Handover Keying Mechanisms Background

User authentication is needed when the mobile terminal (MT) attaches to the network.⁵ Then, as a result of the authentication and successful authorization for network access, the MT and the network share a key that is used to protect the communication with the network. When the MT is in a state that corresponds to what is called connected state in LTE, also the MT and the base station share a key. When the MT changes the base station in the network as a result of mobility, the new base station also needs to share a key with the MT. There are multiple ways to deliver the base station specific keys efficiently to the

5In this section we use the terms MT and base station in a broader and network technology independent sense to mean a wireless terminal and a wireless receiver that communicates with the MT via a wireless link and with the network via wireless or wired link.

Security in Intra-LTE State Transitions and Mobility 163

new base station before or during handover. Public key-based methods are traditionally not considered because asymmetric cryptographical operations (like decrypting and signing with a secret key of the public key pair) are considered computationally too heavy for mobile devices and radios, in which handovers are very time critical.

Delegated Authentication

Delegated authentication means that the Authentication Server, like Home Subscriber Server (HSS) in EPS, delegates the authentication authority to a local authentication agent, which may be a local AAA server or signalling gateway close to the MT like the MME in E-UTRAN. Typically this happens deriving a key from the root key that can be distributed to the access network Key Distributor (KD). This is a common approach in many mobile network key management frameworks as the mobility happens mostly inside the access network or between the access networks, and there is no need to go back to the authentication server.

Key Request

Key request is the simplest form of key delivery to the base station. The base station sends a key request to the KD when the MT hands over to it. The KD creates a fresh base station specific key and delivers it to the new base station. A modified mechanism can be used for cases where the handover signalling goes through a centralized element providing the KD functionality (e.g. a WLAN switch or the MME in EPS). In this case, the source base station sends a key request to the KD along with other mobility signalling, but the KD then sends a fresh key to the target base station, instead of to the source base station. LTE uses this modified key request scheme in S1 handovers and a normal key request mechanism in X2 handovers, except that in X2 handovers the fresh key is used in the next handover and not in the current handover (see Section 9.4.3).

Pre-distribution

In a pre-distribution (or pre-emptive keying) scenario [draft-irtf-aaaarch-handoff-04, Mishraet al. 2003, 2004, Kassabet al. 2005] the KD derives base station specific session keys and distributes them to a number of base stations when the MT has successfully attached to the access network. The specific base stations, and the number of them included in the pre-distribution scheme, can vary [Mishra et al. 2004]. This scenario makes the handover faster as the key is already in the target base station, provided that it was in the distribution group of the pre-distribution algorithm. The main disadvantage of a pre-distribution scheme is that it increases signalling between the KD and multiple base stations. Also, the KD needs to pre-distribute the keys to multiple neighbouring base stations, but the MT may never visit the neighbouring base stations the keys were pre-distributed to. A modified pre-distribution scheme is where the base station sends keys to the neighbouring base stations for preparing them for a possible handover. LTE does not apply pre-distribution as such, because the source base station does not prepare multiple target base stations. However, the X2 handover prepares the target base station by sending the key to it before the actual radio break. In this way the key distribution

part happens before the time-critical handover break and thus makes the LTE handovers very efficient as in pre-distribution in general.

Optimistic Access

Aura and Roe describe a method they call optimistic access [Aura and Roe 2005], in which the network delivers a ticket to the MT. The MT then uses the ticket as a temporary authentication key to get access before the normal authentication procedure is finished with the target base station. This resembles ticket-based methods like the Kerberos [Miller et al. 1987, Neuman and Ts’o 1994] protocol. Ohba and Dutta describe a kerberized handover keying method, in which they also send a ticket to the target base station [Ohba et al. 2007]. Komarova and Riguidel [2007] continue with the same mechanism and use the tickets for fast intersystem roaming and also let the home network provide multiple tickets to multiple visited networks at the same time for the MT. This mechanism increases over-the-air signalling and is not well suited for LTE and thus not applied.

Pre-Authentication

Pack and Choi introduced a pre-authentication mechanism where the MT authenticates to multiple base stations through a single base station [Pack and Choi 2002a, 2002b, draft-ietf-pana-preauth-07, draft-ietf-hokey-preauth-ps-09, Smetters et al. 2007]. In this way the MT can pre-establish shared keys with multiple neighbouring base stations. This makes the next handover fast as the keys are already established. However, the MT may have to run pre-authentication with multiple base stations as it is not certain to which base station the MT is handed over next. It increases signalling over-the-air (battery life) and between base stations. Pre-authentication sits well with intersystem handovers, as the source and target systems may not support the same key management or authentication mechanisms. In EPS, a form of this mechanism is applied to handovers between LTE and cdma2000 HRPD access. These two access types are sufficiently different so that the more efficient key mapping techniques applied to handovers between LTE and GSM or 3G systems cannot be used.

Session Keys Context

Session Keys Context (SKC) [Forsberg 2007] is a way to distribute keys to the base stations. SKC contains multiple session keys separately encrypted for each and every base station. The SKC is created in the KD, for a number of base stations and sent to the base station that the MT is currently attached to. When the MT moves, the SKC is transferred between the base stations. Transferring the SKC between base stations may use, for example the context transfer protocol [RFC4067] or inter-access point protocol [IEEE 802.11F]. Each base station gets the session key from the SKC and creates encryption and integrity protection keys from it.

The session keys are encrypted and accompanied by base station identity informa-tion. The encrypted session key and base station identity information are signed using a Security Association (SA) between the KD and the base station. Each base station that

Security in Intra-LTE State Transitions and Mobility 165

Table 9.1 Example SKC rows for three base stations Base station

identity

Encrypted key (SK) Message authentication code (MAC)

ID_BS1 E_SA-BS1{SK_MTx-BS1} MAC_SA-BS1{ID_BS1 ||E_SA-BS1{SK_MTx-BS1}}

ID_BS2 E_SA-BS2{SK_MTx-BS2} MAC_SA-BS2{ID_BS2 ||E_SA-BS2{SK_MTx-BS2}}

ID_BS3 E_SA-BS3{SKMTx-BS3} MAC_SA-BS3{IDBS3 ||E_SA-BS3{SKMTx-BS3}}

receives this context finds its own encrypted Session Key (SK) based on its identity.

Table 9.1 shows an example context row in an SKC. The row is integrity-protected with a message authentication code, such as a Keyed-Hash Message Authentication Code (HMAC) [RFC2104].

Each of the keys is derived from the root key and the target base station identifier as in formula (9.1):

SK_MTx−BSi=KDF(rootkey||ID_BSi||TID_MTx) (9.1) The ID_BSi is the access point identity. SKC assumes that the base station identity is available for the MT when attaching to it so that the MT can use formula (9.1) to derive the key from the root key that is holds. In this way the key management with SKC is simple, and the base station identity is also authenticated. The last parameter is temporary identity of the MT (TID_MTx) in the access network. It is assumed that the temporary identity of the ME does not change between consecutive attachments or handovers to the same base station. Also, if all the input parameters to the keystream generation are reset while attached to the base station (e.g. sequence numbers (SQNs)), the key must be refreshed.

Illustrative KDF parameters for deriving integrity protection and ciphering keys are given in formulas (9.2) and (9.3), where the parameters A and B are constants that make the keys different. Additionally, the selected integrity protection and ciphering algorithms should be bound to the keys as KDF input parameters (not shown in the equations).

K_Int=KDF(SK_MTx−BSi||TLinkID_MTx||A) (9.2) K_Enc=KDF(SK_MTx−BSi||TLinkID_MTx||B) (9.3) The SKC mechanism was proposed to the 3GPP security working group as a candidate mechanism at an early stage of LTE security standardization but, after intensive discus-sions, it was not selected. One reason was the complexity of determining the right group of base stations to be included in the SKC, and another was the lack of a base station identity on the air interface in LTE.

All these key management methods have different properties and are suitable for dif-ferent mobile network architectures and deployments. Forsberg extensively compares key request, pre-distribution and pre-authentication key management methods [Forsberg 2007].

See also the LTE handover key management analysis with SKC [Forsberg 2010].

eNB

UE

S1-C S1-U

eNB

MME

SAE GW Uu

Uu

X2

S1-C

S1-U E-UTRAN

Evolved Packet Core (EPC)

Figure 9.3 Evolved packet system (EPS).