Professional Documents
Culture Documents
Michael Bartock
Jeffrey Cichonski
Joshua Franklin
IT Specialist (Security)
National Institute of
Standards & Technology
IT Specialist (Security)
National Institute of Standards
& Technology
IT Specialist (Security)
National Institute of Standards
& Technology
Disclaimer
Agenda
Context of Research
Located in Boulder, CO
What is LTE
2G
GSM
2.5G
EDGE
3G
UMTS
3.5G
HSPA
4G
LTE
The Basics
10
Mobile Device
11
X2 Interface: connection
between eNodeBs
12
13
LTE Network
14
Communications Planes
15
LTE Protocols
TCP/IP sits on top of the cellular protocol
stack:
16
17
MCC
MNC
310
014
MSIN
00000****
19
UICC Token
Stores IMSI
Authentication Response
22
23
Backhaul Protection
Confidentiality protection of
traffic running over S1 Interface
(Backhaul)
3GPP TS 33.401 - 13: NOTE: In case the S1 management plane interfaces are trusted (e.g.
physically protected), the use of protection based on IPsec/IKEv2 or equivalent mechanisms is
not needed.
25
An
Implementation
Use
Use
Implemented
Testing
Working
Encrypted Traffic
UDP Downlink
45
40
35
30
25
20
15
39.47
39.39
10
5
0
14
12
10
8
6
4
12.12
11.06
2
0
Next Steps
Identify
Identify
secure.
Uu
Renegotiation Attacks
Mitigation:
Mitigation:
41
Call Interception
43
HSS/AuC
Mitigation(s):
45
Mitigation: Unclear
46
47
48
Questions?
LTE
AuC
Authentication Center
ME
Mobile Equipment
AS
Access Stratum
MME
AUTN
Authentication token
NAS
CP
Control Plane
NIST
EDGE
PDCP
eNB
P-GW
Packet Gateway
eNodeBEvolved Node B
PHY
Physical
EPC
PSCR
EPS
RAND
Random
E-UTRAN
RES
Response
GPRS
RLC
GSM
RRC
GUTI
S-GW
Serving Gateway
HSS
SQN
Sequence Number
IMEI
TMSI
IMS
IP Multimedia Subsystem
UE
User Equipment
IMSI
UICC
Secret Key K
UMTS
XRES
Expected result
50
References
3GPP TS 33.210: 3G security; Network Domain Security (NDS); IP network layer security
D. Forsberg, G.Horn, W.-D. Moeller, and V. Niemi, LTE Security, 2nd ed., John Wiley & Sons,
Ltd.: United Kingdom, 2012.
Schneider, Peter, How to secure an LTE-network: Just applying the 3GPP security standards
and that's it?, Nokia, 2012.
51