HomeMobile EuropeUMTS security --- the issues explained

    UMTS security — the issues explained


    In the light of security concerns on fixed IP networks it is clear that operators of 3G networks will need the absolute trust of subscribers if they want multi-media and other services to be successful. Establishing interoperable security protocols will be essential to that. Experts at Huawei Technologies provided Mobile Europe with a full account of the security architecture and structure of WCDMA 3G services — as specified by the 3GPP.

    The biggest obstacle that faces the mobile subscriber to second or third generation network services is the perception that radio transmission lacks data security and privacy.

    A recent investigation of the Boston Consultation Group showed that in Sweden, where 70% of adults use mobile telephones, 87% of subscribers worry if they transmit a credit card number through the mobile network. Furthermore, the later all-IP 3G network will not only be an environment with open air interfaces, but also a fully open public network, and the security problems will be even more critical.
    It is very important to guarantee security of service and information transmission in 3G. Without good security, a large amount of new 3G services such as e-business, electronic trade, and other network services will be made a nonsense of. That is, a true 3G system cannot live without good security.

    Solving the 3G security problem has become key to achieving 3G system acceptance. That is also the problem the two standardization organizations, 3GPP and 3GPP2, are being faced with. 3GPP and 3GPP2 have both prepared security standards, but they have not kept step. The 3GPP  set up a special SA3 working group during the initial phase which is responsible for preparing security standards for other groups. However, the early security standards of the 3GPP2 were prepared by each working group themselves, and sorted by the TIA TR-45 group. Since a 3G system has many security problems and different working groups cannot prepare uniform security standards, the 3GPP2 proceeded slowly in its preparation. Then, based on the experience of the 3GPP, the 3GPP2 founded its TSG S4 group in August, 2001 which is responsible for the security problems of the 3GPP2 system. The agenda of the group was established at the 3GPP2 OP/SC meeting early in November, 2001 in Shenzhen of China. As the 3GPP (WCDMA) security standards are relatively mature and comprehensive, this article lays emphasis on the 3GPP security standards.

    3G inherits from 2G

    3G systems inherit the following security features of 2G systems.
    l Encryption on the air interface.  3G inherits the air interface information encryption mechanism of 2G. It also strengthens the air interface encryption algorithm and lengthens the key.
    l The subscriber identity is a secret on the air interface.
    l Like the 2G SIM card, the 3G USIM card also serves as a mobile hardware security module. It is under the management of the network provider and is independent of the user equipment (UE).
    l The USIM application toolkit provides a secure application layer channel between the USIM and the home network.
    l Security related operations are independent of the UE. That is, the security application is transparent to the subscriber and provides to the subscriber the highest security visibility.

    3G brings a host of new services and with them additional security challenges. For instance, in 3G the multi-service feature will bring new service providers, so 3G systems will not only have to process subscribers’ communication requests better but need to provide higher security than the existing fixed network and mobile network.

    The traditional direct charging mode will no longer play a lead role. Various pre-paid and immediate payment services will form new charging rules and the 3G security system will need to provide satisfactory security methods for the new charging systems. In 3G, “active attack” will become the primary attack manner, in which the attacker may disguise the attacking equipment as a part of the network to induce security loopholes.

    Additionally, UE will be used for e-business and other application platforms. Multi-application smart cards that include the USIM application will be used in the UE. The smart card and the UE will use environments such as Java to realize those applications and the UE may also have to support personal authentication by biological characteristics.

    UMTS Security Technology

    UMTS Security Technology
    The 3GPP information security systemm includes access network security and core network (CN) security. Access network security refers to subscriber authentication and the encryption and complete privacy of information on the air interface. Core network security includes Mobile Application Part (MAP) security and IP security — which are based on the  MAP application of SS7 and IP. Among the 3GPP security standards, R99 is mainly for access network security and is already secure, R4 is for MAP security and has provided the MAPSec mechanism, and R5 is for all-IP security.

    The security architecture is based on  three layers, the application layer, service layer and transport layer. The layers achieve the following security features:
    l Network access security. This security feature provides a secure access network for 3G subscriber services, including subscriber identity access authentication in the case of USIM access to HE, access verification in the case of USIM insertion into UE and prevention of attacks on the subscriber service information on the air access link, or radio link).
    l Network domain security. This  guarantees that the nodes in the service provider domain can safely exchange signaling data and attack can be prevented on the cable network.
    l Subscriber domain security. This ensures that the subscriber can safely access the UE and provide services through the UE.
    l Application domain security. This guarantees security of the application layer and ensures that the application layer of the subscriber domain and that of the service provider domain can safely exchange messages.
    l Secure configurability and visibility. This is a guarantee of security information provided to the subscriber. It tells the subscriber whether the security features of a system are enabled and whether the application and setting up of services should depend on the security features.

    The security standards the 3GPP has prepared, or is preparing, include the air interface security standard and the authentication and key negotiation security standard in R99, MAPSec security standard in R4 and R5, and IP network layer security standard and IMS security standard in R5. Standards for the latter three security features in the list above have not been prepared yet. They will be given in the successive releases.

    Air Interface Standard

    3G access security includes air interface access security and subscriber access inter-authentication. The former protects subscriber information and signalling information transmitted on the radio link. The latter provides authentication between the subscriber and the network, guaranteeing the security of both the subscriber and the network.

    Air interface access security refers to confidentiality protection for service plane information and control plane information (i.e. information encryption and integrity protection for  control plane information). The confidentiality protection is to protect the information from passive attack such as wiretapping and disclosure. Through information encryption, confidentiality protection guarantees the privacy of information.Integrity protection protects the information from active attack such as deletion, modification and addition. The air interface access security methods are implemented at the Radio Network Controller (RNC) and UE.

    Air interface security can be achieved using the f8 and f9 algorithms. The f8 algorithm achieves confidentiality protection on the air interface, and f9 achieves integrity protection. According to 3GPP specification, f8 and f9 must be standardized algorithms (i.e. algorithms uniformly realized by each network provider and manufacturer.) Only uniform algorithms can guarantee interconnection and interworking between devices and between systems on the basis of secure information transport.

    For confidentiality protection and integrity protection, the 3GPP prepares different standards. Confidentiality protection can be freely selected by network providers, while integrity protection is mandatory. The system may not be subject to confidentiality protection (like 2G systems), but it must be under integrity protection (peculiar to 3G systems). From the aspect of 3G services, it is impossible not to provide confidentiality protection for the subscriber information. For example, the telecommunication operator Vodafone has definitely stated that their future 3G network must support confidentiality protection and that unencrypted communication will not be allowed.

    In August, 1999, the 3GPP began to work on a standard encryption algorithm — called the Kasumi algorithm — to achieve interface security. The ETSI SAGE working group, together with the technical personnel from the relevant corporations, was committed to the development. The algorithm was formally released in December, 2000. Achieving the f8 and f9 algorithm functions, the Kasumi algorithm is the first standard encryption algorithm on the air interface.

    Authentication and key agreement

    Authentication and key agreement are implemented on the USIM card in the UE and at the Visitor Location Register (VLR) of the CN. However, on the network side, the authentication parameters are calculated by the Home Location Register (HLR) and sent to the VLR. The VLR saves the information and performs identification between the network and the UE/USIM. The algorithms for the procedure are realized at the USIM and HLR/AuC.

    Different from the 2G system, the 3G system performs bidirectional authentication, including authentication of the network by the subscriber and authentication of the subscriber by the network. The inter-authentication procedure is accompanied by key negotiation, i.e. negotiation of the encryption key and integrity key respectively .

    According to 3GPP specifications, the f0-f5 algorithms achieve authentication and key negotiation functions. Since subscriber authentication information is determined in the USIM card and HLR/AuC independent of the VLR, the f0~f5 algorithms need be consistent only between the USIM card and the HLR authentication centre and the consistency need be guaranteed by only the communication service provider. That is, the f0~f5 algorithms need not be standardized. Note that such functionality and requirements are completely inherited from the current 2G system.

    Despite the non-standardization of the authentication algorithm, 3GPP committed the 3GPP MCC to develop an example algorithm for the AKA function. The MCC put forward a draft of the algorithm in which the AES-Rijndael algorithm serves as a core algorithm. Some corporations are assessing the security of using the Rijndael algorithm as the authentication algorithm. The 3GPP  wants the finally released example algorithm to be the first choice of 3G product manufacturers and 3G network providers.

    MAPSec Security

    In 3G systems, the MAP signaling message is used to perform location update, supplementary services and call control. It uses the SS7 protocol as its transport layer protocol (it will use the IP transport layer protocol later). Since the SS7 protocol itself does not provide any security methods, the MAP message on the transport layer will inevitably be subject to some security threats and attacks. For example, the MAP message may be modified, added or deleted. The MAP security function protects SS7 signaling in the 3G core network. That function is put forth by the 3GPP, and the 2G system provides no protection for the MAP message.

    According to 3GPP’s specification, the complete set of enhancement and extension mechanisms for protecting the MAP is named MAPSec protocol. The MAPSec protocol provides the MAP information transport security and security management procedures. It is based on the application layer and is independent of the network layer and transport layer.

    Due to the complexity of the core network architecture, MAPSec needs to perform independent security management and key negotiation. A new network unit — the Key Administration Center (KAC) is introduced to the network in order to achieve MAPSec. The KACs of different networks set up MAPSec Security Associations (SAs) through IKE negotiation. The MAP SAs define the mode, key and ciphering algorithm used for protecting MAP signaling. They are valid within the whole PLMN and are distributed to the Network Entities (NEs) in the PLMN that implement MAPSec. A confirmed SA will serve as the security association for intercommunication between NEs in the same network or in different networks, providing security protection for the communication between NEs. According to core network MAPSec security standards, it is through the KAC that the MAP SAs are negotiated, updated and distributed and provide security protection for the communication between NE nodes.

    According to MAPSec security standards, a packet extension header needs to be added to implement the MAP security function. This will increase the load of the MAP message and affect a message that is already overloaded. The 3GPP balances MAP security, MAP message load and security level requirement, and the MAPSec protocol provides three protection modes which are applicable to different situations.
    l Mode 0: No protection. In this mode, no security method is provided.
    l Mode 1: Integrity protection is provided for the MAP signaling. The f7 algorithm is used to apply a digital signature to the security header and plain text so as to achieve integrity protection.
    l Mode 2: Full protection. In this mode, both confidentiality protection and integrity protection are provided. The f6 algorithm encrypts the plain text so as to achieve confidentiality protection. The f7 algorithm is used to apply a digital signature to the security header and plain text to give integrity protection.

    Similar to the air interface security,  MAPSec security also provides only confidentiality protection and integrity protection. According to 3GPP specifications, the f6 algorithm achieves the MAPSec confidentiality protection function, and the f7 algorithm achieves the MAPSec integrity protection function. To guarantee MAPSec security protection as well as interconnection and interworking between core networks of different network providers and between different core network devices, f6 and f7 must be standardized algorithms. Currently, the 3GPP has suggested that the Rijndael algorithm should serve as a core algorithm.

    IP Network Layer

    The IP transport protocol is introduced to the network reference model in the 3GPP system. Generally, the network provider will not own a special transport network but use the public Internet to transport information. This not only saves costs but facilitates interworking with other network or service providers. However, this also brings security threats. The connection to the network becomes a kind of public access in some sense. It is subject to network attack such as wiretapping and deceiving and may lead to re-report, service suspension or other datagram attacks, and consequently damage the routine operations and reputation of the network provider.

    IP network layer security in 3G provides network security protection based on the control plane. Network control is usually divided into the security domain and Border Gateway (BG). The security domain directly communicates with the core network of an individual network provider. The BG is under the protection of the Security Gateway (SEG). The SEG is a security entity on the border of a network. According to relevant security policies, SEG performs security protection for the control plane data, and monitors and manages the packet stream between the internal private network and the external network. SEG does not protect the user plane data. If the policies allow, it can be used to protect the direct packet exchange with the external host, server or terminal. It can set up a secret session by establishing and negotiating a SA.

    IP security architecture

    IP-based network security architecture is structured based on the point-to-point security idea — key administration and distribution are both on the basis of IPSec IKE. Typically, the network of an individual network provider will form a secure domain, in which the same security level and security service will be adopted. If the network provider divides the network into multiple subnets, each subnet will own an independent secure domain. With such architecture, the network can adopt independent security policies and even be divided into multiple logically secure domains according to different requirements, independent of the external network. This increases the flexibility of security applications.

    In this architecture, the SEG serves as the only entity for direct communication with other network domains. Through the SEG, IPSec security channels are established and maintained between different network domains. Each SEG keeps at least one IPSec channel to the peer SEG at any time. A NE (network element) can also set up IPSec security channels to the SEG or other NEs in the same network domain. In the 3G network domain, the IPSec security protocol is always in ESP rather than AH mode. Therefore, the IPSec security channels are all IPSec ESP security channels. In addition, the security architecture forcedly requires that integrity protection against replay attack must be provided.

    One of R5’s important functions is to achieve multimedia services. R5 provides the specifications for achieving an IP Multimedia Subsystem (IMS). The IMS service access security standard is based on the security features and security mechanisms of the 3G system — providing safe access for IMS.

    Since the IMS supports IP-based multimedia applications such as video service, audio service, multimedia meeting, etc, 3GPP chose Session Initiation Protocol (SIP) as the signaling protocol for initiating and terminating multimedia sessions. Therefore, guaranteeing the IMS service access security protects the SIP signaling and to perform inter-authentication between the subscriber and the IMS.

    For IMS services, the IMS has defined multiple NEs that are different from the NEs in the conventional system. The subscriber has an IM Service Identification Module (ISIM) which functions like the conventional SIM card. The ISIM is responsible for processing the IMS related parameters such as key, sequence number, etc. It is independent of the USIM and is specially applied to the IM service subscriber. The security parameters it processes are also independent of those processed by the USIM.

    The Home Subscriber Server (HSS) functions like the conventional HLR. According;y in 3GPP R5 specifications, besides the mandatory capabilities of the HLR, the HSS can also be used for the private account data processing of the IM subscriber in the register network. In some sense, the HLR is a subset of the HSS.

    The Call Session Control Function (CSCF) in the IMS processes the session status in the network and provides connection to other entities, including Serving CSCF (S-CSCF), Proxy CSCF (P-CSCF) and Inquiry CSCF (I-CSCF).

    IMS service access

    The current topic of the 3GPP is mainly the 3G service security problem. Presently, all discussions focus on support of subscriber certificates, multicast/broadcast service (MBMS) security, presence service security and security of interworking between WLAN and 3GPP.

    The emphasis of the 3G subscriber certificate is to set up the WPKI frame. It studies the possible protocol adopted on each interface, division of the entity function, generation position of the private key/public key, life cycle, etc. Research on the MBMS security includes multicast subscriber authentication, multicast key administration, develping a hierarchy model of unicast key and multicast keys, key division protocol and traffic flow encryption protocol.

    The basic frame of interworking between WLAN and 3GPP is already determined, including authentication for EAP-SIM and EAP-AKA in the case of access of the WLAN to the 3GPP, subscriber identification privacy method, re-authentication procedure, etc. Furthermore, the model of trust between WLAN network providers and 3GPP network providers also needs to be discussed to determine which level of security protection should be provided in each circumstance. Presence service security is also a hot spot. Discussion about this includes authentication of watcher and presentity, authentication protocol, etc. Presence is closely related to the IMS. The IMS related parts in presence tend to be separated and gradually added to the IMS security protocol.

    This document generally describes the access and core network security technologies specified in the current 3GPP security standards, prepared mainly for the security of the present WCDMA system. The standards will be developed simultaneously with other technology standards. R6 has been developed up to now. As security is very important in WCDMA, the immature parts in the existing security standards will be improved as far as possible in the future and other security standards will be prepared soon.