Principles of Third-Generation (3G) Security

In the document LTE SECURITY (pages 53-56)

Third-Generation Security (UMTS)

4.1 Principles of Third-Generation (3G) Security

The design work for 3G security was based on the practical experiences with Global System for Mobile Communications (GSM) security and, to a lesser extent, experiences with the security of other second-generation (2G) cellular systems. Before 3rd Generation Partnership Project (3GPP) was created in 1998, there was a subgroup of the European Telecommunications Standards Institute (ETSI) SMG 10 working group (WG) that did preliminary work for Universal Mobile Telecommunications System (UMTS) security, but the actual design work was done in the 3GPP security WG (SA3). Principles of 3G security, together with design objectives for security work, have been documented [TS33.120].

The major principles for 3G security are:

• It builds on those elements of 2G security that have proven to be both robust and needed.

• It addresses and corrects real and perceived weaknesses in 2G security.

• It adds new security features to address security needs of all new 3G services.

The first two principles were given priority in the beginning of the design work, whereas the third principle became the most important for later releases of 3GPP where more and more features have been added to the 3GPP system.

4.1.1 Elements of GSM Security Carried over to 3G

Here we list the security features and design principles that were identified as worth retaining in 3G systems. In most areas, further development was done for 3G security.

The elements of 2G security that were considerably strengthened in 3G are as follows.

LTE Security, Second Edition. Dan Forsberg, Günther Horn, Wolf-Dietrich Moeller and Valtteri Niemi.

2013 John Wiley & Sons, Ltd. Published 2013 by John Wiley & Sons, Ltd.

• Subscriber authentication. This was extended to become mutual authentication between subscribers and the system. Protocols and algorithms were also enhanced. Note that 3G security uses the term user authentication rather than subscriber authentication.

• Radio interface encryption. Encryption was extended to cover more than just the radio interface between the terminal and the base station. The strength of the encryption was greatly enhanced by a much longer key size and a publicly verifiable algorithm design.

• Subscriber Identity Module (SIM) as a removable and tamper-resistant security module. The SIM card was (gradually) replaced by the Universal IC card (UICC) but its role as a cornerstone of the security architecture remained. Functionality was greatly enhanced for the UICC and the Universal Subscriber Identity Module (USIM) application inside it, compared to the SIM. Related to this, the SIM application toolkit security features were enhanced for the USIM application toolkit.

The elements of GSM security that were eventually seen as adequate also for the 3G environment more or less as they existed already in GSM were as follows.

• Subscriber identity confidentiality on the radio interface. The mechanism based on temporary identities provides protection only against passive attackers. Lots of effort was spent on designing a protection also against active attackers, but in the end it turned out that a full protection would require too costly an investment. Note that 3G security uses the term user identity confidentiality rather than subscriber identity confidentiality.

• Transparency for the user. For the most important security features, like the ones listed here, the user does not have to do anything to get them into operation. The global and pervasive presence of 3G systems emphasizes the importance of this principle.

4.1.2 Weaknesses in GSM Security

Following from the second main principle expressed in this chapter, it was important to explicitly list the weaknesses that were considered to be real at the time when design work for 3G security was started. Of course, in parallel with the 3G security design work, much effort was devoted to mitigating these weaknesses also in the GSM environment.

At the time of writing, more than a decade after the work was started, it is interesting to compare how well the 3G security systems address the listed weaknesses. Partly for that reason, we include all items from the original list (see [TS33.120] for full formulations of these items) in the following.

• Active attacks by ‘false networks’ are possible. The feature of mutual authentication, in combination with the mandatory integrity protection for signalling, addresses this weakness.

• Encryption keys and credentials for authentication are transmitted in cleartext between and within networks. In order to address this weakness, network domain security (NDS) features were added to 3G systems but only in later releases of the 3GPP specifications.

• Encryption does not extend far enough towards the network. In 3G the encryption is run between the user equipment (UE) and the Radio Network Controller (RNC) entity, which resides in the network behind the base station and is in a physically secure place.

• Encryption is not used in some networks. From the technical and specification points of view, it would be easy to remove this weakness: just drop all unencrypted calls and sessions. However, this is a regulatory rather than a technical matter, and at the time of writing there still exist big networks that do not regularly use encryption.

• Data integrity is not provided. Protection for signalling data integrity was added from the first release of 3GPP specifications.

• The International Mobile Equipment Identity (IMEI) is an unsecured identity and should be treated as such. Adding an independent authentication system for mobile equipments (MEs), in addition to the subscriber authentication system, would have been too costly. Therefore, the IMEI was kept as an unsecured identity from the network point of view. However, measures to prevent tampering with the IMEI implementation on the ME itself have been improved.

• Fraud and lawful interception were not considered in the design phase of GSM security. This was changed for 3GPP work, as lawful interception specifications have been developed in parallel with other specifications. Similarly, a fraud information-gathering system and support for immediate service termination were provided already in early releases of 3GPP.

• The home network does not know (or control) whether and how the serving network (SN) authenticates roaming subscribers. Mandatory integrity protection addresses the ‘whether’ part, since integrity protection cannot be started without keys, and obtaining keys requires authentication. Some effort was spent on trying to also address the ‘how’ part, but in the end it was decided that the ‘minimal trust’ principle does not justify introduction of a new mechanism for this type of home control.

• There is no flexibility to upgrade security functionality over time. Certain elements to support flexibility and future proofing have been included in the 3G systems. For instance, there is a secure negotiation mechanism for encryption algorithms, which enables effective introduction of new algorithms and removal of deprecated ones. On the other hand, the authentication and key agreement (AKA) protocol is more or less hard-wired to the system; only cryptographic algorithms used inside it may be upgraded.

Overall, it appears that the 2G weaknesses have been addressed well in 3G systems, but there is room for improvement in some items. These lessons from the past have also been helping in the design of the Long Term Evolution (LTE) and Evolved Packet System (EPS) security functions.

4.1.3 Higher Level Objectives

Apart from the fairly concrete design principles stemming from experiences with 2G systems, there was also a list of principles and objectives that helped in meeting the third main principle: securing all new 3G services. For instance, the 3G security was designed to ensure the following.

• All information related to a user is adequately protected.

• Resources and services in the networks are adequately protected.

• Standardized security features are available world-wide, and in particular there is at least one encryption algorithm that can be exported world-wide.

• Security features are adequately standardized to support world-wide interoperability and roaming.

• Protection for 3G subscribers is better than that provided by fixed and mobile (including GSM) systems (of that time).

• 3GPP security mechanisms can be extended as required by new threats and services.

4.2 Third-Generation Security Mechanisms
