EPS is a successor technology of UMTS (Universal Mobile Telecommunications System). Security aspects of EPS depend on whether an access network is a 3GPP-defined access network, e.g. GERAN (GSM (Global System for Mobile communication) EDGE (Enhanced Data rates for Global Evolution) Radio Access Network), UTRAN (UMTS Terrestrial Radio Access Network), E-UTRAN (evolved UTRAN), or a non-3GPP access network, e.g. evolved HRPD (High Rate Packet Data) as defined by 3GPP2 (Third Generation Partnership Project 2), WiMAX (Worldwide Interoperability for Microwave Access) as defined by IEEE (Institute of Electrical and Electronics Engineers) and the WiMAX Forum.
In case the access network is E-UTRAN (also known as LTE (Long Term Evolution)), i.e. a 3GPP-defined access network, a serving network authentication means that a User Equipment (UE) is ensured to communicate with a Mobility Management Entity (MME) in a particular serving network. This is a security feature not known in UMTS.
To prevent an attacker from circumventing this security feature, an additional feature called cryptographic network separation is required. In the following, some more background information is given so that this additional feature can be explained.
In UMTS and in EPS alike, an authentication vector is a collection of parameters which contains, among others, the cryptographic keys CK, IK and a so-called AMF (Authentication Management Field) separation bit. When an attacker knows the keys CK, IK, he can impersonate a serving network entity. The keys CK, IK are available in UMTS serving networks in the entities SGSN (Serving GPRS (General Packet Radio Service) Support Node) and RNC (Radio Network Controller). Therefore, any compromise of an SGSN or RNC in one UMTS serving network allows an attacker to impersonate another UMTS serving network entity.
EPS users are equipped with a UICC (UMTS Integrated Circuit Card) with a USIM (User Services Identity Module) application for security purposes. User records are held in an HSS (Home Subscriber Server).
Cryptographic network separation of a user's security data as specified for EPS rests on the particular handling of the Authentication Management Field (AMF), which is part of the AV (Authentication Vector), in the HSS and in a Mobile Equipment (ME). The ME is a User Equipment (UE) without the UICC.
Security procedures between the UE and the EPC (Evolved Packet Core) network elements, namely the ASME (Access Security Management Entity) and the HSS including the Authentication Centre, comprise an Authentication and Key Agreement (AKA) procedure. The EPS AKA produces keys that form the basis for user plane and control plane protection (ciphering, integrity). EPS AKA is based on the following long term keys shared between UE and HSS:
- K is the permanent key stored on the USIM (User Services Identity Module) and in the Authentication Centre AuC;
- CK, IK is the pair of keys derived in the AuC and on the USIM during an AKA run.
As a result of the authentication and key agreement, an intermediate key K_ASME is generated which is shared between UE and ASME. For E-UTRAN access networks, the ASME is the MME.
The purpose of this procedure is to provide an MME (Mobility Management Entity) with one or more MME security contexts (e.g. K_ASME) including a fresh authentication vector from the user's HSS to perform a number of user authentications.
An MME security context is derived from the authentication vector. To derive the key K_ASME in the HSS, a Key Derivation Function is used which contains input parameters CK, IK and SN (serving network) identity.
EPS introduces cryptographic network separation for the case of E-UTRAN access networks by using the AMF separation bit. This feature makes it impossible for an attacker to steal keys CK, IK from an entity in one serving network, with either UTRAN or E-UTRAN access networks, and use them to impersonate another serving network when the UE is using E-UTRAN access. This feature ensures by cryptographic means that a security breach in one network does not affect another network, hence the name “cryptographic network separation”.
In the context of E-UTRAN access to EPS, cryptographic network separation is achieved in the following way:
- a Home Subscriber Server (HSS) uses only authentication vectors with AMF separation bit=1 for E-UTRAN access networks;
- the HSS uses only authentication vectors with AMF separation bit=0 for UTRAN access networks;
- when an access is made via E-UTRAN, the HSS does not send CK, IK to another entity outside the HSS, but sends a key derived from CK, IK and a serving network identity to the MME in the serving network; and
- a UE accepts only authentication vectors with AMF separation bit=1 for E-UTRAN access networks.
In the context of non-3GPP access networks, for subscriber authentication, a protocol EAP-AKA (Extensible Authentication Protocol for Authentication and Key Agreement) is used. EAP-AKA is terminated in a 3GPP AAA (Access, Authorization, and Accounting) server, which always resides in a home network. The 3GPP AAA server obtains the keys CK, IK from an HSS (Home Subscriber Server). The keys CK, IK then remain in the 3GPP AAA server, which resides in the home network. Therefore, stealing of CK, IK is not the problem here. However, the 3GPP AAA server produces a Master Session Key (MSK) from CK, IK and then sends the MSK to an authenticator which is an entity controlling an access from a user equipment. In the context of non-3GPP access to EPS, the authenticator can be an entity in a non-3GPP access network in the case of so-called trusted access, or the authenticator can be an evolved Packet Data Gateway (ePDG) in a 3GPP EPS network in the case of so-called untrusted access.
The problem is that the authenticator may be compromised and may use the MSK to impersonate another authenticator in a different network. For example, a WLAN (Wireless Local Area Network) access point from a 3G-WLAN interworking system may obtain an MSK and then impersonate an ePDG in an EPS network or an authenticator in an eHRPD network. This would make the security of an EPS network dependent on that of the WLAN access point. But the latter may enjoy quite low physical security and may reside in an exposed location. Furthermore, the backhaul link from this WLAN access point may be weakly protected. This dependency of EPS security on WLAN security is therefore highly undesirable.
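The following is an added worked example, not part of the original text, illustrating the two key-handling situations described above: the E-UTRAN case, where the HSS binds the key released to the MME to the serving network identity and the AMF separation bit tells the UE which kind of authentication vector it is looking at, and the non-3GPP EAP-AKA case, where the master key from which the MSK is expanded has no authenticator or access network identity among its inputs. The KDF layout (HMAC-SHA-256 over FC || P0 || L0 || P1 || L1, FC = 0x10, P1 = SQN xor AK, modelled on TS 33.220 Annex B and TS 33.401 Annex A.2), the 3-octet PLMN coding of the SN id, the position of the separation bit as the first bit of a 16-bit AMF, and the RFC 4187 formula MK = SHA1(Identity | IK | CK) are assumptions drawn from those specifications rather than from the text; all key material and identities are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample material (not real subscriber data): the 128-bit keys CK, IK
# produced by one AKA run, and the 48-bit SQN xor AK value carried in AUTN.
CK = bytes.fromhex("0123456789abcdef0123456789abcdef")
IK = bytes.fromhex("fedcba9876543210fedcba9876543210")
SQN_XOR_AK = bytes.fromhex("000102030405")


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (assumption, modelled on TS 33.220 Annex B).

    HMAC-SHA-256 keyed with `key` over FC || P0 || L0 || P1 || L1 ..., where each
    Li is the 2-octet big-endian length of Pi.
    """
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def sn_id(mcc: str, mnc: str) -> bytes:
    """Encode a PLMN identity (MCC, MNC) as the 3-octet SN id (assumption: TS 24.301 coding).

    Octet 1: MCC digit 2 | MCC digit 1; octet 2: MNC digit 3 (0xF for a 2-digit MNC) | MCC digit 3;
    octet 3: MNC digit 2 | MNC digit 1. Each digit is a nibble, lower-numbered digit in the low nibble.
    """
    mnc3 = int(mnc[2]) if len(mnc) == 3 else 0xF
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc[:2]]
    return bytes([(m[1] << 4) | m[0], (mnc3 << 4) | m[2], (n[1] << 4) | n[0]])


def k_asme(ck: bytes, ik: bytes, sn: bytes, sqn_xor_ak: bytes) -> bytes:
    """HSS-side derivation of K_ASME from CK, IK and the serving network identity.

    Assumption (TS 33.401 Annex A.2): FC = 0x10, P0 = SN id, P1 = SQN xor AK, key = CK || IK.
    Because the SN id is a KDF input, the result is bound to exactly one serving network.
    """
    return kdf(ck + ik, 0x10, sn, sqn_xor_ak)


# Assumption: the AMF is 16 bits and the separation bit is its first (most significant) bit.
AMF_SEPARATION_BIT = 0x8000


def hss_amf(access: str, operator_bits: int = 0) -> int:
    """HSS rule from the text: separation bit = 1 for E-UTRAN AVs, 0 for UTRAN AVs."""
    operator_bits &= 0x7FFF  # the remaining bits stay available for operator use
    if access == "E-UTRAN":
        return operator_bits | AMF_SEPARATION_BIT
    if access == "UTRAN":
        return operator_bits
    raise ValueError(f"unknown 3GPP access type: {access}")


def ue_accepts(access: str, amf: int) -> bool:
    """UE rule from the text: over E-UTRAN, accept only AVs whose separation bit is 1.

    The text states no UE rule for other access types, so they are not restricted here.
    """
    if access == "E-UTRAN":
        return bool(amf & AMF_SEPARATION_BIT)
    return True


def hss_material_for_mme(ck: bytes, ik: bytes, sn: bytes, sqn_xor_ak: bytes) -> dict:
    """What the HSS releases for an E-UTRAN access: the SN-bound K_ASME and AMF, never CK, IK."""
    return {"k_asme": k_asme(ck, ik, sn, sqn_xor_ak), "amf": hss_amf("E-UTRAN")}


def eap_aka_mk(identity: bytes, ik: bytes, ck: bytes) -> bytes:
    """EAP-AKA master key (assumption: RFC 4187 section 7): MK = SHA1(Identity | IK | CK).

    The MSK is expanded from MK by a PRF with no further inputs, so neither an authenticator
    nor an access network identity is bound into it; the same MSK fits any authenticator.
    """
    return hashlib.sha1(identity + ik + ck).digest()


def demo() -> dict:
    """Contrast the two cases; returns named checks so they can be asserted on."""
    sn_a = sn_id("262", "01")  # constructed serving network A
    sn_b = sn_id("234", "15")  # constructed serving network B
    key_a = k_asme(CK, IK, sn_a, SQN_XOR_AK)
    key_b = k_asme(CK, IK, sn_b, SQN_XOR_AK)
    identity = b"0262010000000001@nai.epc.mnc001.mcc262.3gppnetwork.org"  # constructed NAI
    return {
        # a K_ASME obtained in network A is not the K_ASME of network B
        "k_asme_separated": key_a != key_b,
        # a UTRAN-type AV (bit=0) presented over E-UTRAN is rejected by the UE
        "ue_rejects_utran_av_over_eutran": not ue_accepts("E-UTRAN", hss_amf("UTRAN")),
        "ue_accepts_eutran_av": ue_accepts("E-UTRAN", hss_amf("E-UTRAN")),
        "ck_ik_released_to_mme": "ck" in hss_material_for_mme(CK, IK, sn_a, SQN_XOR_AK),
        # only identity, IK and CK enter MK: no authenticator identity to separate on
        "eap_aka_mk_len": len(eap_aka_mk(identity, IK, CK)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast is the point of the example: `k_asme` changes with the SN id, so key material released to one MME is of no use toward another serving network, and the AMF separation bit lets the UE refuse a UTRAN-type vector replayed over E-UTRAN; `eap_aka_mk`, by construction, has no input that names the authenticator, which is why the MSK handed to a trusted non-3GPP authenticator or an ePDG is interchangeable between them.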