What are some basic facts on 4G?
- Evolved Packet System (EPS)
- Evolved Packet Core (EPC)
- Multiple radio access networks
- E-UTRAN
- UTRAN, GERAN
- non-3GPP standards (e.g. WLAN)
- EPC a.k.a System Architecture Evolution (SAE)
- Connected to all-IP network
- E-UTRAN a.k.a Long-Term Evolution (LTE)
- 277 Mbit/s downlink, 75 Mbit/s uplink
What are the components of a 4G network?
- ME/ USIM
- eNodeB in eUTRAN
- Mobility Management Entity (MME)
- Serving GPRS Support Node (SGSN)
- Serving Gateway (S-GW)
- Home Subscriber Server (HSS)
- Packet Network Gateway (P-GW)
- AuC
What are the tasks of the HSS and MME?
HSS:
- HLR
- Transport authentication and authorization information
MME:
- VLR / UE paging
- Authentication with UE
- Signalling with radio network for mobility
- P-GW and S-GW selection
- MME selection for handover
- SGSN selection for 2G/3G handover
What are the tasks of the S-GW and P-GW?
S-GW:
- Mobility anchor for inter-MME handover
- e.g. reroute traffic
P-GW:
- Per user packet filtering
- Local breakout: P-GW in serving network is used
- Home-routed: P-GW in home network is used
- UE IP allocation
What traffic types exist in a 4G network?
- Radio Resource Control (RRC)
- Control traffic between UE and eNodeB
- Non-Access Stratum (NAS)
- Control traffic between UE and MME
- User Plane (UP)
- Traffic generated by UE
What is the underlying protocol stack on the air interface for UP traffic in 4G?
- PHY
- MAC
- Radio Link Control (RLC)
- Packet Data Convergence Protocol (PDCP)
- IP
What is the protocol stack in the 4G core network for UP traffic?
- PHY
- MAC
- IP/ UDP
- GPRS Tunneling Protocol for User Traffic (GTP-U)
Which keys are used/ created in 4G and who uses them?
- Ki (UE / AuC) - for key derivation
- IK, CK (UE / HSS) - for key derivation
- K_SN (UE / MME) - for key derivaiton of the specific serving network
- K_NASenc K_NASint (UE / MME) - encryption and integrity protection of control traffic
- K_eNB (UE / eNodeB) - for key derivation of the eNodeB
- K_UPenc K_UPint - encryption and integrity protection of user plane traffic
- K_RRCenc K_RRCint - encryption and integrity protection of radio control traffic
How is 4G protected against bidding down?
NAS:
- Initial: UE indicates security capabilities
- On NAS security mode command: MME includes UE security capabilities in a integrity protected message
- If UE detects difference, drop connection
RRC / UP:
- eNodeB reveives K_eNB and UE capabilites from MME
- eNB chooses algorithms and derives keys for UP and RRC traffic
- eNB sends security mode command with chosen algorithms in integrity protected message
How are keys transferred on handovers within 4G?
Intra-MME:
- eNB derives next K_eNB from current K_eNB and cell ID and target cell downlink frequency
- new K_eNB is transferred directly between eNBs
Inter-MME:
- Current MME uses counter (NCC) and previous next hop parameter (NH) or initially K_eNB to generate new NH
- Transferred to new MME and then new eNB
- eNB uses NH and cell ID, downlink freq. to generate new K_eNB
- Key change possible with active connection (other than in 2G/3G)
How are handovers between 4G and 3G/ 2G networks?
4G to 3G:
- CK, IK derived from K_SN by MME
- Transferred to SGSN
3G to 4G:
- CK, IK transferred to MME
- K_SN derived using additional nonce
2G to 4G:
via 3G
What attacks are known against 4G?
- Location tracking (Passive / semi-passive / active)
- Cipher (ZUC cypher weak)
- DoS
- Downgrading to 2G/ 3G
- Authentication relay attack
How is passive/ semi-passive tracking attack done in 4G?
Use non-encrypted paging of eNB:
- Attacker has a sniffer in each cell of the tracking area (TA)
- Triggers paging (e.g. call or SMS)
- MME sends paging request to last eNB
- eNB broadcast unencrypted paging request with TMSI/ IMSI
- If not in cell, all eNB in TA broadcast
- UE replies with RRC connection request
Passive: Just listen to broadcast requests
Semi-passive: Trigger paging and get current cell
How is a DoS attack done in 4G?
Attach request:
- UE initiates “attach request”, which is not integrity protected
- UE indicates service capabilities
- Man in the middle attack: Change to “SMS only”
- MME will block all calls to subscriber
Network-initiated detach:
- Network-initiated detach accepted, even if integrity protection is false
How is an downgrading attack done in 4G?
TA-update:
- UE sends TA-update when moving to a new tracking area
- Attacker intercepts and replies with TAU reject (4G not supported)
- TAU-reject accepted with false integrity protection
- UE downgrades to 3G/2G
How is an authentication relay attack done in 4G?
- Attacker is man in the middle, between UE and eNB
- Relays traffic between UE and eNB
Attacks:
- Eavesdrop if traffic not encrypted
- DoS if paging is done in wrong TA
NO UE impersonation possible, due to integrity protection
-
Chapter 1- Introduction3
-
Chapter 2 - GSM19
-
Chapter 3 - UMTS18
-
Chapter 4 - LTE16
-
Chapter 5 - 5G9
-
Chapter 6 - WLAN29
-
Chapter 7 - EAP7
-
Chapter 8 - Bluetooth22
-
Chapter 9 - Example for an Algebraic Attack on a Symmetric Stream Cipher2
-
Chapter 10 - CBC Mode padding oracle4
-
Chapter 11 - Bleichenbacher and Return of the Bleichenbacher Oracle Threat1
-
Chapter 12 - Practical Problems with DH3
-
Chapter 13 - Routing Security3
