Cyber Security Threats to LTE and LTE-Advanced

Networks

PREETHI GOPALAKRISHNAN RUBASRI KALIDAS

LTE NETWORK ARCHITECTURE

A. Mobility Management Entity

B. User Equipment

m C. Evolved Node B (eNodeB)

D. Serving Gateway (S-GW)

E. Home Subscriber Server (HSS)

F. Policy and Charging Rules Function

G. PDN Gateway

◦

LTE SECURITY ARCHITECTURE ANDMECHANISMS

A. Security architecture

SECURITY ARCHITECTURE Network access security

Network domain security

User domain security

Application domain security

Non 3GPP domain security

MECHANISMS - EPS AKA PROCEDURE

KEY HIERARCHY

VULNERABILITIES IN LTE A) LTE architecture vulnerability

-Flat IP

- Rogue Base Station attacks

B) LTE access procedure vulnerability

-User Privacy

-DOS attacks

C) LTE Handover Procedure Vulnerability

-Lack of backward security

-Replay Attacks

D) LTE IMS Security Mechanism

VULNERABILITIES (continued)D) LTE HeNB Security Mechanism

-Mutual authentication

-Denial of Service

E) MTC architecture Vulnerability

-False network attack

-User Privacy

-Tracking

-Tampering

-Signal Congestion

SOLUTIONS TO VULNERABILITES Solutions to Access Procedure

A new subscriber module ESIM instead of the USIM to provide mutual authentication between ESIM and the MME or the HSS.

Security enhanced authentication and key agreement.

EPS-AKA protocol is replaced by Juggling (J-PAKE) protocol for password authentication.

Solutions to Handover Procedure

Simple and robust handover procedure based on proxy signatures.

Dynamic password is associated with a public-key to provide non-repudiation service

SOLUTIONS (CONTINUED)Solutions to IMS Security

One-pass AKA procedure to reduce authentication overhead.

Identity Based Cryptography (IBC) to enhance the security of the IMS authentication process.

Solutions to HeNodeB Security

Location and identity tracking at the air interface by assigning and changing identifiers.

Solutions to MTC Security

By ensuring, triggering of UEs happens only when the triggers are received from authorized network entities.

Keeps a list of MTC servers authorized to send trigger to a given UE and the type of trigger the MTC server is authorized to send.

Construction of a managed group and choosing a group leader.

Group based authentication and key agreement (GAKA) for a group of UEs roaming from the same home network (HN) to a serving network (SN).

REFERENCES [1] C. Vintila, V. Patriciu, and I. Bica, ”Security Analysis of LTE Access Network”, Proceedings of The Tenth International Conference on Networks (ICN 2011), January 2011, pp. 29-34.

[2] R. Rajavelsamy and S. Choi, ”Security Aspects of Inter-accessSystem Mobility between 3GPP and Non-3GPP networks,” Proceedings of Communication Systems Software and Middleware and Workshops (COMSWARE), January 2008, pp.209-213.

[3] C. K. Han, H. K. Choi and I. H. Kim, ”Building Femtocell More Secure with Improved Proxy Signature”, Proceedings of IEEE GLOBECOM 2009, USA, December 2009, pp. 1-6.

[4] Jin Cao, Maode Ma, and Hui Li, ”A Group-based Authentication and Key Agreement for MTC in LTE Networks”, Proc. IEEE GLOBECOM 2012, Dec. 2012, accepted for publication.

[5] 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; System Improvements for Machine-Type Communications (Rel 11), 3GPP TR 23.888 V11.0.0, Sep. 2012.

THANK YOU!