Authentication Steps and Entities role in LTE

Security 
Mutual Authentication + Integrity+Ciphering
Control Plane :
1.UE - NAS and RRC 
NAS -Control Plane between UE and MME
RRC- Integrity Protected and Ciphered between UE(RRC) and eNodeB
As discussed earlier their will be 6 steps involved in control plane security,lets see in detail


Step 1
Network tries to find out User context based on GUTI. If not found MME requests IMSI from UE

Step 2
After receiving UE’s IMSI(Provided UE doesn’t have GUTI), the mobility management entity MME sends the home network HE /HSS AuC [Authentication Centre]Authentication Data Request which includes IMSI, serving networks SN identity and network type
Step 3
Upon receiving the request,
Step 4

HE generates an EPS authentication vector/(s) (RAND,XRES, AUTN,KSI_ASME)

where the first three parameters are same as those in the EAP-AKA, and

KSI_ASME is the key set identity of access security management entity ASME

Step 5: MME sends the RAND, AUTN and KSI_ASME to the UE which verifies the AUTN and authenticates the networks.

Step 6: If successful, UE generates the response RES and sends it back to MME which compares XRES with RES and authenticates UE

What each entity does

Well in next post lets see Ciphering and Integrity along with Algorithms involved

LTE Security Terminology

ASME-Access Security Management Entity

Architecture

• HSS/HE – Home Subscriber Server– Contains the User credentials and profile settings
• ME – Mobile Equipment – UE without UICC / USIM
• UICC – Universal Integrated Circuit Card – Smart Card used in UMTS and GSM
• (U)SIM – (UMTS) Subscriber Identity Module – Application in the UICC for (3G) 2G

EPS AKA

• AKA – Authentication and Key Agreement
• RAND – AKA: Random challenge
• AUTN – AKA: Authentication Token
• XRES – AKA: Expected Response
• E-AV – EPS Authentication Vector – Contains: AUTN, XRES, KASME, RAND

IDENTITY

• IMSI – International Mobile Subscriber Identity (user id)
• IMEI – International Mobile Equipment Identity (device id)
• GUTI – Globally Unique Temporary Identity– Similar to P-TMSI in UMTS but longer 

Identifiers 

GUTI : ID which uniquely identifies a UE in EPS without revealing the users permanent ID. GUTI is allocated by a MME which can be used to

•   Uniquely identify the MME which allocated the GUTI
•   Uniquely identify the UE within the MME that allocated the GUTI

GUTI = GUMMEI + M-TMSI

Where
GUMMEI
GUMMEI: Globally unique MME Identifier which is used to identify a MME uniquely

GUMMEI = MCC+MNC+MME Identifier

MME Identifier(MMEI) = MME Group ID(MMEGI)+MME Code(MMEC)

The MMEC provides a unique identity to an MME within the MME pool, 
while the MMEGI isused to distinguish between different MME pools.

TMSI:

  The TMSI is a temporary number used instead of the IMSI to identify an MS. (8 digits)

  Mapping of the TMSI to the IMSI is done by the network and is typically handled by the VLR

Note:

IMSI is sent only when necessary, for example

•   when the SIM is used for the first time
•   when there is data loss at VLR

TAI: Tracking Area Identity

IMSI <=15 digits

The Serving Network identity i.e. MCC + MNC

Network Type : E-UTRAN

Similar to UMTS AKA, EPS AKA is also based on the shared key K between USIM and the networks.

Steps involved

1.Identity Request

2.AKA Procedure

3.Key Derivation

 

LTE:Key Derivation in EPS

Key Derivation in EPS

KDF= (derived key of length kLen) <-- (secret value, [OtherInfo])

KDF= HMAC-SHA-256 (Key, S)

Where S= FC || P0 || L0 || P1 || L1 || P2 || L2 || P3 || L3 ||... || Pn || Ln

FC=0x10-0x1F

Eg.,

K_ASME

S= FC || P0 || L0 || P1 || L1

Where

FC=0x10,
P0=SN id/PLMN ID (viz., MCC+MNC),
L0=length of SN id =0x00 0x03,
P1=SQN xor AK,
L1=length of SQN xor AK=0x00 0x06

Key=CK||IK

Key Hierarchy

Includes following keys: K_eNB, K_NASint, K_NASenc, K_UPenc, K_RRCint and K_RRCenc

_{==================================================================}

KDF = Key Derivation Function, a one way hash function (SHA256)

• K_ASME = KDF(CK, IK, PLMN Id, SQN xor AK) ->256 bit[FC=0x10,Kin=CK||IK)

• K_eNB = KDF(K_ASME, NAS-UL COUNT) ->256 bit[FC=0x11,Kin= K_ASME]

• NAS Keys->128 bit

– K_NASInt = KDF(K_ASME, NAS-int-alg, algorithm-id)

– K_NASEnc = KDF(K_ASME, NAS-enc-alg, algorithm-id)

• AS Keys->128 bit

– K_RRCInt = KDF(K_eNB, RRC-int-alg, algorithm-id)

– K_RRCEnc = KDF(K_eNB, RRC-enc-alg, algorithm-id)

-K_UPEnc = KDF(K_eNB, UP-enc-alg, algorithm-id)

Note:

Sequence Number (SQN) and the Anonymity Key (AK) is sent to the UE as a part of the Authentication Token (AUTN)

Key	FC	Kin	Length
KASME	0x10	CK||IK	256
KeNB	0x11	KASME	256
NH	0x12	KASME	256
KeNB*	0x13	NH or KeNB	256
NAS,RRC	0x15	KASME or KeNB	128

LTE Throughput Calculation

From the 3gpp specification:

1 Radio Frame = 10 Sub-frame

1 Sub-frame = 2 Time-slots

1 Time-slot = 0.5 ms (i.e1 Sub-frame = 1 ms)

1 Time-slot = 7 Modulation Symbols (when normal CP length is used)

1 Modulation Symbols = 6 bits; if 64 QAM is used as modulation scheme

Radio resource is managed in LTE as resource grid…..

1 Resource Block (RB) = 12 Sub-carriers

Assume 20 MHz channel bandwidth (100 RBs), normal CP

Therefore,

number of bits in a sub-frame  = 100RBs x 12 sub-carriers x 2 slots x 7 modulation symbols x 6 bits
                                         = 100800 bits

Hence, data rate = 100800  bits / 1 ms = 100.8 Mbps

•  If 4x4 MIMO is used, then the peak data rate would be 4 x 100.8 Mbps = 403 Mbps.
•  If 3/4 coding is used to protect the data, we still get 0.75 x 403 Mbps = 302 Mbps as data rate.

Open Source 3GPP

Seagull: an Open Source Multi-protocol traffic generator

http://gull.sourceforge.net/

RADIUS
http://openradius.sourceforge.net/
IMS:
http://www.openimscore.org/
SGSN:
http://openbsc.osmocom.org/trac/wiki/osmo-sgsn
ASN1 to C/C++
http://lionet.info/asn1c/blog/
GGSN:
http://sourceforge.net/projects/ggsn/
S11:
http://code.google.com/p/s11interface/

OMNeT++ Network Simulation Framework

http://www.omnetpp.org/