LTE secure mode

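Reposted from: http://www.tweet4tutorial.com/tutorial/security-mode-command-in-lte/

LTE/SAE Security Authentication (AKA) Mechanism

The AKA authentication procedure in LTE/SAE is essentially the same as the AKA authentication procedure in UMTS. It uses the Milenage algorithm and inherits the advantages of the UMTS quintuplet authentication mechanism, achieving mutual authentication between the UE and the network.

Compared with UMTS, the SAE AV (Authentication Vector) differs from the UMTS AV: the UMTS AV contains CK/IK, whereas the SAE AV contains only KASME, that is, its AV is a quadruplet (RAND, AUTN, XRES, KASME). LTE/SAE uses the AMF in the AV to indicate whether the AV is an SAE AV or a UMTS AV. The UE uses this indication to determine whether the authentication challenge matches the type of network it is accessing, and the network can also use it to keep SAE AVs and UMTS AVs separate, preventing an attacker who has obtained a UMTS AV from impersonating an SAE network.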

The AUTN consists of (SQN xor AK) || AMF || MAC = 48 + 16 + 64 = 128 bits.
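The AUTN layout and the AMF check described above, as an added Go example that is not part of the original post. It assumes, from 3GPP TS 33.401, that the indication is the AMF separation bit (bit 0, the most significant bit, set to 1 for an SAE AV); the function names and sample AUTN values are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// AUTN is the 128-bit authentication token: (SQN xor AK) || AMF || MAC.
type AUTN struct {
	SQNxorAK [6]byte // 48 bits
	AMF      uint16  // 16 bits
	MAC      [8]byte // 64 bits
}

// ParseAUTN splits a 16-byte AUTN into its three fields.
func ParseAUTN(b []byte) (AUTN, error) {
	var a AUTN
	if len(b) != 16 {
		return a, fmt.Errorf("AUTN must be 16 bytes, got %d", len(b))
	}
	copy(a.SQNxorAK[:], b[0:6])
	a.AMF = binary.BigEndian.Uint16(b[6:8])
	copy(a.MAC[:], b[8:16])
	return a, nil
}

// CheckForEUTRAN is the UE-side check made before any key is derived.
// Assumption (3GPP TS 33.401, not stated on this page): the flag is the AMF
// separation bit, bit 0 (most significant), and it is 1 for an SAE AV.
func CheckForEUTRAN(b []byte) error {
	a, err := ParseAUTN(b)
	if err != nil {
		return err
	}
	if a.AMF&0x8000 == 0 {
		return errors.New("separation bit is 0: UMTS AV offered on E-UTRAN access")
	}
	return nil
}

func main() {
	// Constructed sample AUTN values, not captured traffic.
	sae := []byte{1, 2, 3, 4, 5, 6, 0x80, 0x00, 9, 9, 9, 9, 9, 9, 9, 9}
	umts := []byte{1, 2, 3, 4, 5, 6, 0x00, 0x00, 9, 9, 9, 9, 9, 9, 9, 9}
	fmt.Println(CheckForEUTRAN(sae), CheckForEUTRAN(umts))
}
```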

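LTE/SAE Key Hierarchy

As shown in the figure below, several levels of keys are derived from K, providing confidentiality and integrity protection at each layer and improving the security of communication.
[Figure: LTE/SAE key hierarchy]

The key hierarchy of the LTE/SAE network contains the following keys:

1) Keys shared between the UE and the HSS:

  • K: the permanent key stored in the USIM and in the authentication centre (AuC).

  • CK/IK: the key pair generated by the AuC and the USIM during the AKA authentication procedure. In contrast to UMTS, CK/IK should not leave the HSS.

2) Intermediate key shared between the ME and the ASME:

  • KASME: the key derived by the UE and the HSS from CK/IK, used to derive the lower-level keys.

3) Keys shared between the UE and the eNB and MME:

  • KNASint: derived by the UE and the MME from KASME, used to protect the integrity of NAS traffic between the UE and the MME.

  • KNASenc: derived by the UE and the MME from KASME, used to protect the confidentiality of NAS traffic between the UE and the MME.

  • KeNB: derived by the UE and the MME from KASME. KeNB is used to derive the AS-layer keys.

  • KUPenc: derived by the UE and the eNB from KeNB and the identifier of the ciphering algorithm, used to protect the confidentiality of the UP between the UE and the eNB.

  • KRRCint: derived by the UE and the eNB from KeNB and the identifier of the integrity algorithm, used to protect the integrity of RRC between the UE and the eNB.

  • KRRCenc: derived by the UE and the eNB from KeNB and the identifier of the ciphering algorithm, used to protect the confidentiality of RRC between the UE and the eNB.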
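The derivation chain in the list above, from KASME down to the NAS and AS keys, written out as an added Go example (not code from the original post). The KDF input layout, the FC values 0x11 and 0x15 and the algorithm type distinguishers are taken from 3GPP TS 33.401 Annex A rather than from this page; the function names and the all-zero KASME are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// P0 algorithm type distinguishers used with FC = 0x15 (TS 33.401 Annex A).
const NASEnc, NASInt, RRCEnc, RRCInt, UPEnc byte = 1, 2, 3, 4, 5

// kdf computes HMAC-SHA-256(key, S) with S = FC || P0 || L0 || P1 || L1 ...,
// where each Li is the 2-byte big-endian length of Pi.
func kdf(key []byte, fc byte, params ...[]byte) []byte {
	s := []byte{fc}
	for _, p := range params {
		s = append(s, p...)
		s = append(s, byte(len(p)>>8), byte(len(p)))
	}
	m := hmac.New(sha256.New, key)
	m.Write(s)
	return m.Sum(nil)
}

// KeNB derives the 256-bit KeNB from KASME and the uplink NAS COUNT (FC 0x11).
func KeNB(kasme []byte, ulNASCount uint32) []byte {
	c := make([]byte, 4)
	binary.BigEndian.PutUint32(c, ulNASCount)
	return kdf(kasme, 0x11, c)
}

// AlgKey derives a 128-bit algorithm key: the 128 least significant bits of
// the KDF output. parent is KASME for NAS keys and KeNB for AS keys.
func AlgKey(parent []byte, algType, algID byte) []byte {
	return kdf(parent, 0x15, []byte{algType}, []byte{algID})[16:]
}

func main() {
	kasme := make([]byte, 32) // constructed all-zero KASME, illustration only
	kenb := KeNB(kasme, 0)
	fmt.Printf("KNASint %x\nKNASenc %x\n", AlgKey(kasme, NASInt, 2), AlgKey(kasme, NASEnc, 2))
	fmt.Printf("KRRCint %x\nKRRCenc %x\nKUPenc  %x\n",
		AlgKey(kenb, RRCInt, 2), AlgKey(kenb, RRCEnc, 2), AlgKey(kenb, UPEnc, 2))
}
```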

Security Procedures at Non Access Stratum Layers

Initial establishment of security context and activation of Security Procedures between UE and EPC elements can be broadly categorised into three parts as depicted in the figure below:
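Activation of the initial security context can be divided into three parts.
[Figure: the three parts of initial security activation between UE and EPC]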
Activation of security starts with both UE and EPC mutually authenticating each other’s identity. Once UE and EPC have authenticated each other an initial security context is established in both the entities. This security context is used by both for deriving and generating other security related parameters. Using these parameters actual application of the security is then activated by UE and EPC by exchanging multiple protocol signalling messages. Details of these procedures are noted in the subsequent sections.
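Once the UE and the network have authenticated each other, the security context is activated. The security context is used to compute and derive the other security-related parameters.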

Security procedure at NAS layer is responsible for Mutual authentication of UE and Network, Generation of Security and Integrity keys and Ciphering and Integrity protection of NAS signaling data.
Security context in the NAS layers consists of parameters for authentication, integrity protection and ciphering of signaling data. These parameters are grouped together into distinct sets, each of which can be identified by an identifier known as a Key-Set Identifier (eKSI).
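The NAS-layer security context is used for authentication and for ciphering and integrity protection of signalling messages. These parameters are divided into several sets, each identified by an eKSI.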

The first step towards activation of security at NAS layers involves establishment of security context at UE and MME. Security context is created either by Authentication procedure or during an inter-system handover from Iu mode or A/Gb mode to S1 mode.
During Authentication procedure the Key-Set Identifier eKSI is assigned by MME to UE whereas during Handover procedure eKSI is derived from the existing UMTS or GPRS security context. eKSI consists of a value and a type of security context parameter indicating whether eKSI has been directly assigned by MME or whether it has been derived from UMTS/GPRS security context.
During the authentication phase, the network assigns the eKSI parameter to the UE.

Security Mode Command at NAS

  1. Once security context is established the next step for activation of NAS security is achieved by executing the Security Mode control procedure. This procedure is initiated by MME by sending SECURITY MODE COMMAND message to UE. The purpose of the NAS security mode control procedure is to take an EPS security context into use, and initialize and start NAS signalling security between the UE and the MME. The MME starts this procedure by sending SECURITY MODE COMMAND message.
  2. This message is sent unciphered by MME but it is integrity protected. The MME shall send the SECURITY MODE COMMAND message unciphered, but shall integrity protect the message with the NAS integrity key based on KASME or mapped K’ASME indicated by the eKSI included in the message. The MME shall set the security header type of the message to “integrity protected with new EPS security context” since this message is only integrity protected but not ciphered.
  3. On receiving the message UE validates this message, and if the message can be accepted, it sends SECURITY MODE COMPLETE message back to MME. SECURITY MODE COMPLETE message is integrity protected and is also encrypted, if the operator chooses to activate ciphering.
    After the successful exchange of these two messages, security procedure is activated at NAS and any subsequent uplink or downlink NAS messages are integrity protected and ciphered.
    The general structure of a security protected NAS message is as follows:
    [Figure: general structure of a security protected NAS message]

Security Mode Command at Access Stratum Layers (RRC)

  1. Security procedure at AS layers involves confidentiality protection as well as integrity protection of data. Confidentiality protection is applicable to both User Plane data and Signaling data whereas Integrity protection is applicable to only Signaling data.
  2. Security is activated in AS by RRC layer using the Security Mode procedure. This procedure is initiated when eNB sends Security Mode Command message to UE. This message contains the integrity and ciphering algorithm to be used for applying security. Selection of these algorithms is dependent on the UE capability.
  3. Security Mode Command message itself is integrity protected but is not ciphered. Same is the case with response message (Security Mode Complete) sent by UE. Ciphering of messages is activated, both in Uplink and downlink direction, only after the completion of the security mode procedure.
  4. Configuration of Security parameters is handled by RRC layer. Security configuration information includes integrity protection algorithm, ciphering protection algorithm, keyChangeIndicator parameter and nextHopChainingCount parameter. The last two parameters are used by UE to determine the AS security keys upon handover and/or connection reestablishment.
  5. Actual ciphering/deciphering and integrity protection of messages is done by the PDCP layer. PDCP uses three different keys for this purpose. KRRCint is used for integrity protection of RRC messages, KRRCenc is used for ciphering/deciphering of RRC messages and KUPenc is used for ciphering/deciphering of User Plane data. All three keys are derived from the KeNB key, which in turn is derived from KASME. KASME is generated by the NAS layers and is supplied to AS after NAS completes its own Security Mode procedure. In the subsequent sections the hierarchical relation between these different keys is described in greater detail.
  6. Security keys are renewed whenever there is a RRC Connection Reestablishment or a Handover. The KeyChangeIndicator parameter is used upon handover to decide if the latest KASME can be used to generate new keys. The nextHopChainingCount parameter is used upon Handover and reestablishment for deriving new KeNB.


Security Algorithms

LTE uses two different sets of Ciphering and Integrity algorithms for security. One set is based on the SNOW 3G specification [7] and the other is based on the AES (Advanced Encryption Standard) specification [8]. SNOW 3G is a word-oriented stream cipher that generates a sequence of 32-bit words under the control of a ciphering key. These 32-bit words can then be used to mask the plaintext. The AES algorithm, on the other hand, is a symmetric block cipher algorithm that can process data blocks of 128 bits using the given ciphering keys. The ciphering key length for both sets of algorithms is currently restricted to 128 bits, with the possibility to introduce 256-bit keys in future if required. The encryption algorithms are signaled between UE and Network by using a 4-bit identifier as given below:
EEA0 : 0000 (Null Ciphering Algorithm)
EEA1 : 0001 (SNOW 3G)
EEA2 : 0010 (AES)

Similarly integrity algorithms are also identified by a 4-bit number:
EIA1 : 0001 (SNOW 3G)
EIA2 : 0010 (AES)

Ciphering Algorithms

Input and Output
The input parameters to the ciphering algorithm are a 128-bit cipher key named KEY, 32-bit COUNT, 5-bit bearer identity BEARER, 1-bit direction of the transmission DIRECTION and length of the keystream LENGTH. The figure given below illustrates the use of ciphering algorithm to encrypt plaintext by applying a keystream using a bit per bit binary addition of the plaintext and the keystream.

EEA0
EEA0 is a NULL Ciphering algorithm, i.e. it does not provide any security. The algorithm is implemented such that it generates a KEYSTREAM of all zeroes. The length of the KEYSTREAM is equal to the LENGTH input parameter. It does not require any input parameter other than LENGTH.
EEA1
EEA1 is based on SNOW 3G [7] and is identical to the traditional UMTS algorithm UEA2 [6].
EEA2
EEA2 is based on AES algorithm operating in CTR mode [9]. The sequence of 128-bit counter blocks needed for CTR mode T1, T2,…Ti,… shall be constructed as follows:

The most significant 64 bits of T1 consist of COUNT[0]…COUNT[31] | BEARER[0]…BEARER[4] | DIRECTION | 0^26 (i.e. 26 zero bits). These are written from most significant on the left to the least significant on the right. Subsequent counter blocks are then obtained by applying the standard integer incrementing function mod 2^64 to the least significant 64 bits of the previous counter block.
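An added Go example (not from the original post) of the EEA2 counter-block construction just described, with the resulting keystream applied to a payload. It takes the least significant 64 bits of T1 as zero, per 3GPP TS 33.401 Annex B, and treats LENGTH as a whole number of bytes; the function names, key and payload are constructed.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// CounterBlock builds T1. High 64 bits: COUNT | BEARER | DIRECTION | 0^26.
// Low 64 bits start at zero (3GPP TS 33.401 Annex B; not on this page).
func CounterBlock(count uint32, bearer, direction uint8) [16]byte {
	var t [16]byte
	binary.BigEndian.PutUint32(t[0:4], count)
	t[4] = (bearer&0x1f)<<3 | (direction&1)<<2
	return t
}

// NextBlock increments only the least significant 64 bits, mod 2^64.
func NextBlock(t [16]byte) [16]byte {
	binary.BigEndian.PutUint64(t[8:], binary.BigEndian.Uint64(t[8:])+1)
	return t
}

// EEA2 XORs data with the AES-CTR keystream; the same call deciphers.
func EEA2(key []byte, count uint32, bearer, direction uint8, data []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("EEA2 key must be 128 bits")
	}
	blk, _ := aes.NewCipher(key) // cannot fail: key length checked above
	out := make([]byte, len(data))
	t, ks := CounterBlock(count, bearer, direction), make([]byte, 16)
	for i := 0; i < len(data); i += 16 {
		blk.Encrypt(ks, t[:]) // keystream block i = AES_K(Ti)
		for j := 0; j < 16 && i+j < len(data); j++ {
			out[i+j] = data[i+j] ^ ks[j]
		}
		t = NextBlock(t)
	}
	return out, nil
}

func main() {
	// Constructed all-zero key and payload, for illustration only.
	ct, _ := EEA2(make([]byte, 16), 0x398a59b4, 0x15, 1, []byte("constructed payload"))
	fmt.Printf("T1=%x ct=%x\n", CounterBlock(0x398a59b4, 0x15, 1), ct)
}
```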

Integrity Algorithms

Input and Output
The input parameters to the integrity algorithm are 128-bit integrity key named KEY, a 32-bit COUNT, 5-bit BEARER, the 1-bit direction of transmission DIRECTION and the message itself i.e MESSAGE. The bit length of MESSAGE is LENGTH. The figure given below illustrates the use of integrity algorithm EIA to authenticate integrity of messages:
Based on these input parameters the sender computes a 32-bit message authentication code (MAC-I/NAS-MAC) using the integrity algorithm EIA. The message authentication code is then appended to the message when sent. The receiver computes the expected message authentication code (XMAC-I/XNAS-MAC) on the message received in the same way as the sender computed its message authentication code on the message sent and verifies the data integrity of the message by comparing it to the received message authentication code, i.e. MAC-I/NAS-MAC.
EIA1
EIA1 is based on SNOW 3G [7] and is identical to the traditional UMTS algorithm UIA2 [6].
EIA2
EIA2 is based on AES algorithm operating in CMAC mode [10]. The bit length of MESSAGE is BLENGTH. The input to CMAC is a bit string M of length Mlen. M is constructed as follows:
