Identification

In the document LTE SECURITY (Pages 123-126)

EPS Authentication and Key Agreement

This chapter describes how users are identified and authenticated for network access in EPS. Section 7.1 introduces the means to identify subscribers and terminals, and the mechanisms to protect the related identities. Section 7.2 then provides a detailed presentation of EPS Authentication and Key Agreement (AKA), the protocol used in EPS to authenticate subscribers and agree a local master key. Further keys are then derived from this local master key to protect signalling and user traffic over various interfaces between the user equipment (UE) and the network. The complete EPS key hierarchy resulting from this derivation process is described in Section 7.3. In addition to keys, other security-related parameters need to be shared between two entities running a security protocol between them. These parameters, together with the keys, form a security context, and the various security contexts used in EPS are described in Section 7.4.

7.1 Identification

We first describe the means to identify subscribers and terminals in EPS and explain the uses of the corresponding identities. We then proceed to describe the identity confidentiality features, which help to protect the user’s privacy. These identities are specified in [TS23.003].

User identification. Global System for Mobile communications (GSM), 3G and EPS all use the same type of permanent subscriber identity, the International Mobile Subscriber Identity (IMSI), to uniquely identify a subscriber. The IMSI is composed of three parts:

– The Mobile Country Code (MCC) identifies the country of domicile of the mobile subscriber.

– The Mobile Network Code (MNC) identifies the home network of the mobile subscriber in that country.

– The Mobile Subscriber Identification Number (MSIN) identifies the mobile subscriber within a home network.

LTE Security, Second Edition. Dan Forsberg, Günther Horn, Wolf-Dietrich Moeller and Valtteri Niemi.

© 2013 John Wiley & Sons, Ltd. Published 2013 by John Wiley & Sons, Ltd.

The IMSI is crucial for EPS security, as it is for GSM and 3G security, because the permanent authentication key K used in EPS AKA, the AKA protocol used in EPS, is identified by the IMSI. The permanent authentication key K is stored in the Authentication Centre (AuC) and in the Universal Subscriber Identity Module (USIM), but nowhere else.

There are a number of temporary identities associated with an IMSI in EPS, notably the Globally Unique Temporary UE Identity (GUTI) and the Cell Radio Network Temporary Identity (C-RNTI). The GUTI is allocated for the purposes of user identity confidentiality. The C-RNTI [TS36.331] is used to identify a UE having a Radio Resource Control (RRC) connection within a cell. The only use of the C-RNTI in security procedures is with handover preparation (see Section 9.4.4).

Terminal identification. GSM, 3G and EPS all use the same type of permanent terminal identity, the International Mobile Equipment Identity (IMEI). In all systems, IMEI is sometimes accompanied by a Software Version Number (SV) in which case the identity is called International Mobile Equipment Identity and Software Version Number (IMEISV). Because of possible software upgrades in the terminal, the SV may change during its lifetime, while IMEI remains the same.

7.1.1 User Identity Confidentiality

The EPS protects the confidentiality of the user identity against passive attacks in pretty much the same way as do GSM and 3G. In each of these systems, the network assigns the user a temporary identity sent in a message protected from eavesdropping. It is the purpose of this temporary identity to provide an unambiguous identification of the UE that does not reveal the user’s permanent identity – the IMSI. The temporary identity can be used by the network and the UE during signalling between them, and can be translated by them to the permanent user identity.

The temporary user identity used in EPS is called the Globally Unique Temporary UE Identity. It is a bit different in structure from the Temporary Mobile Subscriber Identity (TMSI) used as a temporary user identity in the circuit-switching (CS) domain of GSM and 3G, and the Packet Temporary Mobile Subscriber Identity (P-TMSI) used as a temporary user identity in the packet-switching (PS) domain of GSM and 3G.

The GUTI has two main components:

• the Globally Unique Mobility Management Entity Identifier (GUMMEI), which globally uniquely identifies the Mobility Management Entity (MME) that allocated the GUTI and

• the MME-TMSI (M-TMSI), which uniquely identifies the UE within the MME that allocated the GUTI.

The GUMMEI is constructed from the MCC, the MNC and the Mobility Management Entity Identifier (MMEI).

For certain procedures, such as paging and service requests, a shortened version of the GUTI is used, namely, the S-Temporary Mobile Subscriber Identity (S-TMSI). The S-TMSI consists of the M-TMSI and a part of the MMEI. The S-TMSI enables more efficient radio-signalling procedures.
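The identity structure described above, as an added example that is not taken from the book: it splits an IMSI into its three parts and derives the GUMMEI and S-TMSI from a GUTI. The field widths (16-bit MME Group ID and 8-bit MME Code forming the MMEI, 32-bit M-TMSI, S-TMSI built from MME Code plus M-TMSI) follow TS 23.003 and are not stated on this page; all names and sample values are constructed.

```python
from dataclasses import dataclass

def split_imsi(imsi: str, mnc_len: int) -> tuple:
    """Split an IMSI into (MCC, MNC, MSIN).

    The MNC is 2 or 3 digits and the IMSI itself does not say which,
    so the caller must supply the length used by that network.
    """
    if mnc_len not in (2, 3):
        raise ValueError("MNC length is 2 or 3 digits")
    if not (imsi.isascii() and imsi.isdigit()):
        raise ValueError("IMSI must contain decimal digits only")
    if not 3 + mnc_len < len(imsi) <= 15:
        raise ValueError("IMSI is at most 15 digits and needs an MSIN")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]

@dataclass(frozen=True)
class Guti:
    mcc: str
    mnc: str
    mme_group_id: int  # 16 bits (width from TS 23.003, an assumption here)
    mme_code: int      # 8 bits
    m_tmsi: int        # 32 bits

    def __post_init__(self):
        for name, bits in (("mme_group_id", 16), ("mme_code", 8), ("m_tmsi", 32)):
            if not 0 <= getattr(self, name) < (1 << bits):
                raise ValueError(f"{name} does not fit in {bits} bits")

    def mmei(self) -> int:
        # MMEI = MME Group ID followed by MME Code (24 bits)
        return (self.mme_group_id << 8) | self.mme_code

    def gummei(self) -> tuple:
        # GUMMEI = MCC + MNC + MMEI, as stated in the text
        return self.mcc, self.mnc, self.mmei()

    def s_tmsi(self) -> int:
        # S-TMSI = MME Code followed by M-TMSI (40 bits);
        # MCC, MNC and MME Group ID are dropped.
        return (self.mme_code << 32) | self.m_tmsi

# Constructed sample values, not taken from the book.
SAMPLE_IMSI = "001010123456789"
GUTI_A = Guti("001", "01", 0x8001, 0x2A, 0xC0FFEE01)
GUTI_B = Guti("001", "01", 0x8002, 0x2A, 0xC0FFEE01)  # different MME group

if __name__ == "__main__":
    print(split_imsi(SAMPLE_IMSI, 2), split_imsi(SAMPLE_IMSI, 3))
    print(hex(GUTI_A.mmei()), hex(GUTI_A.s_tmsi()))
    print(GUTI_A.s_tmsi() == GUTI_B.s_tmsi(), GUTI_A == GUTI_B)
```

The two sample GUTIs differ only in MME Group ID and therefore share one S-TMSI, which shows that the shortened identity is unambiguous only within the area served by one MME group.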

The MME may assign a GUTI to the UE in an Attach Accept message or in a Tracking Area Update Accept message. The MME may also assign a GUTI in a separate GUTI Reallocation procedure [TS23.401]. In each case, the MME sends the GUTI only after the protection for non-access stratum (NAS) signalling has been enabled (see Chapter 8).

If the network supports signalling confidentiality, then an attacker listening on the link between the MME and the UE cannot read the GUTI, and so cannot associate the GUTI with the IMSI or an earlier GUTI sent in a message by the UE. This mechanism protects the confidentiality of the user identity against passive attacks (eavesdropping). It also prevents tracking a user by observing temporary identities consecutively assigned to the same user. If the network does not support signalling confidentiality, then the user identity confidentiality protection is weakened as well because an eavesdropper can observe the relation between an IMSI sent over the air and a GUTI allocated by the network, or between two consecutive GUTIs.

As for GSM and 3G, there is no user identity confidentiality protection against active attacks; and the reason is again the same. In a typical active attack, an attacker would use a device known as an IMSI catcher, which incorporates a false base station, for sending an Identity Request message to the UE. The UE would then invariably respond with the IMSI. This Identity Request procedure is needed to recover from cases where the network lost the association between the temporary user identity and the IMSI, for example through a crash of the MME. Without such a recovery mechanism, the user could be permanently locked out of the system. 3rd Generation Partnership Project (3GPP) again discussed means to allow for recovery from such a situation while providing better protection against active attacks, but the only effective means seemed to be the use by the UE of public key certificates. For roaming cases, where the MME resides in another operator’s network, this would assume the existence of a public key infrastructure spanning across all operators with mutual roaming agreements. While this would be possible in theory, 3GPP felt that mandating such an infrastructure would be too high a price to pay.

7.1.2 Terminal Identity Confidentiality

While the mechanism for protecting the user identity confidentiality in EPS is still pretty much the same as it was in GSM and 3G, there is an improvement in EPS with respect to GSM and 3G regarding the terminal identity confidentiality. In GSM and 3G it is possible that the network requests the terminal identity at any time, even before the signalling protection has been set up. Without signalling protection already set up, the UE would respond by sending the terminal identity in the clear. As a user tends to use the same terminal for an extended period of time, the terminal identity would also give strong hints regarding the user identity. This is no longer possible in EPS. In EPS, the UE shall not send IMEI or IMEISV to the network upon a network request before NAS security has been activated. (This does not apply to unauthenticated emergency calls.)

In particular, the MME may request the terminal identity in the NAS Security Mode Command (SMC) message, and the UE then includes the terminal identity IMEISV in the NAS Security Mode Complete message, which is already ciphered (if the network supports confidentiality) – see Chapter 8.
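The exposure rules of Sections 7.1.1 and 7.1.2 as a small model, an added example that is not from the book: it walks a signalling trace and lists which permanent identities a passive listener sees in the clear under the GSM/3G behaviour and under the EPS rule. The function names, event labels and trace are constructed; "security_activated" stands for NAS security activation in EPS and for the set-up of signalling protection in GSM/3G.

```python
from enum import Enum

class Ident(Enum):
    IMSI = "IMSI"
    IMEI = "IMEI"
    IMEISV = "IMEISV"

TERMINAL_IDS = {Ident.IMEI, Ident.IMEISV}

def ue_answers(system, requested, security_active, unauth_emergency=False):
    """True if the UE returns the requested identity to the network."""
    if system == "EPS" and requested in TERMINAL_IDS:
        # EPS rule: no IMEI/IMEISV before NAS security is active,
        # except for unauthenticated emergency calls.
        return security_active or unauth_emergency
    # The IMSI in every system, and the terminal identity in GSM/3G,
    # are returned whenever the network asks.
    return True

def sent_in_clear(system, trace, ciphering_supported, unauth_emergency=False):
    """Return the identities in `trace` that cross the air unciphered."""
    security_active = False
    exposed = []
    for event, ident in trace:
        if event == "security_activated":
            security_active = True
        elif event == "identity_request":
            if not ue_answers(system, ident, security_active, unauth_emergency):
                continue  # UE refuses, nothing is sent
            # A response is hidden only if protection is active AND the
            # network actually supports signalling confidentiality.
            if not (security_active and ciphering_supported):
                exposed.append(ident.value)
    return exposed

# Constructed trace: terminal identity and IMSI requested before
# protection is set up, terminal identity requested again afterwards.
TRACE = [
    ("identity_request", Ident.IMEISV),
    ("identity_request", Ident.IMSI),
    ("security_activated", None),
    ("identity_request", Ident.IMEISV),
]

if __name__ == "__main__":
    for system, ciphering in (("GSM/3G", True), ("EPS", True), ("EPS", False)):
        print(system, ciphering, sent_in_clear(system, TRACE, ciphering))
```

In the EPS runs the early IMEISV request goes unanswered while the IMSI request is still answered in the clear, which is the remaining gap discussed in Section 7.1.1.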