In a typical cellular system, also referred to as a wireless communications network, wireless communication devices (WCDs) (such as mobile stations and/or user equipments or user equipment units (UEs)) communicate via a Radio Access Network (RAN) to one or more core networks. The WCDs can be mobile stations or UEs such as mobile telephones (also known as “cellular” telephones), or laptops with wireless capability (e.g., with mobile termination). The UEs can be, for example, portable, pocket-held or hand-held, computer-comprised, or car-mounted mobile devices which communicate voice and/or other forms of data with a radio access network (RAN).
The radio access network covers a geographical area which is divided into cell areas, with each cell area being served by a base station, e.g., a Radio Base Station (RBS), which in some networks is also called “NodeB” or “B node” or “Evolved NodeB” or “eNodeB” or “eNB.” A cell is a geographical area where radio coverage is provided by the radio base station equipment at a base station site. Each cell is identified by an identity within the local radio area, which is broadcast in the cell. The base stations communicate over the air interface operating on radio frequencies with the user equipment units within range of the base stations.
In some versions of the radio access network, several base stations are typically connected, e.g., by landlines or microwave, to a Radio Network Controller (RNC). The radio network controller, also sometimes termed a Base Station Controller (BSC), supervises and coordinates various activities of the plural base stations connected thereto. The radio network controllers are typically connected to one or more core networks.
The Universal Mobile Telecommunications System (UMTS) is a third generation mobile communication system, which evolved from the Global System for Mobile Communications (GSM), and is intended to provide improved mobile communication services based on Wideband Code Division Multiple Access (WCDMA) access technology. UMTS Terrestrial Radio Access Network (UTRAN) is generally a radio access network using wideband code division multiple access for user equipment units (UEs). The Third Generation Partnership Project (3GPP) has undertaken to evolve further the UTRAN and GSM based radio access network technologies. Long Term Evolution (LTE) together with Evolved Packet Core (EPC) is the newest addition to the 3GPP family.
EPC and E-UTRAN Architectures:
Evolved Packet System (EPS) is the Evolved 3GPP Packet Switched Domain and includes the Evolved Packet Core (EPC) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN).
FIG. 1 is an overview of the EPC architecture. This architecture is defined in 3GPP TS 23.401, which is incorporated by reference herein in its entirety. That specification provides for a definition of the PGW (PDN Gateway), SGW (Serving Gateway), PCRF (Policy and Charging Rules Function), MME (Mobility Management Entity) and user equipment (UE). The LTE radio access network (E-UTRAN) includes one or more eNBs. In FIG. 1, a WCD such as UE 101 can access the EPC via an eNB 103. A MME node 105, SGW 111, PGW 113, PCRF node 115, and home subscriber server (HSS) 117 may facilitate communication with the UE 101.
FIG. 2 shows the overall E-UTRAN architecture and is further defined in, for example, 3GPP TS 36.300. The E-UTRAN comprises eNBs, which provide the E-UTRA user plane (e.g., PDCP/RLC/MAC/PHY) and control plane (RRC) protocol terminations towards the UE. The eNBs are interconnected with each other by means of the X2 interface. The eNBs are also connected by means of the S1 interface to the EPC (Evolved Packet Core), more specifically to a MME (Mobility Management Entity) node via the S1-MME interface and to the Serving Gateway (S-GW) by means of the S1-U interface.
FIG. 3 illustrates parts of the EPC Control Plane (CP) architecture, and FIG. 4 illustrates parts of the EPC User Plane (UP) architecture.
Existing E-UTRAN/EPC Security Mechanism
The security architecture of E-UTRAN/EPC is described in 3GPP TS 33.401 and TS 33.220, the contents of which are incorporated herein in their entirety. The E-UTRAN/EPC security architecture contains several parts:
- Authentication and Key Agreement (AKA): this may be performed when a UE is connecting to a system for the first time (initial attach), and at various other times, e.g. when re-authentication is required by the network.
- EPS key hierarchy: this may be based on permanent keys stored in the universal subscriber identity module (USIM) and authentication center (AuC), which are used during the AKA to derive session keys delivered to the Mobile Equipment (ME) part of a UE and to a MME node. The master session key may be called KASME, which is used in one or more steps to generate KeNB, KNASint, KNASenc, KUPenc, KRRCint and KRRCenc, which are keys used for ciphering and integrity protection at different layers. The hierarchy is illustrated in FIG. 6.
- Key handling mechanism for distributing and handling of the E-UTRAN session keys from the MME node to the eNB when the UE enters a connected state.
- Encryption protection (e.g. performed by UE and eNB) using the E-UTRAN session keys.
Below are some discussions from 3GPP TS 33.401 that describe some of the mechanisms of the architecture.
Evolved Packet System (EPS) Authentication and Key Agreement (AKA) procedure:
EPS AKA is the authentication and key agreement procedure used over E-UTRAN. It requires a Rel-99 or later USIM application on, e.g., a universal integrated circuit card (UICC). The EPS AKA produces key material forming a basis for user plane (UP), RRC, and NAS ciphering keys as well as RRC and NAS integrity protection keys. In this context, a UE (or other WCD) may be logically divided into a mobile equipment (ME) and the USIM.
The EPS AKA procedure is based on the MME node sending to the USIM via the Mobile Equipment (ME) a random challenge RAND and an authentication token AUTN for network authentication. RAND and AUTN may be from a selected authentication vector. The MME receives the authentication vector(s) from the HSS.
At receipt of this message, the USIM may verify the freshness of the authentication vector by checking whether AUTN can be accepted. If so, the USIM computes a response RES. USIM may also compute a Ciphering Key (CK) and an Integrity Key (IK) which are sent to the ME.
The UE (ME and USIM) may respond with a User authentication response message, which may include a value RES in case of successful AUTN verification. In this case the ME may compute KASME from CK, IK, and a serving network's identity (SN id) using a Key Derivation Function (KDF).
The MME may check that the RES equals XRES. If so, the authentication is successful. If not, depending on the type of identity used by the UE in the initial NAS message, the MME may initiate further identity requests or send an authentication reject message towards the UE.
In the EPS AKA procedure, the following keys are shared between UE and HSS:
- K is the permanent key stored on the USIM on a UICC and in the Authentication Center AuC (e.g., in the HSS/AuC).
- CK, IK is the pair of keys derived in the AuC and on the USIM during an AKA procedure.
As a result of the authentication and key agreement, key generation data for an intermediate key KASME may be shared between UE and MME. As illustrated in FIG. 5, in some instances the key generation data may include an index KSIASME (an index is used so that KASME is not transmitted). In some instances, KSIASME is not included.
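The EPS AKA exchange described above, as an added example that is not part of the patent text or of 3GPP's own specifications. The MILENAGE functions f1..f5 are replaced by an HMAC-SHA256 stand-in, the subscriber key K and serving network identity are constructed values, the SQN freshness rule is simplified to "strictly increasing", and the KASME KDF only follows the general shape of TS 33.401 Annex A (all assumptions):

```python
import hashlib
import hmac
import os

# Constructed 128-bit subscriber key K, shared by the USIM and the HSS/AuC (assumption).
K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")
SN_ID = b"262-01"  # constructed serving network identity (assumption)


def f(key, tag, *parts):
    # Hypothetical stand-in for the MILENAGE functions f1..f5: HMAC-SHA256 with a tag byte.
    return hmac.new(key, bytes([tag]) + b"".join(parts), hashlib.sha256).digest()


def hss_generate_av(sqn):
    """HSS/AuC side: build an authentication vector (RAND, AUTN, XRES, CK, IK)."""
    rand = os.urandom(16)
    mac = f(K, 1, rand, sqn)[:8]      # f1: MAC authenticating the network to the USIM
    xres = f(K, 2, rand)[:8]          # f2: expected response
    ck, ik = f(K, 3, rand)[:16], f(K, 4, rand)[:16]  # f3/f4: CK and IK
    ak = f(K, 5, rand)[:6]            # f5: anonymity key that conceals SQN
    autn = bytes(a ^ b for a, b in zip(sqn, ak)) + mac   # AUTN = (SQN xor AK) || MAC
    return rand, autn, xres, ck, ik


def usim_respond(rand, autn, highest_sqn_seen):
    """USIM side: accept AUTN only if the MAC verifies and SQN is fresh; return (RES, CK, IK)."""
    ak = f(K, 5, rand)[:6]
    sqn = bytes(a ^ b for a, b in zip(autn[:6], ak))
    if not hmac.compare_digest(f(K, 1, rand, sqn)[:8], autn[6:]):
        return None   # MAC failure: the challenge did not come from a party holding K
    if sqn <= highest_sqn_seen:
        return None   # SQN not increasing: a replayed vector (simplified freshness rule)
    return f(K, 2, rand)[:8], f(K, 3, rand)[:16], f(K, 4, rand)[:16]


def derive_kasme(ck, ik, sn_id):
    # Shape of the TS 33.401 Annex A KDF: HMAC-SHA256 keyed with CK||IK over FC || SN id || length
    # (the FC value and the omitted SQN xor AK parameter are simplifications; assumption).
    return hmac.new(ck + ik, b"\x10" + sn_id + len(sn_id).to_bytes(2, "big"), hashlib.sha256).digest()


def run_eps_aka(sqn=bytes(5) + b"\x01", ue_sqn=bytes(6)):
    """Drive one EPS AKA run; return (mme_accepts, ue_kasme, mme_kasme)."""
    rand, autn, xres, ck, ik = hss_generate_av(sqn)   # HSS -> MME: authentication vector
    reply = usim_respond(rand, autn, ue_sqn)          # MME -> ME -> USIM: RAND, AUTN
    if reply is None:
        return False, None, None                      # UE rejects: no RES is sent
    res, ue_ck, ue_ik = reply                         # USIM -> ME: RES, CK, IK
    mme_ok = hmac.compare_digest(res, xres)           # MME checks RES == XRES
    return mme_ok, derive_kasme(ue_ck, ue_ik, SN_ID), derive_kasme(ck, ik, SN_ID)
```

A successful run leaves both sides with the same KASME without it ever being transmitted; a replayed vector or a tampered AUTN is rejected by the USIM before any RES is returned.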
EPS Key Hierarchy:
The key hierarchy, as illustrated in FIG. 6, includes the following keys: KeNB, KNASint, KNASenc, KUPenc, KRRCint, KRRCenc and KUPint. Below is a discussion of the derivation of the various keys:
KeNB is a key derived by ME and MME node from KASME or by ME and target eNB (e.g., during handover from source eNB to target eNB).
Keys for NAS Traffic:
- KNASint is a key, which shall only be used for the protection of NAS traffic with a particular integrity algorithm. This key is derived by ME and MME from KASME.
- KNASenc is a key, which shall only be used for the protection of NAS traffic with a particular encryption algorithm. This key is derived by ME and MME from KASME.
Keys for UP Traffic:
- KUPenc is a key, which shall only be used for the protection of UP traffic with a particular encryption algorithm. This key is derived by ME and eNB from KeNB.
- KUPint is a key, which shall only be used for the protection of UP traffic between RN and DeNB with a particular integrity algorithm. This key is derived by RN and DeNB from KeNB.
Keys for RRC Traffic:
- KRRCint is a key, which shall only be used for the protection of RRC traffic with a particular integrity algorithm. KRRCint is derived by ME and eNB from KeNB.
- KRRCenc is a key, which shall only be used for the protection of RRC traffic with a particular encryption algorithm. KRRCenc is derived by ME and eNB from KeNB.
Key Distribution and Handling:
FIG. 7 describes how the session keys are distributed and handled in EPC and E-UTRAN. The HSS receives the CK, IK from HSS/AuC, derives the KASME, which is sent to the MME. The MME derives the keys used for NAS protection (KNASenc, KNASint) from the KASME as well as the KeNB sent down to the eNB. KeNB is sent to the eNB when the UE enters E-UTRAN connected mode (RRC connected). The eNB derives the RRC encryption and integrity protection keys (KRRCenc and KRRCint) as well as the user plane encryption key KUPenc. KUPint is only used for Relay Nodes and is not discussed further.
On the terminal side all of these steps are performed internally in the UE (or other WCD). The E-UTRAN session keys (KRRCenc, KRRCint and KUPenc) are activated during the RRC Security Mode Command procedures.
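The key hierarchy and its distribution across MME, eNB and UE, as an added example that is not part of the patent text or of 3GPP's own specifications. The KDF follows the general shape of TS 33.401 Annex A (HMAC-SHA256 over FC and length-prefixed parameters), but the FC values, the algorithm identity and the input KASME are assumptions; the point shown is which node can derive which keys, and that the UE and the network arrive at the same keys:

```python
import hashlib
import hmac

# Algorithm type distinguishers for the per-algorithm keys (TS 33.401 Annex A.7) and a
# constructed algorithm identity value used as the second KDF parameter (assumption).
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 0x01, 0x02, 0x03, 0x04, 0x05
ALG_ID = 0x01


def kdf(key, fc, *params):
    """KDF in the shape of TS 33.401 Annex A: HMAC-SHA256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kenb(kasme, ul_nas_count):
    # KeNB is bound to the uplink NAS COUNT, so a fresh count gives a fresh KeNB (FC value: assumption).
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent, alg_type, alg_id=ALG_ID):
    # Per-algorithm keys are the 128 least significant bits of the KDF output.
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def mme_keys(kasme, ul_nas_count):
    """Keys the MME derives from KASME; only KeNB is passed on to the eNB."""
    return {"KNASenc": derive_alg_key(kasme, NAS_ENC),
            "KNASint": derive_alg_key(kasme, NAS_INT),
            "KeNB": derive_kenb(kasme, ul_nas_count)}


def enb_keys(kenb):
    """Keys the eNB derives from KeNB alone; it never holds KASME or the NAS keys."""
    return {"KRRCenc": derive_alg_key(kenb, RRC_ENC),
            "KRRCint": derive_alg_key(kenb, RRC_INT),
            "KUPenc": derive_alg_key(kenb, UP_ENC)}


def ue_keys(kasme, ul_nas_count):
    """The UE runs both steps internally from its own copy of KASME."""
    keys = mme_keys(kasme, ul_nas_count)
    keys.update(enb_keys(keys["KeNB"]))
    return keys


def keys_agree(kasme, ul_nas_count):
    """Check that UE and network end up with identical session keys at every layer."""
    mme = mme_keys(kasme, ul_nas_count)                 # MME holds KASME, NAS keys, KeNB
    network = {**mme, **enb_keys(mme["KeNB"])}          # eNB adds AS keys from the delivered KeNB
    return ue_keys(kasme, ul_nas_count) == network
```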
Encryption of user plane data and control plane signaling in EUTRAN and UE:
FIG. 8 illustrates the encryption and decryption procedure performed in the E-UTRAN and the UE. The procedure includes a sender (e.g., E-UTRAN sending downlink data, or UE sending uplink data) encrypting the data by bit-wise XORing a keystream block with the data block of the same length. The keystream block is generated by an encryption algorithm which takes an encryption key and a unique sequence number for the data block. If the data is RRC signalling, KRRCenc is used. If it is user plane data, KUPenc is used as key. In the receiver (E-UTRAN receiving uplink data, or UE receiving downlink data), the same procedure is performed using the same key and sequence number. Using bitwise XOR twice with the same keystream will again generate the plaintext data.
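The keystream XOR procedure of FIG. 8, as an added example that is not part of the patent text. The real EEA algorithms are replaced by a hypothetical HMAC-SHA256 counter-mode keystream over the per-packet inputs COUNT, BEARER and DIRECTION that TS 33.401 feeds to the encryption algorithm (assumption), and the final function shows the check a practitioner cares about: why the sequence number must be unique for a given key:

```python
import hashlib
import hmac


def keystream(key, count, bearer, direction, length):
    """Hypothetical keystream generator standing in for the real EEA algorithms (assumption):
    HMAC-SHA256 in counter mode over the per-packet inputs COUNT, BEARER and DIRECTION."""
    out = b""
    block = 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + bytes([bearer, direction]) + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cipher(key, count, bearer, direction, data):
    """Sender and receiver run the same function: XOR with a keystream block of the data's length.
    Applying it twice with the same key and sequence number restores the plaintext."""
    return xor_bytes(data, keystream(key, count, bearer, direction, len(data)))


def round_trip(key, count, bearer, direction, plaintext):
    """eNB (or UE) encrypts; the peer decrypts with the same key, COUNT, BEARER and DIRECTION."""
    ciphertext = cipher(key, count, bearer, direction, plaintext)
    return cipher(key, count, bearer, direction, ciphertext)


def count_reuse_leaks(key, count, bearer, direction, p1, p2):
    """Why the sequence number must never repeat under one key: with the same keystream,
    c1 XOR c2 equals p1 XOR p2, so the cipher no longer hides the relation between packets.
    Returns True when the leak is observable, i.e. when COUNT was reused."""
    c1 = cipher(key, count, bearer, direction, p1)
    c2 = cipher(key, count, bearer, direction, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)
```

This is why the key hierarchy rekeys KeNB (and thus KRRCenc and KUPenc) before the sequence number space for a key is exhausted.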