到LTE后，UE使用的是从3G S.C.映射过来的Mapped EPS S.C.； 若前面SGSN没有执行UMTS AKA，则UE将原来的EPS S.C. 映射为Mapped 3G S.C.,此时使用的Mapped EPS S.C.是在此Mapped 3G S.C.的再次映射，而此时最初的EPS S.C.还是有效的但是进入了Non-Current状态。 若此后，UE进入Idle状态后，再次进入连接状态，则使用原来的EPS S.C. 2次Mapped的EPS S.C.被删除（但Mapped 3G S.C.还是不作任何的变化） 若UE从GERAN/UTRAN通过Idle的TAU进入到LTE，则UE使用EPS S.C.，而3G S.C.（包括（E-）USIM中的CK,IK）不作任何的变化。,USIM,ME,E-USIM,ME,EMM S.C.,EPS S.C.,3G S.C.,CK,IK,KSI,3G S.C.,CK,IK,KSI,EPS S.C.,2019/5/22,13,Type of EPS Security Context,Security Context,Full native SC,Partial Native SC,没有确定NAS完整保护算法及加密算法,Mapped SC,C,NC,NC,C,2019/5/22,14,Security Context,Security Context,EPS NAS Security Context,EPS AS Security Context,AS keys & ID,NH,NCC,the identifiers of the selected AS cryptographic algorithms & counters used for replay protection,KASME,KSIasme,UE security capabilities,UL&DL NAS COUNT,Knas-int&Knas-enc& identifiers of the selected NAS integrity& encryption algorithms.,Full EPS,2019/5/22,15,EPS S.C.状态的转移,在EPS中，最多只能有一个Current及一个Non-Current EPS S.C. 当AKA产生一个Non-Current EPS S.C.时，若存在其它Non-Current，则覆盖之前的。 通过NAS S.M.C.将一个Non-Current的EPS S.C.激活为Current时，新激活的EPS S.C.覆盖之前的Current EPS S.C.(可能是Native，也可能是Mapped)。 但是当UE从GERAN/UTRAN切换到E-UTRAN时，UMTS S.C.是映射到EPS S.C.并自动成为Current EPS (mapped) S.C.，同时原来LTE中的Current EPS native S.C. 就自动地变为Non-Current，并覆盖原来的Non-Current。这是一个很大的不同的。,AKA,NAS SMC,从GERAN/ UTRAN切换到LTE,从GERAN/UTRAN切换到LTE,2019/5/22,16,EPS UE与EMM S.C.,当UE关机或进入DEREGISTER状态时，EMM S.C.只能放入到ME中的Non-Votile Memeory中。 当UE开机时，使用ME中的EMM S.C. 当UE关机或进入DEREGISTER状态时，ME中的EMM S.C.必须存放到USIM中的Non-Votile Memeory中并标识有效，还标识ME中的S.C.无效（相当于删除）。 当UE开机时，使用USIM中的EMM S.C.（如果标识为有效）.,UMTS USIM,E-UTRAN ME,E-UTRAN USIM,E-UTRAN ME,EMM S.C.,EMM S.C.,EMM S.C.,2019/5/22,17,Current EPS S.C.的选择与激活,If the MME receives a TAU Request or Attach Request protected with a non-current full EPS security context, then this context becomes the current EPS security context and the MME shall delete any existing current EPS security context. After a successful run of a NAS SMC relating to the eKSI associated with an EPS security context, this context becomes the current EPS security context and shall overwrite any existing current EPS security context.,2019/5/22,18,S.C.的类型与状态的关系,2019/5/22,19,Storage S.C. in the UE during power-off,2019/5/22,20,主要内容,EPS 安全综述 EPS AKA与S.M.C过程 EPS MM程与HO过程中的安全 EPS KDF EPS EEA1/2/3与EIA/1/2/3算法,2019/5/22,21,EPS Authentication and Key Agreemen,2019/5/22,22,EPS AKA,If the keys CK, IK resulting from an EPS AKA run were stored in the fields already available on the USIM for storing keys CK and IK this could lead to overwriting keys resulting from an earlier run of UMTS AKA. This would lead to problems when EPS security context and UMTS security context were held simultaneously (as is the case when security context is stored e.g. for the purposes of Idle Mode Signaling Reduction). Therefore, “plastic roaming“ where a UICC is inserted into another ME will necessitate an EPS AKA authentication run if the USIM does not support EMM parameters storage. 也就是说，在EPS AKA过程中产生的CK,IK不能存贮于USIM中存贮UMTS AKA产生的CK,IK的地方。USIM应当为EPS AKA的CK,IK使用独立的Files。若USIM不支持EMM File，则EPS CK,IK必须存贮在ME中。这就说明，当USIM不支持EMM Files，当USIM卡换ME时，则必须要执行EPS AKA过程。,2019/5/22,23,EPS-Authentication Vector,说明Kasme不是由MME产生的，而是由HE直接产生的,EPS AV (4),RAND,UMTS AV (5),GERAN AV(3),XRES,AUTN,Kasme,CK,IK,Kc,2019/5/22,24,EPS user authentication (EPS AKA),2019/5/22,25,UMTS HSS,AMF,RAND,SQN,K,f1,f2,f3,f4,f5,MAC,XRES,CK,IK,AK,AMF,SQN,SQN(+)AK,AMF,MAC,MAC,认证向量五元组,认证令牌,认 证 算 法,认证配置,RAND,AUTN,HSS,2019/5/22,26,UMTS UE,RAND,K,f1,f2,f3,f4,f5,XMAC,RES,CK,IK,SQN(+)AK,双向认证,认证令牌及随机数,AMF,MAC,SQN,AK,认 证 算 法,MAC,USIM,ME,ME,2019/5/22,27,EPS HSS,AMF,RAND,SQN,K,f1,f2,f3,f4,f5,MAC,XRES,CK,IK,AK,AMF,SQN,SQN(+)AK,AMF,MAC,MAC,认证向量四元组,认证令牌,认 证 算 法,认证配置,RAND,AUTN,SN-Id,Kasme,HSS,2019/5/22,28,EPS UE,RAND,K,f1,f2,f3,f4,f5,XMAC,RES,CK,IK,SQN(+)AK,双向认证,认证令牌及随机数,AMF,MAC,SQN,AK,认 证 算 法,MAC,USIM,SN-Id,Kasme,ME,ME,2019/5/22,29,Different serving network domains,MME,MME,SGSN,An SGSN may forward unused UMTS authentication vectors to an MME,UMTS AVs which were previously stored in the MME may be forwarded back towards the same SGSN. UMTS AVs which were previously stored in the MME shall not be forwarded towards other SGSNs. EPS authentication vectors shall not be forwarded from an MME towards an SGSN.,Unused EPS authentication vectors shall not be distributed between MME's belonging to different serving domains (PLMNs) UMTS authentication vectors that were previously received from an SGSN shall not be forwarded between MME's,Only EPS AVs in the same PLMN,Only UMTS AVs in the same SGSN,Only UMTS AVs in the same PLMN,2019/5/22,30,2019/5/22,31,2019/5/22,32,2019/5/22,33,Kasme与SN ID,SN ID=MCC+MNC Kasme=f(CK, IK, SN id, SQN(+)AK ) Kasme的产生与SN id有关，因此，当SN id发生改变时，则原来的Kasme不能使用。 因此，在Inter-PLMN的TAU时，则必须要运行EPS AKA。,2019/5/22,34,NAS COUNT Reset,0 NAS Count(复位）,AKA,S.C. Mapping in UTRAN/GERAN E-UTRAN HO,S.C. Mapping in UTRAN/GERAN E-UTRAN idle Mobility,The NAS COUNTs shall not be reset during idle mode mobility or handover for an already existing native EPS NAS security context. 也就是说NAS Count快还返转时，就要更换Kasme了,2019/5/22,35,NAS S.M.C,The NAS security mode command message from MME to UE shall contain the replayed UE security capabilities, the selected NAS algorithms, the eKSI for identifying KASME, and both NONCEue and NONCEmme in the case of creating a mapped context in idle mobility. This message shall be integrity protected (but not ciphered) with NAS integrity key based on KASME indicated by the eKSI in the message . The UE shall verify the integrity of the NAS security mode command message. This includes ensuring that the UE security capabilities sent by the MME match the ones stored in the UE to ensure that these were not modified by an attacker and checking the integrity protection using the indicated NAS integrity algorithm and the NAS integrity key based on KASME indicated by the eKSI. In addition, when creating a mapped context for the case described in clause 9.1.2, the UE shall ensure the received NONCEUE is the same as the NONCEUE sent in the TAU Request and also calculate K'ASME from CK, IK and the two nonces (see Annex A.11). If successfully verified, the UE shall start NAS integrity protection and ciphering/deciphering with this security context and sends the NAS security mode complete message to MME ciphered and integrity protected The NAS security mode complete message shall include IMEI in case MME requested it in the NAS SMC Command message. The MME shall de-cipher and check the integrity protection on the NAS Security Mode Complete using the keys and algorithms indicated in the NAS Security Mode Command. NAS downlink ciphering at the MME with this security context shall start after receiving the NAS security mode complete message. NAS uplink deciphering at the MME with this context starts after sending the NAS security mode command message.,MME,UE,NAS S.M.Command(UE S.Cap, Selected NAS Algoritm, eKSI, IMEISV Request, NONCEue, NONCEmme, NAS-MAC),NAS S.M.Complete( IMEISV, NAS-MAC ),Start I.P. & (de-)Ciphering,Start UL de-Ciphering,Start DL-Ciphering,Start I.P.,2019/5/22,36,Nonce,If the MME does not have the context indicated by the UE in the TAU request, or the TAU request was received unprotected, the MME shall create a new mapped security context (that shall become the current security context). In this case, the MME shall generate a 32bit NONCEmme and use the received NONCEue with the NONCEmme to generate a fresh mapped K'ASME from CK and IK, where CK, IK were identified by the KSI and P-TMSI in the TAU Request. See Annex A.11 for more information on how to derive the fresh K'ASME. The MME initiates a NAS Security mode command procedure with the UE including the KSISGSN, NONCEUE, and NONCEMME in the NAS Security mode command. The uplink and downlink NAS COUNT for mapped security context shall be set to start value (i.e., 0) when new mapped security context is created in UE and MME. Nonce-UE When creating a mapped context for the case described in clause 9.1.2, the UE shall ensure the received NONCEUE is the same as the NONCEUE sent in the TAU Request and also calculate K'ASME from CK, IK and the two nonces (see Annex A.11).,2019/5/22,37,AS S.M.C,The AS security mode command message from eNB to UE shall contain the selected AS algorithms. This message shall be integrity protected with RRC integrity key based on the current KASME. The AS security mode complete message from UE to eNB shall be integrity protected with the selected RRC algorithm indicated in the AS security mode command message and RRC integrity key based on the current KASME. RRC and UP downlink ciphering (encryption) at the eNB shall start after sending the AS security mode command message. RRC and UP uplink deciphering (decryption) at the eNB shall start after receiving and successful verification of the AS security mode complete message. RRC and UP uplink ciphering (encryption) at the UE shall start after sending the AS security mode complete message. RRC and UP downlink deciphering (decryption) at the UE shall start after receiving and successful verification of the AS security mode command message,2019/5/22,38,AS SMC过程,2019/5/22,39,AS SMC与NAS SMC的同步,NAS SMC正在进行 1:MME不应当发起触发AS SMC的S1-AP过程 6：MME只有完成了NAS SMC后才继续Inter-MME HO。 Inter-ENB HO正在进行 5： 源ENB reject触发AS SMC的S1-AP过程 5：源ENB当AS Refresh/Re-key结束后，才可以进行HO HO过程中 3：MME发起NAS SMC，但在HO Request/Path Switch Request Acknowledge中使用Old AS S.C. 4：UE收到NAS SMC，但在HO过程中继续使用Old AS S.C. 触发AS SMC的SA-AP正在进行中 2：MME不应当发起NAS SMC. 7：MME当S1-AP结束后，才可以进行Inter-MME HO NAS SMC完成，但S1-AP未进行 8,9：有Inter-MME HO，新旧MME则继续使用Old AS S.C.传输，同时在S10接口上传输两套S.C.,2019/5/22,40,主要内容,EPS 安全综述 EPS AKA与S.M.C过程 EPS MM程与HO过程中的安全 EPS KDF EPS EEA1/2/3与EIA/1/2/3算法,2019/5/22,41,EPS MM程与HO过程中的安全,LTE内的状态迁移时的安全上下文的处理 LTE内TAU过程。 UTMS与LTE之间的RAU，TAU过程 LTE内的X2,S1 Handover过程 LTE与UMTS之间的切换过程,2019/5/22,42,Transition To EMM-DEREGISTERED,If UE and MME have a full non-current native EPS security context and a current mapped EPS security context, then they shall make the non-current native EPS security context the current one. UE and MME shall delete any mapped or partial EPS security contexts they hold.,NC-F,NC-P,C-M,C-F,EMM-DEREGISTERED,EMM-REGISTERED,C-F,E-USIM,ME,USIM,ME,C-F,2019/5/22,43,To EMM-DEREGISTERED的其它场景,AV,NC-P,C-F,AV,C-F,AV,NC-P,C-F,UE-initiated Detach with Power off,UE-int Detach without Power off MME-int Detach Explicitly with re-attach MME-int Detach Implicitly,HSS-initiated Detach with Subscription withdrawn,2019/5/22,44,To EMM-DEREG. with TAU Reject,NC-P,C-F,NC-P,C-F,ME,E-USIM,NC-P,ME,(E-)USIM,ME,ME,NC-P,C-F,ME,USIM,ME,NC-P,C-F,2019/5/22,45,Away From EMM-DEREGISTERED,NC-P,C-F,E-USIM,ME,USIM,ME,NC-P,C-F,(E-)USIM,ME,C-F,Attach Request with I.P. and MME sets new C-F S.C. If there is no F-S.C. in MME, AKA is runned.,C-F,Attach Request with I.P. and MME sets new C-F S.C. If there is no F-S.C. in MME, AKA is runned.,Attach Request without I.P. MME Runs EPS AKA,2019/5/22,46,From ECM-IDLE to ECM-CONNECTED,初始化的NAS消息不能加密,NC-P,C-F,E-USIM,ME,ME,NC-P,C-F,C-F,C-F,Knasint,对初始化的NAS消息 进行I.P.,Knasenc,Knasint,对初始化的NAS消息 进行I.P.,Knasenc,进入ECM-Connected时，MME将E-USIM中的C-F标识为无效！以保证ME中的C-F是有效的。,USIM,2019/5/22,47,From ECM-IDLE to ECM-CONNECTED,Knasenc= f(Kasme,0x15|0x01|0x0001|EEA1/2|0x0001) Knasint= f(Kasme,0x15|0x02|0x0001|EIA1/2|0x0001) Kenb = f(Kasme,0x11|UL NAS Count|0x0004 ) NH0 = f(Kasme,0x12|Kenb|len(Kenb)=0x0020=32 ) NH* = f(Kasme,0x12|NH |len(NH) ),NC-P/F,C-F/M,E-USIM,ME,C-F,Knasint,对初始化的NAS消息进行I.P.,Knasenc,Initial UE Context Setup (UE S.Capability, Kenb),Kenbf(Kasme) NCC0 NHf(Kasme,Kenb) NCC1,EPS AKA,UL/DL NAS Count0,当MME改变且PLMN-ID发生改变时，必须要执行，否则根据MME的Policy来决定,NAS S.M.C.,AS S.M.C (EncAlg, IpAlg),仅仅用于(extended) Service Request消息或TAU With Active Flag消息,2019/5/22,48,From ECMCONNECTED to ECM-IDLE,NC-P/F,C-F/x,E-USIM,ME,ME,C-F/M,NC-P/F,NC-P/F,C-F/M,UE S.Capability 对于Full Native S.C中Knasint,Knasenc 不存贮,USIM,UE S.Capability 对于Full Native S.C中Knasint,Knasenc 不存贮,2019/5/22,49,MME传递Kenb给ENB,MME,Target eNB,Initial Context Setup (UE S.Cap, Kenb),UE Context Modification (UE S.Cap, Kenb),eNB: 0 NCC, after receiving S1-AP Initial Context Setup Request message.,2019/5/22,