The 3GPP-defined telecommunications system LTE provides communication services to User Equipment (UE) and other types of Wireless Communication Devices (WCDs). The LTE architecture includes a Mobility Management Entity (MME), which is responsible for control signaling, and an SAE Gateway (SAE-GW), which is responsible for the user data. The SAE-GW comprises two different parts, namely a Serving Gateway (S-GW) that routes user data packets and a Packet Data Network (PDN) Gateway that provides connectivity between a WCD and an external data network. All these nodes are interconnected by an Internet Protocol (IP) network. Further nodes are the eNodeBs (eNBs), which act as base stations in the LTE network and communicate with the WCD. There are three major interfaces between these node types: S1-MME (between the eNB and the MME), S1-U (between the eNB and the S-GW) and X2 (between two eNBs). The control protocols used on these interfaces are S1AP (S1 Application Protocol) on S1-MME and X2AP (X2 Application Protocol) on X2; S1-U carries the user data itself (in GTP-U tunnels). All these protocols and interfaces are IP-based. In addition, the network may contain other nodes that are part of the above interfaces, for example a Home eNB Gateway (HeNB GW) between a Home eNB and the rest of the nodes in the network. The MME is typically located in the core network and the eNBs in the radio access network. An illustration of a simplified LTE network is given in FIG. 11.
The LTE system provides confidentiality and integrity protection for data transmitted between the network and a WCD. These security services are provided by the use of encryption and integrity protection algorithms, jointly referred to hereinafter as security algorithms. For encryption and integrity protection to work in LTE, the network and the WCD must use the same security algorithms to process the data. On the network side, the processing using the security algorithms is carried out by the MMEs and the eNBs.
Integrity protection is a mechanism that ensures that the receiver of a message can verify that the received message is exactly the message that the transmitter sent. In addition, in a two-party security protocol (as used in LTE), the receiver further gets a guarantee that the message originates from the claimed transmitter. This property is achieved by using an integrity checksum computed over the message with a key that both the sender and the receiver have access to, so that an adversary without the key cannot produce a valid checksum for a modified message. The mechanism guards against “man in the middle” attacks where the sender's messages are intercepted by an adversary and a modified message is relayed to the receiver.
Encryption is a mechanism providing confidentiality for transmitted data. The sender encrypts the data with a secret key that is only known to the sender and receiver. Because of this, only the receiver is able to decrypt the message. The mechanism guards against adversaries obtaining the data in clear text even when they are able to intercept the transmission.
LTE divides the network into two strata, the Access Stratum (AS) and the Non-Access Stratum (NAS). Each stratum enjoys integrity and confidentiality protection individually. The control protocol for NAS is referred to as the NAS protocol and it is run between the WCD and the MME. The control protocol for AS is called Radio Resource Control (RRC) protocol and runs between the WCD and the eNB. The user plane traffic is also confidentiality protected in AS between the WCD and the eNB. The user plane is further protected by the transport network security when it traverses the backhaul network between the eNB and the core network.
To provide the different encryption and integrity protection functions, LTE uses a key hierarchy as illustrated in FIG. 2. Keys in the hierarchy are derived from other keys closer to the root of the hierarchy or from keys at the same level. At the top of the hierarchy is the key stored in the USIM in the WCD. A copy of the same key is stored in the Home Subscriber Server (HSS) in the network. This key is the basis for the Authentication and Key Agreement (AKA) procedure that the MME and the WCD run to achieve mutual authentication and establish the root session key KASME. Mutual authentication is a procedure by which the WCD and the MME gain assurance that each entity really is who it claims to be. From the KASME, the WCD and the MME derive keys for protecting NAS (KNASenc and KNASint) and a base key for the AS security, called the KeNB. The MME then securely transfers the KeNB to the eNB.
The eNB and the WCD can then derive the keys for AS protection from the KeNB: KRRCenc and KRRCint for protection of the RRC protocol, and KUPenc for protection of the user plane.
LTE allows WCDs to move between base stations, and there are principally two sets of mobility procedures, considered both in the current 3GPP Long Term Evolution (LTE) standard and in the ongoing 5G discussions.
The first one is denoted ‘Idle Mode Mobility’ and defines how a WCD which is deemed ‘Idle’, i.e. a WCD which has neither ongoing nor recent data transfer, shall be able to reach the network using random access procedures, and how it is reachable from the network by means of paging procedures etc.
The other one is ‘Active Mode Mobility’, which has the main task of maintaining the connectivity for an ‘Active’ or ‘Connected’ WCD, i.e. a WCD which actually has an ongoing or recent data transfer, as it moves around in the network, and also to handle abnormal cases such as failed handovers, radio link failures etc.
As an example of signaling in a handover procedure, an X2-based handover procedure for an LTE system where the network functions are anchored in the same Mobility Management Entity (MME) and Serving Gateway (S-GW) is illustrated in FIG. 1. The figure is taken from 3GPP TS 36.300 “E-UTRA(N) Overall Description; Stage 2” version: V12.4.0 (2014-12), and gives a general overview of the actions involved in a handover procedure.
An eNB serving an active WCD may detect that another eNB is better suited to serve the active WCD, for example because of better radio conditions. The serving eNB, also denoted source eNB in handover situations, may then hand over the WCD to the other eNB, which is typically referred to as a target eNB. There are two different procedures for performing a handover. The first procedure is a core network assisted handover that is called S1 handover (S1-HO). The second procedure is a handover without core network assistance called X2 handover (X2-HO). The names come from the primary network interfaces, S1 and X2, used during the execution of the handovers.
Regardless of whether it is an S1 or X2 handover, there are two necessary functions that the handover signaling needs to achieve when it comes to security. The first function is to transfer at least keying material and security capabilities supported by the WCD from the source eNB to the target eNB. The term security capabilities should here be understood to comprise encryption algorithms and integrity protection algorithms. The second function is for the target eNB to select which encryption and integrity algorithms to use with the WCD, and signal the choice to the WCD.
S1 Handover: In an S1 handover, the source eNB and the target eNB are not directly connected. Instead, the source eNB sends a handover required message to the MME containing the security capabilities of the WCD. The MME then derives the so-called Next Hop key (NH) and sends it to the target eNB, together with the WCD's security capabilities, in a handover request. The target eNB uses the NH key to derive its base key KeNB for communication with the WCD, and returns a handover request acknowledge containing the chosen algorithms, which the MME forwards to the source eNB as a handover command. Finally, the source eNB forwards the command to the WCD, which replies to the target eNB with a handover complete message.
X2 Handover: An X2 handover can be performed after the WCD has completed all necessary procedures to activate RRC and NAS security. An X2 handover is initiated by the source eNB calculating a so-called KeNB* key from the currently active KeNB key shared between the source eNB and the WCD (or, if the source eNB holds an unused NH key from an earlier handover, from that NH key), and sending it together with the WCD security capabilities to the target eNB in a handover request message. The target eNB replies with the required configuration information for the WCD connection, including the chosen algorithms that the target eNB and the WCD shall use for communication. The source eNB then forwards the reply to the WCD, which confirms the handover with a completion message to the target eNB. In the last step, the target eNB retrieves a new key called the Next Hop key, NH, from the MME during the path switch that moves the S1 connection to the target eNB. The NH key, which is derived from the KASME key, is to be used as a basis for the KeNB* calculation in the next handover event, e.g. as described in 3GPP TS 33.401 “3GPP System Architecture Evolution (SAE); Security architecture”, version 12.14.0 (2015-03).
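The key hierarchy of FIG. 2 and the handover key chaining described above, as an added worked example in Python (not code from the patent or from 3GPP): a generic 3GPP KDF, the KeNB, NH, KeNB* and algorithm-key derivations, and a toy MME/eNB/WCD model that performs two X2 handovers, one horizontal (from the active KeNB) and one vertical (from the NH received at path switch), and checks that the WCD and the target eNB end up with the same RRC integrity key. The FC values and field lengths are transcribed from TS 33.401 Annex A from memory and should be checked against the cited version; the class names, the algorithm identifiers and all keys are constructed for the example, and the NCC bookkeeping is simplified to one chain step per path switch.

```python
"""Toy model of the LTE key hierarchy and X2 handover key chaining (added example).

Derivations follow 3GPP TS 33.401 Annex A (generic KDF from TS 33.220 Annex B);
FC values and lengths are transcribed from memory. Keys are constructed test
values, and NCC handling is simplified to one chain step per path switch.
"""
import hashlib
import hmac


def kdf(key, fc, *params):
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


# A.7 algorithm type distinguishers (NAS-enc, NAS-int, RRC-enc, RRC-int, UP-enc).
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 1, 2, 3, 4, 5


def derive_kenb(kasme, ul_nas_count):
    """A.3: KeNB from KASME and the 4-byte uplink NAS COUNT."""
    return kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_nh(kasme, sync_input):
    """A.4: NH from KASME; SYNC-input is KeNB for the first NH, the previous NH after that."""
    return kdf(kasme, 0x12, sync_input)


def derive_kenb_star(base, pci, earfcn_dl):
    """A.5: KeNB* from KeNB (horizontal) or an unused NH (vertical) plus the target cell."""
    return kdf(base, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(3, "big"))


def derive_alg_key(key, alg_type, alg_id):
    """A.7: 128-bit algorithm key = the 128 least significant bits of the KDF output."""
    return kdf(key, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def select_algorithm(enb_priority, ue_capabilities):
    """Target eNB picks its highest-priority algorithm among those the WCD reports."""
    for alg in enb_priority:
        if alg in ue_capabilities:
            return alg
    raise ValueError("no algorithm common to eNB policy and WCD capabilities")


class Mme:
    def __init__(self, kasme, kenb):
        self.kasme, self.nh, self.ncc = kasme, kenb, 0

    def path_switch(self):
        """Advance the {NH, NCC} chain; the fresh pair goes to the new serving eNB."""
        self.nh, self.ncc = derive_nh(self.kasme, self.nh), self.ncc + 1
        return self.nh, self.ncc


class Ue:
    def __init__(self, kasme, kenb):
        self.kasme, self.kenb, self.nh, self.ncc = kasme, kenb, kenb, 0

    def handover(self, ncc, pci, earfcn_dl):
        """Handover command: horizontal if NCC is unchanged, else catch the NH chain up first."""
        if ncc < self.ncc:
            raise ValueError("NCC went backwards: stale or replayed handover command")
        if ncc == self.ncc:
            base = self.kenb
        else:
            while self.ncc < ncc:
                self.nh, self.ncc = derive_nh(self.kasme, self.nh), self.ncc + 1
            base = self.nh
        self.kenb = derive_kenb_star(base, pci, earfcn_dl)
        return self.kenb


class Enb:
    def __init__(self, pci, earfcn_dl, int_priority):
        self.pci, self.earfcn_dl, self.int_priority = pci, earfcn_dl, int_priority
        self.kenb, self.ncc, self.unused_nh = None, 0, None

    def prepare_handover(self, target):
        """Source side: vertical derivation when an unused NH is held, otherwise horizontal."""
        if self.unused_nh:
            nh, ncc = self.unused_nh
            return derive_kenb_star(nh, target.pci, target.earfcn_dl), ncc
        return derive_kenb_star(self.kenb, target.pci, target.earfcn_dl), self.ncc

    def accept_handover(self, kenb_star, ncc, ue_capabilities):
        """Target side: adopt KeNB* as KeNB and choose the RRC integrity algorithm."""
        self.kenb, self.ncc, self.unused_nh = kenb_star, ncc, None
        return select_algorithm(self.int_priority, ue_capabilities)


def x2_handover(ue, source, target, mme, ue_capabilities):
    """One X2 handover; returns both sides' RRC integrity keys, the chosen algorithm and NCC."""
    kenb_star, ncc = source.prepare_handover(target)               # HO request: KeNB*, NCC, capabilities
    alg = target.accept_handover(kenb_star, ncc, ue_capabilities)  # HO request ack: chosen algorithms
    ue.handover(ncc, target.pci, target.earfcn_dl)                 # HO command via source: NCC, algorithms
    target.unused_nh = mme.path_switch()                           # path switch ack: fresh {NH, NCC}
    return (derive_alg_key(ue.kenb, RRC_INT, alg),
            derive_alg_key(target.kenb, RRC_INT, alg), alg, ncc)


def demo():
    kasme = hashlib.sha256(b"constructed KASME, not a real key").digest()
    kenb = derive_kenb(kasme, ul_nas_count=7)
    ue, mme = Ue(kasme, kenb), Mme(kasme, kenb)
    enb_a, enb_b, enb_c = Enb(101, 1300, [2, 1]), Enb(202, 1300, [1, 2]), Enb(303, 3050, [2])
    enb_a.kenb = kenb                     # initial context setup: KeNB with NCC 0, no NH held yet
    caps = {1, 2}                         # constructed WCD capabilities: EIA1 and EIA2
    first = x2_handover(ue, enb_a, enb_b, mme, caps)    # horizontal: source holds no unused NH
    second = x2_handover(ue, enb_b, enb_c, mme, caps)   # vertical: uses NH received at path switch
    return first, second


if __name__ == "__main__":
    for ho in demo():
        print("keys agree:", ho[0] == ho[1], "alg EIA%d" % ho[2], "NCC", ho[3])
```

The two properties worth checking in a real implementation are the ones the model makes visible: the WCD must derive the same KeNB* as the target whether the source chose a horizontal or a vertical derivation (the NCC in the handover command is what tells it which), and a command whose NCC is lower than the WCD's current value must be rejected rather than silently re-keyed from an old NH.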
The backhaul network supporting the X2 and S1 interfaces can be considered either trusted or untrusted. A backhaul network can for example be considered trusted if access to the physical locations of the network components is restricted and controlled. For an untrusted network, it is mandatory to implement an additional security layer, typically secure tunnels (IPsec, as specified for network domain security in 3GPP TS 33.210) that encapsulate the X2 and S1 traffic.