How does LTE ensure the confidentiality and integrity of user data during transmission?
LTE (Long-Term Evolution) incorporates several security measures to ensure the confidentiality and integrity of user data during transmission over the network. Here's a detailed technical explanation of how LTE achieves these objectives:
1. Encryption and Confidentiality:
Key Hierarchy:
- KASME: a master key derived during the authentication and key agreement (AKA) process.
- KeNB (eNodeB Key): derived from KASME and used for encrypting the signaling between the UE and eNodeB.
Radio Bearer Security:
- LTE uses the KeNB* for encryption and integrity protection of user and signaling data over the radio interface (between UE and eNodeB).
- Ciphering and integrity algorithms like AES (Advanced Encryption Standard) and SNOW 3G are used for confidentiality and integrity protection.
Ciphering and Integrity Protection:
- User data and signaling messages are encrypted using the encryption algorithm and a unique Count (CNT) value, ensuring confidentiality.
- Integrity protection is achieved by generating a Message Authentication Code (MAC) based on the Integrity Key (IK) and the message to detect any tampering.
Key Update:
- LTE periodically updates encryption keys to enhance security. Key updates are triggered based on time or the amount of data transmitted.
2. Integrity Protection:
Message Authentication Code (MAC):
- A MAC is generated using the Integrity Key (IK) and the message content.
- The MAC is sent along with the message to the receiving entity, allowing it to verify the message's integrity.
Security Header Protection:
- LTE includes a security header in the RRC (Radio Resource Control) and NAS (Non-Access Stratum) messages, providing integrity protection.
- The security header contains the MAC to validate the message's integrity.
NAS Security:
- NAS messages exchanged between UE and core network are protected using integrity and ciphering.
- NAS integrity is provided by a Message Authentication Code (MAC) based on the NAS integrity key (IK-NAS).
3. Authentication and Key Agreement (AKA) Procedure:
Authentication Vectors:
- AKA generates authentication vectors that include a RAND (random challenge) and the expected Authentication Token (AUTN) based on the IMSI (International Mobile Subscriber Identity).
Mutual Authentication:
- The UE and the network mutually authenticate each other using authentication vectors and security algorithms.
- This ensures that both the UE and the network are genuine entities and establishes secure communication.
Key Derivation:
- The Authentication Management Field (AMF) and the received RAND are used to derive session keys (KeNB* and KeNB) for encryption and integrity protection.
4. User Plane and Control Plane Separation:
Security Context:
- A security context is established separately for the user plane (UP) and the control plane (CP) to ensure better security.
- Each context has its own set of security keys for encryption, integrity, and authentication.
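The key hierarchy and the per-plane key separation described above can be traced in code. This is an added example, not part of the original page: it assumes the HMAC-SHA-256 key derivation function and the FC and distinguisher constants of 3GPP TS 33.401 Annex A, which the page does not cite, and it uses a constructed sample KASME.

```python
import hashlib
import hmac

# Algorithm type distinguishers and algorithm identity (assumed from TS 33.401).
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 0x01, 0x02, 0x03, 0x04, 0x05
EEA2_AES = 0x02  # 128-EEA2 and 128-EIA2 (AES based) share identity 2


def kdf_input(fc: int, params: list[bytes]) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 ... (each Li is a 2-byte length)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, params: list[bytes]) -> bytes:
    """3GPP KDF: HMAC-SHA-256 over S, giving a 256-bit output."""
    return hmac.new(key, kdf_input(fc, params), hashlib.sha256).digest()


def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    """KeNB = KDF(KASME, FC=0x11, P0=uplink NAS COUNT)."""
    return kdf(kasme, 0x11, [uplink_nas_count.to_bytes(4, "big")])


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """FC=0x15 derivation; the 128-bit key is the low-order half of the output."""
    return kdf(parent, 0x15, [bytes([alg_type]), bytes([alg_id])])[16:]


def derive_all(kasme: bytes, uplink_nas_count: int) -> dict[str, bytes]:
    """NAS keys hang off KASME; RRC and user-plane keys hang off KeNB."""
    kenb = derive_kenb(kasme, uplink_nas_count)
    return {
        "KNASenc": derive_alg_key(kasme, NAS_ENC, EEA2_AES),
        "KNASint": derive_alg_key(kasme, NAS_INT, EEA2_AES),
        "KRRCenc": derive_alg_key(kenb, RRC_ENC, EEA2_AES),
        "KRRCint": derive_alg_key(kenb, RRC_INT, EEA2_AES),
        "KUPenc": derive_alg_key(kenb, UP_ENC, EEA2_AES),
    }


# Constructed sample KASME (not a real subscriber key).
SAMPLE_KASME = bytes(range(32))

if __name__ == "__main__":
    for name, key in derive_all(SAMPLE_KASME, 0).items():
        print(f"{name}: {key.hex()}")
```

Because every key is bound to its purpose through the distinguisher byte, exposure of one derived key (for example the user-plane ciphering key) does not reveal the others or the parent key.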
5. Network Domain Security:
IPsec (Internet Protocol Security):
- For communication between different network elements (e.g., eNodeB, SGW, PGW), IPsec tunnels are used to provide security at the IP layer.
- IPsec provides authentication, confidentiality, and integrity for data transmitted between these network elements.
In summary, LTE ensures confidentiality and integrity of user data through encryption, integrity protection, authentication and key agreement procedures, user and control plane separation, and network domain security mechanisms. These security measures collectively safeguard the communication and data transmitted within the LTE network.