Considering the success of UMTS security, 3GPP endeavored to alter it only where necessary to facilitate the new Evolved Packet System (EPS) architecture and the security requirements brought by changing business models or deployment requirements.
Thus, 3GPP continued the existing security association between the UE and AuC in LTE. With each of the sides storing and protecting the per- manent key and thus continuing with the principles of AKA, the resulting protocols was denoted EPS-AKA. To prevent significant operator costs and to ease the consumer transition from UMTS to LTE (by avoiding the need to exchange their USIM), it was decided that LTE must support the UMTS USIMs. Due to major disadvantages of GSM AKA compared to EPS-AKA, the older GSM (2G) SIM cards were prohibited for LTE.
One of the design goals of LTE EPS was to flatten the architecture and discontinue the use of intermediate nodes, which made the base station – denoted as evolved Node B (abbreviated as eNodeB or eNB) in LTE net- works – the termination point for many of the signaling protocols. This design restarted the discussion of the security termination point. Terminat- ing signaling protocols in the eNodeB implied that the protection of those messages also terminated at the eNodeB. This is opposite to the decision of UMTS workgroup, which moved the termination point to the RNC – lo- cated deeper inside the UMTS network – to resolve the weakness of GSM. To mitigate the fact that the eNodeB was seen as unsecured (since it is placed in exposed locations), requirements were put in place to enhance the physical and system security of the eNodeB. This was the first time that 3GPP included specific platform security requirements for a network node. With these specifications in place, 3GPP accepted to terminate the security protocols in the eNodeB.
One of the high-level security requirements described in [TS22.278] is that a security lapse in one access technology must not compromise other accesses. Two significant changes compared to UMTS support this require- ment. LTE introduced a distinction between the non-access stratum layer (NAS), handling traffic between the UE and core network, and the access stratum (AS) for signaling traffic between the UE and eNodeB. Additionally, LTE expanded the cryptographic key separation as a mechanism to limit the effect of a key leakage. In LTE a local master key, KASM E, is derived from
the UMTS integrity and confidentiality keys together with the identity of the serving network (SNid), which implies that the serving network is implicitly authorized as the HN has used the correct SNid in its key calculation, which is an improvement from UMTS. From the local master key KASM E, specific
keys are derived to provide integrity and confidentiality protection for AS, NAS and RRC signaling traffic. The LTE AKA procedure is described in Figure 6.
Another feature of LTE is the improved privacy protection of the user, namely two specific changes in the handling of temporary identities as well as the permanent terminal identity of International Mobile Equipment Iden- tity (IMEI) and International Mobile Equipment Identity and Software Ver- sion (IMEISV). To increase the privacy of the user, LTE has support for confidentiality protection of the signaling messages that transmit the Glob- ally Unique Temporary UE Identity (GUTI) identity to the UE. If used, it prevents a passive adversary from correlating the GUTI identity with the permanent IMSI. However, active attacks to retrieve the IMSI from the UE are still possible. The second change is the required protection of the IMEI and IMEISV terminal identities, which are perhaps even more permanent than the IMSI since the user might switch operator more often than the mobile equipment (ME), by requiring NAS signaling protection before they are transmitted.
If we summarize the LTE advancements, the most significant changes were in the network part, making the design flatter and entirely removing the circuit switched domain. From a security perspective, the AKA protocol received improvements, enabling the UE to identify the serving network and the introduction of advanced key derivations.
LTE AKA detailed protocol description
Below is a detailed description of the LTE AKA protocol.
Authentication.
1. The authentication and security mode setup is initialized by the attach request from the UE to the MME, which is a central part responsible for paging, identity allocation, authentication among others in LTE. 2. The MME prepares the authentication challenge by requesting authen-
tication vectors from the home subscriber system (HSS) in the home environment (HE) of the subscriber. The HSS contains user-related and subscription-related information and includes functionality such as u ser authentication and authorization, and is based on the home location registry (HLR) and AuC from earlier 3GPP releases.
3. Upon receiving the acquisition request from the MME, the AuC part of the HSS will compute an UMTS AV.
4. The HSS generates the extended authentication vectors, compared to UMTS, which include the local master key, KASM E, calculated as
KASM E = KDF(CK, IK, SNid, SQN üAK).
5. The HSS sends the EPS authentication vector to the MME.
6. The MME initiates the mutual authentication by sending the RAND,
7. The same algorithms used by the HSS is applied in the UE to generate the necessary output, e.g. session keys, SQN, RES, XMAC, etc. The same verifications as in UMTS is performed by the UE to authenticate the network.
8. If the verifications are true, the UE send the RES to the MME. 9. The MME does a corresponding verification that the RES is identical
to XRES, if true the mutual authentication is completed and the MME prepares the NAS security setup by deriving KN ASEN C and KN ASIN T from KASM E. The MME additionally produces non-access stratum
MAC (NAS-MAC) used for integrity protection.
NAS Security setup.
10. The MME send the UE capabilities, NAS algorithms and the NAS- MAC to the UE.
11. In a similar verification to the mutual authentication, the UE will derive KN ASEN C and KN ASIN T from KASM E and compute its own
XNAS-MAC and compare it with NAS-MAC to verify the integrity
of the message.
12. If verification is successful, the UE send an integrity and confidentiality protected NAS “Security mode complete” to the MME, concluding the NAS Security setup.
AS Security setup.
13. The MME derive a local eNodeB master key, KeN B, from KASM E. 14. The MME send KeN B and the capabilities to the eNodeB.
15. The eNodeB derives cryptographic keys from the local eNodeB mas- ter key, KeN B, to be used for encryption, KRRCEN C, and integrity protection, KRRCIN T, of the Radio Resource Control (RRC) signaling protocol and user-plane encryption, KU PEN C.
16. The eNodeB initiates the AS Security setup, which includes the AS algorithms and AS-MAC.
17. The UE derives the AS session keys and the expected AS-MAC and verify it with the AS-MAC.
18. If the verification is successful, the UE sends “Security mode complete” together with a MAC to the MME, concluding the AS Security setup.
Figure 6: EPS AKA Procedure.