
LTE: Security Protected NAS message

- The SECURITY PROTECTED NAS MESSAGE is sent either by the UE or by the network to transfer a NAS message together with the Sequence Number and the Message Authentication Code (MAC) protecting the NAS message
- Once a valid EPS security context exists and has been taken into use, all subsequent NAS messages in the uplink or downlink are security protected
- The MAC IE contains the integrity protection information for the NAS message
- The Sequence Number (SN) IE includes the NAS message sequence number, which consists of the eight least significant bits of the NAS COUNT for a security protected NAS message
- The IE NAS message includes a complete plain NAS message. The SECURITY PROTECTED NAS MESSAGE and the SERVICE REQUEST message are not plain NAS messages and shall not be included in this IE
- The structure of the SECURITY PROTECTED NAS MESSAGE is shown below
Reference: 3GPP TS 24.301
Example: SECURITY PROTECTED NAS message
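
A parser for the layout described above, as an added example that is not part of the original post. The octet positions, the security header type values, the EMM protocol discriminator and the 24-bit NAS COUNT layout are taken from 3GPP TS 24.301 rather than from this page; the sample bytes are constructed and the wrap-around policy in estimate_nas_count is an assumption.

```python
from dataclasses import dataclass

EMM_PD = 0x7  # protocol discriminator for EPS mobility management messages
# Security header types that use the SECURITY PROTECTED NAS MESSAGE layout.
PROTECTED_TYPES = {
    0x1: "integrity protected",
    0x2: "integrity protected and ciphered",
    0x3: "integrity protected with new EPS security context",
    0x4: "integrity protected and ciphered with new EPS security context",
}

@dataclass
class ProtectedNas:
    header_type: int   # upper nibble of octet 1
    mac: bytes         # octets 2-5, Message Authentication Code
    sn: int            # octet 6, eight least significant bits of NAS COUNT
    payload: bytes     # octets 7-n, the (possibly ciphered) plain NAS message

def parse_security_protected(msg: bytes) -> ProtectedNas:
    if len(msg) < 7:
        raise ValueError("shorter than header + MAC + SN + one payload octet")
    header_type, pd = msg[0] >> 4, msg[0] & 0x0F
    if pd != EMM_PD or header_type not in PROTECTED_TYPES:
        raise ValueError(f"not a security protected NAS message: 0x{msg[0]:02x}")
    payload = msg[6:]
    # Types 1 and 3 are not ciphered, so the inner octet can be inspected: an
    # EMM message with a non-zero security header type is a nested protected
    # message or a SERVICE REQUEST, which must not appear in this IE.
    if header_type in (0x1, 0x3) and payload[0] & 0x0F == EMM_PD and payload[0] >> 4:
        raise ValueError("NAS message IE does not hold a plain NAS message")
    return ProtectedNas(header_type, msg[1:5], msg[5], payload)

def estimate_nas_count(sn: int, last_count: int) -> int:
    """Rebuild the 24-bit NAS COUNT (16-bit overflow counter || SN) from the SN.
    Assumed policy: an SN below the last accepted one means the SN wrapped."""
    overflow = last_count >> 8
    if sn < (last_count & 0xFF):
        overflow += 1
    return ((overflow << 8) | sn) & 0xFFFFFF

# Constructed sample: header 0x37 (type 3, PD 7), placeholder MAC, SN 0, then
# made-up plain EMM message bytes. The MAC is not a real integrity value.
SAMPLE = bytes.fromhex("37" "deadbeef" "00" "075d020002e0e0")

if __name__ == "__main__":
    p = parse_security_protected(SAMPLE)
    print(PROTECTED_TYPES[p.header_type], p.mac.hex(), p.sn, p.payload.hex())
    print(hex(estimate_nas_count(0x02, 0x0001FE)))
```

A receiver compares the estimated NAS COUNT with the last accepted value before computing the MAC, so a replayed SN yields a count that is not greater than the stored one.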


LTE NAS: Security Mode Reject

- The UE shall first perform the integrity check of the SECURITY MODE COMMAND message and also check that the received ‘replayed UE security capabilities’ and the received nonceUE have not been altered as compared to what the UE provided in the initial L3 message
- If the SECURITY MODE COMMAND cannot be accepted by the UE, then it shall send a SECURITY MODE REJECT message
- The IE EMM Cause in the SECURITY MODE REJECT message typically indicates either cause #23 (UE security capabilities mismatch) or #24 (security mode rejected, unspecified)
- After the MME receives the SECURITY MODE REJECT message, both the UE and the MME shall apply the EPS security context in use before the initiation of this security mode control procedure, if any, to protect the SECURITY MODE REJECT message and any other subsequent messages according to the rules in 3GPP TS 24.301 subclauses 4.4.4 and 4.4.5
Reference: 3GPP TS 24.301
Example: SECURITY MODE REJECT


LTE NAS: Security Mode Complete

- If the SECURITY MODE COMMAND message can be accepted by the UE, then the UE shall send a SECURITY MODE COMPLETE message to the network
- If the MME requests IMEISV in the SECURITY MODE COMMAND message, then the UE shall include its IMEISV in the SECURITY MODE COMPLETE message
- The SECURITY MODE COMPLETE message shall be integrity protected with the selected NAS integrity algorithm and the EPS NAS integrity key based on the KASME/K'ASME
- Also, the UE shall cipher the SECURITY MODE COMPLETE message with the selected NAS ciphering algorithm and the EPS NAS ciphering key based on the KASME/K'ASME
- After sending the SECURITY MODE COMPLETE message, the UE shall cipher and integrity protect all subsequent NAS messages with the selected NAS ciphering and integrity algorithms respectively
- After receiving the SECURITY MODE COMPLETE message, the MME shall integrity protect and encipher all signalling messages with the selected NAS integrity and ciphering algorithms respectively
Reference: 3GPP TS 24.301
Example: SECURITY MODE COMPLETE


LTE NAS: Security Mode Command

- The purpose of the NAS security mode control procedure is to take an EPS security context into use, and initialize and start NAS signalling security between the UE and the MME. The MME starts this procedure by sending SECURITY MODE COMMAND message
- The MME may send a SECURITY MODE COMMAND in order to change the NAS security algorithms for a current EPS security context already in use
- The MME shall send the SECURITY MODE COMMAND message unciphered, but shall integrity protect the message with the NAS integrity key based on KASME or mapped K'ASME indicated by the eKSI included in the message
- The MME shall set the security header type of the message to "integrity protected with new EPS security context" since this message is only integrity protected but not ciphered
- The MME shall include the replayed security capabilities of the UE (including the security capabilities with regard to NAS, RRC and UP (user plane) ciphering etc.)
- The MME shall include the replayed nonceUE if the UE included it in initial L3 message to the network
- Also, the MME shall send the selected NAS ciphering and integrity algorithms and the NAS Key Set Identifier (eKSI) in the SECURITY MODE COMMAND message
- The MME shall include both the nonceMME and the nonceUE when creating a mapped EPS security context during inter-system change from A/Gb mode to S1 mode or Iu mode to S1 mode in EMM-IDLE mode
- Additionally, the MME may request the UE to send its IMEISV in the SECURITY MODE COMPLETE message
- The UE shall derive KNASenc and KNASint keys from the key KASME/K'ASME and the received EPS encryption and integrity algorithms (respectively)
Reference: 3GPP TS 24.301
Example: SECURITY MODE COMMAND

LTE RRC: Security Mode Failure

Direction: UE => E-UTRAN
Signalling Radio Bearer: SRB1
RLC Mode: AM
Logical Channel: DCCH
Transport Channel: UL-SCH

The SECURITY MODE FAILURE message is used to indicate an unsuccessful completion of a SECURITY MODE COMMAND, i.e., if the SECURITY MODE COMMAND message fails the integrity protection check, then the UE sends SECURITY MODE FAILURE to the eNodeB.

Upon sending this message, the UE shall continue using the configuration used prior to the reception of the SECURITY MODE COMMAND message, i.e. it applies neither integrity protection nor ciphering.

More details about the security architecture and different kinds of keys are explained here

Reference: 3GPP TS 36.331

LTE RRC: Security Mode Complete

Direction: UE => E-UTRAN
Signalling Radio Bearer: SRB1
RLC Mode: AM
Logical Channel: DCCH
Transport Channel: UL-SCH

The SECURITY MODE COMPLETE message is used to confirm the successful completion of a SECURITY MODE COMMAND.

The UE shall send the SECURITY MODE COMPLETE message integrity protected but un-ciphered, i.e., the UE doesn’t start ciphering in the uplink before it has sent the SECURITY MODE COMPLETE message to the eNodeB.

Example: SECURITY MODE COMPLETE

Reference: 3GPP TS 36.331

LTE RRC: Security Mode Command

Direction: E-UTRAN => UE
Signalling Radio Bearer: SRB1
RLC Mode: AM
Logical Channel: DCCH
Transport Channel: DL-SCH

The SECURITY MODE COMMAND message is used to command the UE for the activation of AS security. E-UTRAN always initiates this procedure prior to the establishment of Signalling Radio Bearer2 (SRB2) and Data Radio Bearers (DRBs).

AS security comprises the integrity protection of RRC signalling (SRBs) as well as the ciphering of RRC signalling (SRBs) and user plane data (DRBs). The integrity protection algorithm is common for signalling radio bearers SRB1 and SRB2. The ciphering algorithm is common for all radio bearers (i.e. SRB1, SRB2 and DRBs). Neither integrity protection nor ciphering applies for SRB0.

The eNodeB sends an integrity protected SECURITY MODE COMMAND message to the UE. The UE shall derive KeNB and the KRRCint key associated with the integrity protection algorithm indicated in the SECURITY MODE COMMAND. Then, the UE verifies the integrity of the received SECURITY MODE COMMAND by checking the Message Authentication Code (MAC) in the SECURITY MODE COMMAND message. If the SECURITY MODE COMMAND message fails the integrity protection check, then the UE sends SECURITY MODE FAILURE to the eNodeB.

If the SECURITY MODE COMMAND passes the integrity protection check, then the UE shall derive the encryption keys KRRCenc and KUPenc associated with the ciphering algorithm indicated in the SECURITY MODE COMMAND.

The UE shall apply integrity protection using the indicated algorithm (EIA) and the integrity key, KRRCint, immediately, i.e. integrity protection shall be applied to all subsequent messages received and sent by the UE, including the SECURITY MODE COMPLETE message.

The UE shall apply ciphering using the indicated algorithm (EEA), the KRRCenc key and the KUPenc key after completing the procedure, i.e. ciphering shall be applied to all subsequent messages received and sent by the UE, except for the SECURITY MODE COMPLETE message which is sent un-ciphered.

Example: Security Mode Command

More details about the security architecture and different kinds of keys are explained here

Reference: 3GPP TS 36.331 and 3GPP TS 33.401
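
The key derivations named in the NAS and RRC Security Mode Command posts above (KNASenc and KNASint from KASME; KeNB, then KRRCint, KRRCenc and KUPenc), as an added example that is not part of the original posts. The FC values, algorithm type distinguishers and truncation rule are taken from 3GPP TS 33.401 Annex A rather than from this page; the function names and the KASME value are constructed for illustration.

```python
import hashlib
import hmac

# Values from TS 33.401 Annex A (not stated on the page itself).
FC_KENB = 0x11      # KeNB derivation from KASME
FC_ALG_KEY = 0x15   # algorithm key derivation
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02,
            "RRC-enc": 0x03, "RRC-int": 0x04, "UP-enc": 0x05}

def alg_key_input(alg_type: str, alg_id: int) -> bytes:
    """S = FC || P0 || L0 || P1 || L1 for an algorithm key."""
    if not 0 <= alg_id <= 0x0F:
        raise ValueError("algorithm identity is a 4-bit value")
    return bytes([FC_ALG_KEY, ALG_TYPE[alg_type], 0x00, 0x01, alg_id, 0x00, 0x01])

def derive_alg_key(parent: bytes, alg_type: str, alg_id: int) -> bytes:
    """HMAC-SHA-256 keyed with KASME or KeNB; keep the 128 least significant bits."""
    if len(parent) != 32:
        raise ValueError("parent key must be 256 bits")
    return hmac.new(parent, alg_key_input(alg_type, alg_id), hashlib.sha256).digest()[16:]

def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    """KeNB = KDF(KASME, FC || uplink NAS COUNT (4 octets) || 0x00 0x04)."""
    s = bytes([FC_KENB]) + uplink_nas_count.to_bytes(4, "big") + b"\x00\x04"
    return hmac.new(kasme, s, hashlib.sha256).digest()

def nas_keys(kasme: bytes, eea: int, eia: int) -> dict:
    # The selected EEA/EIA identities arrive in the NAS SECURITY MODE COMMAND.
    return {"KNASenc": derive_alg_key(kasme, "NAS-enc", eea),
            "KNASint": derive_alg_key(kasme, "NAS-int", eia)}

def as_keys(kenb: bytes, eea: int, eia: int) -> dict:
    # KRRCint is needed first, to verify the RRC SECURITY MODE COMMAND MAC.
    return {"KRRCint": derive_alg_key(kenb, "RRC-int", eia),
            "KRRCenc": derive_alg_key(kenb, "RRC-enc", eea),
            "KUPenc": derive_alg_key(kenb, "UP-enc", eea)}

KASME = bytes(range(32))  # constructed test key, not from any real network

if __name__ == "__main__":
    for name, key in {**nas_keys(KASME, 2, 2),
                      **as_keys(derive_kenb(KASME, 0), 2, 2)}.items():
        print(name, key.hex())
```

Because the algorithm identity is an input to the derivation, a change of selected algorithm yields a different key even when KASME or KeNB is unchanged.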