AN NINH TRONG MNG LTE

KS. Bi Trung Thnh

Phng NCPT Mng v H thng

Tm tt: LTE l mng truy nhp di ng s ng vai tr quan trng trong tng th h tng
cung cp cc dch v tng lai. Vi s k tha cc c trng trong lnh vc di ng cng vi
c tnh mng all-IP dn n nhiu yu cu cng nh gii php cho vn an ninh trong min
mng LTE. Bi bo ny s cung cp thng tin tng quan v an ninh trong mng LTE gip cho
cc nh cung cp dch v di ng ti Vit Nam c thm thng tin cn thit trong vic trin khai
cho mng LTE thi gian ti. Phn u bi bo nu ra cc yu cu v an ninh ca mng LTE,
tip theo bi bo gii thiu v kin trc an ninh c a ra bi t chc 3GPP v phn cui bi
bo gii thiu mt s c ch an ninh c th c p dng trn LTE p ng cc yu cu
nu ra.

1. GII THIU Ngoi ra, c mt s yu cu khc i vi

Vi bt k mng IP no vic m bo an
ninh l ti quan trng, iu ny ng vi
mng LTE, l mt mng di ng all-IP vi
kin trc phng (eNodeB c kt ni vi
nhau thng qua giao din X2, v kt ni trc
tip vi EPC thng qua giao din S1, khng
c thnh phn iu khin tp trung cho cc
trm v tuyn).Bn cnh cc nguy c an ninh
r rng trngiao dinv tuyn truyn n v 3.
i khi thit b ngi dng (User Equipment -
UE) cn l cc nguy c an ninh truyn thng
lin quan n cc lin kt IP ca cc nh
cung cp mng LTE. Vic xy dng kin trc
an ninh i ph vi cc nguy c l khi nhau:
u quan trng cho cc nh cung cp di ng.
2. YU CU AN NINH CA MNG
an ninh trn mng LTE c th d dng nhn
ra nh:
- Cc tnh nng an ninh khng c nh
hng ti s tin dng ca ngi dng.
- Cc tnh nngan ninh khng c nh
hng ti qu trnh chuyn dch t 3G ln
LTE.
KIN TRC AN NINH TNG QUT
CA LTE
3GPP a ra kin trc an ninh tng
qut ca LTE trong tiu chun 3GPP
TS33.401 gm 5 nhm tnh nngan ninh khc
Application
(IV)
stratum
User Application Provider Application

LTE
(I) (I)
Home
(III) stratum/
Tiu chun 3GPP TS 33.401 a ra cc USIM
(II)
HE Serving
Stratum
yu cu v cc tnh nng an ninh cn c trong (I) (I)
SN
Transport
mng LTE nh sau: ME
(I) (II) stratum
AN
(I)
- m bo an ninh gia ngi dng v
mng, gm: Hnh 1. Kin trc an ninh tng qut ca LTE
Nhn dng ngi dng v bo mt thit - Network access security (I): tp hp cc
b, tnh nngan ninh cung cp kh nng bo
Nhn thc cc thc th, v truy nhp ngi dng ti cc dch v,
v cng bo v chng li cc cuc tn
Bo mt d liu ngi dng v d liu cng trn lin kt truy nhp v tuyn. V
bo hiu, d: s dng USIM cung cp truy nhp
Ton vn d liu ngi dng v d liu c m bo cho ngi dng ti EPC,
bo hiu. bao gm nhn thc tng h v cc tnh
nng ring khc.
- C kh nng cu hnh v hin th an ninh.
- p ng cc yu cu an ninh trn eNodeB.

283
- Network domain security (II): tp hp
cc tnh nngan ninh cho php cc node
trao i an ton d liu bo hiu v d liu
ngi dng (gia AN v SN, v trong
AN), v cng bo v chng li cc cuc
tn cng trn mnghu tuyn. V d: AS
Security, NAS Security, IPsec EPS.
- User domain security (III):tp hp cc
tnh nngan ninh bo v truy nhp ti cc
MS (Mobile Station). V d: kha mn
hnh, m PIN s dng SIM.
- Application domain security (IV): tp
hp cc tnh nngan ninh cho phpbo v
cc bn tin trao i ca cc ng dng ti
min ngi dng v min nh cung cp.
V d: https.
- Visibility and configurability of security
(V): tp hp cc tnh nngan ninh cho
php thng bo ti ngi dng mt tnh
nng an ninh c ang hot ng hay
khng, v cc dch v ang s dng v
c cung cp nn ph thuc vo tnh
nng an ninh khng.
Di y chng ta s xem xt mt s
tnh nng an ninh p dng cho mng LTE
thuc v cc nhm tnh nng an ninh (I) v
(II), l nhng nhm tnh nng an ninh c
trng v lin quan trc tip n cc thc th
trong mng LTE.
4. MT S CHC NNG V C CH
AN NINH P DNG CHO MNG
LTE
4.1. C ch EPS AKA
L c ch thuc v nhm tnh nngan
ninh(I) v (II), gip nhn thc thu bao trn
mng LTE/EPS, lm c s cho vic to ra cc
kha CK c bn cho U-Plane, RRC v NAS,
cng nh to kha IK cho RRC v AS. C
ch ny c thc hin nh sau:
1) MME gi cc thng tin ca thu bao
nh IMSI, SN ID (Serving Network
ID) ti HSS to ra EPS AV
(Authentication Vector). Sau HSS
gi tr MME cc thng s nhn thc
gm: RAND, XRES, AUTN, KASME.
2) MME gi ti USIM thng qua ME hai
thng s RAND v AUTN cho vic
nhn thc mng t vertor nhn thc
c la chn. MME cng gi mt
KSIASME cho ME s dng cho vic
nhn dng kha KASMEc to ra bi
th tc EPS AKA.
3) Sau khi nhn c thng s t MME,
USIM kim tra xem AV mi hay
khng, bng vic kim tra vic chp
nhn AUTN. Nu tha mn, USIM s
tnh ton RES phn hi, ng thi
cng tnh ton CK v IK gi ti ME.
ME cng kim tra bit 0 ca AUTN
c thit lp bng 1 hay khng.
4) ME phn hi bn tin ch thng s RES
ti MME trong trng hp kim tra
thnh cng. Sau ME tnh ton KASME
thng qua CK, IK v SN ID s dng
thut ton KDF. SN ID dng nhn
dng ngm mng phc v khi kha
KASME c s dng.
5) MME s snh RES v XRES, nu
ging nhau th nhn thc thnh cng.
Vic thc thi AKA c th mt vi trm
ms cho vic tnh ton kha trn USIM v cho
vic kt ni ti HSS, do c th p dng
mt chc nng cho php kha c cp nht
khng c AKA t c tc cao hn
trong LTE.
4.2. H thng phn cp kha
USIM / AuC K
CK, IK
UE / HSS
KASME
UE / MME
KNASenc KNASint
KeNB / NH
UE / eNB
KUPint KUPenc KRRCint KRRCenc
Hnh 2. H thng phn cp kha trong LTE
i vi vic m ha d liu, LTE s
dng mt phng thc m ha lung, trong
d liu c m ha bng cch ly mt
loi tr OR (XOR) ca d liu v lung kha
theo cng cch nh 3G. Cc kha c s
dng to ra lung kha c thay i
thng xuyn trnh lp li lung kha.Cc
kha cng cn khng c s dng ti nhiu
284
im ti thiu ha tn hi do mt trong
cc kha m ha v bo v ton vn b tn
thng. gii quyt vn ny trn LTE,
h thng phn cp kha c s dng.Vic
s dng h thng phn cp kha thuc v
nhm tnh nng an ninh(I) v (II).
H thng phn cp kha hot ng nh
sau:
1) Ging nh mng 3G, USIM v AuC
chia s trc cc thng tin b mt (kha
K).
2) Khi AKA c thc thi cho nhn thc
tng h gia mng v ngi dng,
kha CK cho m ha v IK cho bo v
ton vn c to ra v c trao i
tng ng t USIM ti ME v t AuC
ti HSS.
3) ME v HSS to ra kha KASMEtng
ng t cp kha CK v IK. KASME c
truyn t HSS ti MME ca mng
phc v nh l thng tin c bn trong
phn cp kha.
4) Kha KNASenc cho m ha giao thc
NAS gia UE v MME; v kha
KNASint cho bo v tnh ton vn c
to ra t kha KASME.
5) Khi UE kt ni ti mng, UE v MME
to ra kha KeNB, sau MME truyn
kha ny cho eNodeB. T kha KeNB
ny, cc kha KUPenc cho m ha U-
Plane, kha KRRCenc cho m ha RRC
v kha KRRCint cho bo v tnh ton
vn c to ra.
4.3. Ch AS security v NAS Security
Trong mng LTE, cc tnh nng an ninh
cho tn hiu bo hiu v tn hiu d liu
ngi dng c s dng hai ch l
NAS Security v AS Security. Trong NAS
Security c thc thi khi UE ang trng
thi ri, cho lin kt bo hiu gia UE v
MME. Cn AS Security c thc thi khi UE
trng thi kt ni, cho lin kt truyn ti d
liu ngi dng gia UE v eNB. y l
nhm chc nng thuc v nhm tnh nng an
ninh (II).
Sau khi nhn thc UE tin vo trng thi
ri, ch an ninh NAS c thc thi.Ch
ny s ch huy m phn thut ton m
ha v bo v ton vn cho truyn thng
NASs dng cc kha KNASenc v KNASint.
ME MME
Start integrity
protection
NAS Security Mode Command (eKSI, UE sec capabilities,
Ciphering algorithm, Integrity algorithm,
[IMEISV request,] [NONCEUE, NONCEMME,] NAS-MAC)
Verify NAS SMC integrity. Start uplink
If succesful, start ciphering/ deciphering
deciphering and integrity
protection and send NAS
Security Mode Complete.
NAS Security Mode Complete ([IMEISV,] NAS-MAC)
H Start downlink ciphering
nh 3. Th tc thc hin ch NAS Security
MME gi bn tin NAS Security Mode
Command ti UE, bao gm tham s eKSI cho
xc nh kha KASME, tham s cha kh nng
an ninh ca UE, thut ton m ha v ton
vn, v cc tham s NONEUE v NONCEMME
dng khi chuyn giao. Bn tin ny c bo
v ton vn vi kha ton vn NAS trn c
s kha KASME c ch ra t tham s eKSI
trong bn tin. UE kim tra ton vn ca bn
tin ny, vnu kim tra thnh cng th UE bt
u m ha/gii m ha, bo v ton vn.Sau
UE gi bn tin phn hi NAS Security
Mode Complete ti MME.
Cn ch AS Security c thc hin
ngay sau khi UE tin vo trng thi kt ni,
v p dng ti tt c kt ni gia UE v eNB,
s dng cc kha KRRCenc, KRRCint v KUPenc.
ME eNB
St art RRC
integrity protection
AS Security Mode Command (Integrit y algorithm, Cipheri ng algorithm,
MAC-I)
Verify AS SM C integrity. S tart RRC/UP
If succesful, start RRC integrity downlink ciphering
protection, RRC/UP downli nk
deciphering, and send AS Securit y
Mode Complete.
AS Security Mode Complete (MAC-I)
S tart RRC/UP
uplink ciphering
S tart RRC/UP
uplink deciphering
Hnh 4. Th tc thc hin ch AS Security
Trong ch AS Security, eNodeB gi
bn tin AS Security Mode Command ti ME,
bao gm tham s v cc thut ton m ha v
ton vn. Bn tin ny c bo v ton vn
vi kha ton vn RRC trn c s kha
KASME hin ti.Ti eNodeB, m ha downlink
RRC v UP c thc hin ngay sau khi gi
bn tin ny i.UE kim tra ton vn ca bn
tin ny, nu thnh cng th UE bt u m
ha downlink RRC v UP, v gi bn tin
phn hi AS Security Mode Complete ti
285
eNodeB.eNodeB sau khi nhn bn tin phn
hi th bt u m ha uplink RRC v UP.
Ti nhng ni khng cho php m ha, AS
security c th m phn mt ch cung
cp an ninh khng c m ha.
Cc thut ton m ha v bo v ton
vn s dng trn LTE c da trn c s
Snow 3G v AES (Advanced Encryption
Standard) c chun ha, v thut ton
s dng cho AS c m phn c lp vi
thut ton s dng cho NAS. Hai thut ton
ny cung cp y tnh nng an ninh, v
khc nhau v cu trc s dng c bn trong
3GPP. Do trong trng hp mt thut ton
b hy hoi th thut ton cn li vn tip tc
m bo cho h thng LTE.
4.4. Bo v nhn dng (Identity
Protection)
Nhm tnh nng an ninh (I) cng cung
cp tnh nng an ninh thng qua vic s dng
hai thng s nhn dng vnh vin UE l:
- IMEI: dng nhn dng thit b phn
cng. IMEI ch c gi ti MME trn
NAS, sau khi NAS Security c thit
lp thnh cng (bo v c m ha v
ton vn).
- IMSI: dng nhn dng thu bao.
IMSI hn ch gi qua mi trng v
tuyn, m thay vo l tham s tm
thi GUTI.
4.5. NDS (Network Domain Security)
bo v cho cc lu lng trn c s
IP ti cc giao din ca mng truy cp/truyn
ti (E-UTRAN), ca mng li (EPC), hay
gia cc mng li vi nhau, 3GPP a ra
chc nng NDS/IP (tr giao din S1-U do
y l giao din c bo v ca 3GPP).
NDS c nh ngha trong tiu chun 3GPP
TS 33.210 v l chc nng thuc nhm tnh
nng an ninh (II).
i vi mng LTE, kin trc NDS c
trin khai nh sau:
Hnh 5. Kin trc trin khai NDS trn mng
LTE
- Mng LTE c chia thnh hai loi min
an ninh gm min E-UTRAN v min
EPC. Trong :
Min EPC: ti bin t cc SEG
(Security Gateway), v trong min c
cc NE l cc node mng c trin
khai; v d nh MME,
Min E-UTRAN: do s lng min E-
UTRAN ln v kt ni vi nhau qua
mt mng li phc tp do cng tn ti
hai giao din S1 v X2 nn gii php
t SEG ti bin ca mi min
EUTRAN l khng hp l. V vy ti
cc min E-UTRAN ch c cc NE l
cc node mng (eNodeB) .
- Giao din Za (gia cc SEG) song hnh
cng giao din S8 gia Home-PLMN v
Visited-PLMN, hoc gia Home-PGW v
Visited-PGW.
- Giao din Zb (gia cc NE hoc gia NE
v SEG) song hnh cng giao din S1 v
X2 trong mt mng LTE ca mt nh
cung cp. Giao din ny phi c trin
khai ging vi giao din Za, nhng khng
cn y chc nng ca SEG.
- Giao din Zb gia SEG v NE ca EPC l
ty chn do cc node c th c bo v
v mt vt l (cng mt mng LAN).
- NDS/IP khng m bo an ninh cho kt
ni gia EPC v Internet (giao din SGi).
NDS/IP cung cp cc dch v an ninh
nh sau:
- Nhn thc d liu gc: bo v mt node
khi cc d liu khng r ngun gc.
- Ton vn d liu: bo v d liu c
truyn khng b thay i (man-in-the-
middle).
286
- Bo v chng qu trnh replay.
- Bo mt d liu: bo v chng li vic
nh cp d liu (eavesdropping).
- Bo v gii hn chng li vic phn tch
lung d liu.
Cc c ch bo v c thc hin thng
qua IPsec, c bit l IPsec ESP
(Encapsulating Security Payload) trong ch
ng hm, vi IKE (Internet Key
Exchange) c s dng thit lp mi lin
h an ninh IPsec gia cc SEG hoc gia
SEG v NE. IPsec EPS cung cp cc tnh
nng bo v an ninh, m mi tnh nng l tp
hp ca nhiu thut ton an ninh:
- Nhn thc: cung cp ban u thng qua
nhn thc tng h v trao i kha bo
mt gia cc SEG hoc SEG v NE s
dng giao thc IKE, v thng qua AH
(Authentication Header) ca cc gi tin
IPsec m bo nhn thc trn mi gi,
v d nh s dng SHA-1.
- Ton vn: cung cp thng qua c ch bm
gi m ha IPsec, v d SHA-1.
- Bo mt: cung cp thng qua vic m ha
IPsec ng gi gi tin, v d AES.
- Anti-replay.
- Bo mt gii hn lung d liu.
4.6. Forward Security
y l c ch thuc nhm tnh nng an
ninh (I), c a ra ngn chn vic l
thng tin cc kha KeNB. C ch ny m bo
rng mt eNodeB vi cc thng tin v kha
KeNB chia s gia n v UE, s khng th tnh
ton c cc kha KeNB tng lai c dng
gia UE y vi cc eNodeB khc. c bit
hn, c ch N-hop Forward Security m bo
rng mt eNodeB khng th tnh ton cc
kha s c s dng gia mt UE v cc
eNodeB khc m UE s kt ni sau N ln
hoc nhiu hn N ln chuyn giao (N=1 hoc
2).C ch ny c thc hin thng qua kha
NH (Next-Hop) c lu tr trn MME.
Nguyn l hot ng c th ca c ch
Forward Security nh sau:
Hnh 6. M hnh chui kha cho chuyn giao
Khi AS Security cn c thit lp gia
UE v eNodeB, MME v UE phi to ra cc
kha KeNB v NH t kha KASME.Trong thit
lp khi to, KeNB c to ra trc tip t
KASME v NAS uplink COUNT, tng ng
chui kha NCC = 0.Kha KeNB c s
dng lm kha c s cho vic bo v truyn
thng gia UE v eNodeB. Tip kha NH
c to ra t KASMEv KeNB trn, v kha
ny c s dng cho chui kha NCC=1
hoc ln hn.Khi chuyn giao trc tip gia
cc eNodeB xy ra, th mt kha mi KeNB*
c to ra t kha KeNB ang hot ng
hoc t NH.Qu trnh ly kha KeNB* t KeNB
ang tn ti c m t bi qu trnh ly
kha theo chiu ngang, KeNB* c to ra t
KeNB vi thng s EARFCN-DL (E-UTRAN
Absolute Radio Frequency Channel Number
Downlink) ca kt ni v PCI (Physical
Cell Identity) ca mc tiu..Cn qu trnh ly
kha KeNB* t NH c m t bi qu trnh
ly kha theo chiu dc, KeNB* c to ra t
NH vi thng s EARFCN-DL v PCI.
Do NH ch c th tnh ton duy nht bi
UE v MME, nn vic s dng qu trnh ly
kha t NH m bo c c ch Forward
Security cho qu trnh chuyn giao qua nhiu
eNodeB.Chc nng ny c th gii hn phm
vi ca tn hi, thm ch nu mt kha b r r,
bi v cc kha tng lai s c to ra m
khng s dng kha KeNB hin ti trong
trng hp ly kha theo chiu dc.
5. KT LUN
Cu trc mng LTE l khc bit so vi
cc mng di ng trc nn mng LTE
c p dng nhiu c ch khc nhau p
ng cc yu cu an ninh c t ra. Trong
, mt s c ch l k tha t cc c ch ca
mng 3G nh EPS AKA, Identity Protection,
hay NDS. Mt s c ch l s pht trin mi
dnh ring cho mng LTE nh h thng phn
287
cp kha, AS Security, NAS Security hay
Forward Security. Cc c ch ny c th trin
khai mt cch d dng trn thc t do c
k tha t mng 3G (cc c ch k tha)
hoc c gn lin vi hot ng ca mng
LTE (cc c ch mi). Ngoi cc c ch
trn, cn cc c ch khc thuc nhm tnh
nng an ninh (I) v (II), c cung cp cho
LTE nhng khng cp chi tit trong bi
bo ny nh Home eNodeB Security, M2M
(Machine-to-Machine) Security, Security for
VoLTE. V to thnh mt kin trc an
ninh y cho mng LTE, cc c ch an
ninh cho cc nhm tnh nng an ninh (III),
(IV), (V) cng cn c s dng.
6. TI LIU THAM KHO
1. Dan Forsberg, Gunther Horn, Wolf-
Dietrich Moeller, Valtteri Niemi
(2010), LTE Sercurity, Wiley;
2. Alf Zugenmaier, Hiroshi Aono,
Technology Reports: Security
Technology for SAE/LTE, NTT
DOCOMO Technical Journal Vol. 11
No. 3;
3. Stoke, Inc WHITE PAPER - LTE
Security Concepts and Design
Considerations;
4. 3GPP TS 33.401 v12.9.0 3GPP System
Architechture Evolution (SAE);
Sercurity architecture (Release 12);
5. 3GPP TS 33.210 v12.2.03G security;
Network Domain Security (NDS); IP
network layer security (Release 12);
6. 3GPP TS 33.310 v12.0.0 Network
Domain Security (NDS); Authentication
Framework (AF) (Release 12);

Thng tin tc gi: Bi Trung Thnh

Nm sinh: 1988
L lch khoa hc: Tt nghip Trng HBK H Ni, 2006, Chuyn
ngnh: in t - Vin thng)
Hng nghin cu: SDN, 4G-LTE, Networking
Email: thanhbt@ptit.edu.vn; thanhbt@cdit.com.vn

288