Chapter 4 - LTE

Question 1

What are some basic facts on 4G?

Answer 1

• Evolved Packet System (EPS)
• Evolved Packet Core (EPC)
• Multiple radio access networks
  
  • E-UTRAN
  • UTRAN, GERAN
  • non-3GPP standards (e.g. WLAN)
• EPC a.k.a System Architecture Evolution (SAE)
  
  • Connected to all-IP network
• E-UTRAN a.k.a Long-Term Evolution (LTE)
  
  • 277 Mbit/s downlink, 75 Mbit/s uplink

Question 2

What are the components of a 4G network?

Answer 2

• ME/ USIM
• eNodeB in eUTRAN
• Mobility Management Entity (MME)
• Serving GPRS Support Node (SGSN)
• Serving Gateway (S-GW)
• Home Subscriber Server (HSS)
• Packet Network Gateway (P-GW)
• AuC

Question 3

What are the tasks of the HSS and MME?

Answer 3

HSS:
- HLR
- Transport authentication and authorization information
MME:
- VLR / UE paging
- Authentication with UE
- Signalling with radio network for mobility
- P-GW and S-GW selection
- MME selection for handover
- SGSN selection for 2G/3G handover

Question 4

What are the tasks of the S-GW and P-GW?

Answer 4

S-GW:
- Mobility anchor for inter-MME handover
- e.g. reroute traffic
P-GW:
- Per user packet filtering
- Local breakout: P-GW in serving network is used
- Home-routed: P-GW in home network is used
- UE IP allocation

Question 5

What traffic types exist in a 4G network?

Answer 5

• Radio Resource Control (RRC)
  
  • Control traffic between UE and eNodeB
• Non-Access Stratum (NAS)
  
  • Control traffic between UE and MME
• User Plane (UP)
  
  • Traffic generated by UE

Question 6

What is the underlying protocol stack on the air interface for UP traffic in 4G?

Answer 6

1. PHY
2. MAC
3. Radio Link Control (RLC)
4. Packet Data Convergence Protocol (PDCP)
5. IP

Question 7

What is the protocol stack in the 4G core network for UP traffic?

Answer 7

1. PHY
2. MAC
3. IP/ UDP
4. GPRS Tunneling Protocol for User Traffic (GTP-U)

Question 8

Which keys are used/ created in 4G and who uses them?

Answer 8

• Ki (UE / AuC) - for key derivation
• IK, CK (UE / HSS) - for key derivation
• K_SN (UE / MME) - for key derivaiton of the specific serving network
• K_NASenc K_NASint (UE / MME) - encryption and integrity protection of control traffic
• K_eNB (UE / eNodeB) - for key derivation of the eNodeB
• K_UPenc K_UPint - encryption and integrity protection of user plane traffic
• K_RRCenc K_RRCint - encryption and integrity protection of radio control traffic

Question 9

How is 4G protected against bidding down?

Answer 9

NAS:
- Initial: UE indicates security capabilities
- On NAS security mode command: MME includes UE security capabilities in a integrity protected message
- If UE detects difference, drop connection
RRC / UP:
- eNodeB reveives K_eNB and UE capabilites from MME
- eNB chooses algorithms and derives keys for UP and RRC traffic
- eNB sends security mode command with chosen algorithms in integrity protected message

Question 10

How are keys transferred on handovers within 4G?

Answer 10

Intra-MME:
- eNB derives next K_eNB from current K_eNB and cell ID and target cell downlink frequency
- new K_eNB is transferred directly between eNBs

Inter-MME:
- Current MME uses counter (NCC) and previous next hop parameter (NH) or initially K_eNB to generate new NH
- Transferred to new MME and then new eNB
- eNB uses NH and cell ID, downlink freq. to generate new K_eNB

• Key change possible with active connection (other than in 2G/3G)

Question 11

How are handovers between 4G and 3G/ 2G networks?

Answer 11

4G to 3G:
- CK, IK derived from K_SN by MME
- Transferred to SGSN

3G to 4G:
- CK, IK transferred to MME
- K_SN derived using additional nonce

2G to 4G:
via 3G

Question 12

What attacks are known against 4G?

Answer 12

• Location tracking (Passive / semi-passive / active)
• Cipher (ZUC cypher weak)
• DoS
• Downgrading to 2G/ 3G
• Authentication relay attack

Question 13

How is passive/ semi-passive tracking attack done in 4G?

Answer 13

Use non-encrypted paging of eNB:
- Attacker has a sniffer in each cell of the tracking area (TA)
- Triggers paging (e.g. call or SMS)
- MME sends paging request to last eNB
- eNB broadcast unencrypted paging request with TMSI/ IMSI
- If not in cell, all eNB in TA broadcast
- UE replies with RRC connection request

Passive: Just listen to broadcast requests
Semi-passive: Trigger paging and get current cell

Question 14

How is a DoS attack done in 4G?

Answer 14

Attach request:
- UE initiates “attach request”, which is not integrity protected
- UE indicates service capabilities
- Man in the middle attack: Change to “SMS only”
- MME will block all calls to subscriber

Network-initiated detach:
- Network-initiated detach accepted, even if integrity protection is false

Question 15

How is an downgrading attack done in 4G?

Answer 15

TA-update:
- UE sends TA-update when moving to a new tracking area
- Attacker intercepts and replies with TAU reject (4G not supported)
- TAU-reject accepted with false integrity protection
- UE downgrades to 3G/2G

Question 16

How is an authentication relay attack done in 4G?

Answer 16

• Attacker is man in the middle, between UE and eNB
• Relays traffic between UE and eNB

Attacks:
- Eavesdrop if traffic not encrypted
- DoS if paging is done in wrong TA

NO UE impersonation possible, due to integrity protection