Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 33.816  Word version:  10.0.0

Top   Top   Up   Prev   None
1…   4…   10…
10 Proposed Solutions11 Conclusions$ Change history

 

10  Proposed Solutionsp. 31

10.1  Solution 1 - IPsec for control and user planep. 31

10.1.1  Generalp. 31

10.1.2  Security Proceduresp. 31

10.1.3  UICC Aspects in RN scenariosp. 31

10.1.4  Enrolment procedures for RNs for backhaul link securityp. 31

10.1.5  Analysis of Solution 1p. 32

10.2  Solution 2 - IPsec for control and user plane with certificate and AKA authentication in IKEp. 32

10.2.1  Generalp. 32

10.2.2  Security Proceduresp. 32

10.2.3  UICC Aspects in RN scenariosp. 32

10.2.4  Enrolment procedures for RNs for backhaul link securityp. 32

10.2.5  Analysis of Solution 2p. 33

10.3  Solution 3 - AKA credentials embedded in RNp. 33

10.3.1  Generalp. 33

10.3.2  Security Proceduresp. 33

10.3.3  UICC Aspects in RN scenariosp. 33

10.3.4  Enrolment procedures for RNs for backhaul link securityp. 33

10.3.5  Analysis of Solution 3p. 34

10.4  Solution 4 - IPsec for control plane and secure channel between RN and USIM with AKA credentials stored in UICCp. 34

10.4.1  Generalp. 34

10.4.2  Security Proceduresp. 34

10.4.3  UICC Binding Aspects in RN scenariosp. 36

10.4.4  Enrolment procedures for RNsp. 37

10.4.5  Secure management procedures for RNsp. 37

10.4.6  Certificate validationp. 37

10.4.7  Profiles of solution 4p. 38

10.4.7.1  Solution profile 4Ap. 38

10.4.7.1.1  Generalp. 38
10.4.7.1.2  Security Proceduresp. 38
10.4.7.1.3  USIM Binding Aspects in RN scenariosp. 39
10.4.7.1.4  Enrolment procedures for RNsp. 39
10.4.7.1.5  Secure management procedures for RNsp. 39
10.4.7.1.6  Certificate validationp. 39

10.4.7.2  Solution profile 4Bp. 40

10.4.7.2.1  Generalp. 40
10.4.7.2.2  Security Proceduresp. 40
10.4.7.2.3  USIM Binding Aspectsp. 41
10.4.7.2.4  Enrolment procedures for RNsp. 41
10.4.7.2.5  Secure management procedures for RNsp. 41
10.4.7.2.6  Certificate and subscription handlingp. 41

10.4.8  Analysis of Solution 4p. 42

10.4.8.1  How does solution 4 address the threats in clause 5?p. 42

10.4.8.2  How does solution 4 fulfil the requirements in clause 6?p. 43

10.4.8.3  How does solution 4 address the general Editor's notes and the residual threats in clause 8.1.2.1?p. 44

10.5  Solution 5 - Enhanced AKA to include device authenticationp. 45

10.5.1  Generalp. 45

10.5.2  Security Proceduresp. 45

10.5.2.1  Generalp. 45

10.5.2.2  Enhanced AKA authenticationp. 46

10.5.2.2.1  High level descriptionp. 46
10.5.2.2.2  Security Analysisp. 47
10.5.2.2.3  Attach flow and rekeying E-UTRAN keysp. 48
10.5.2.2.4  Changes to NAS messagesp. 49
10.5.2.2.5  Profiles of Cryptographic Functionsp. 49
10.5.2.2.6  Error casesp. 50

10.5.3  UICC Aspects in RN scenariosp. 50

10.5.4  Enrolment procedures for RNs for backhaul link securityp. 50

10.5.5  Analysis of Solution 5p. 51

10.5.5.1  How does solution 5 address the threats in clause 5?p. 51

10.5.5.2  How does solution 5 fulfil the requirements in clause 6?p. 52

10.5.5.3  How does solution 5 address the general Editor's notes and the residual threats in clause 8.1.2.1?p. 53

10.5.5.4  How does solution 5 address the general Editor's notes and the residual threats in clause 8.1.2.2?p. 54

10.5.5.5  Analysis of solution 5 not related to threatsp. 54

10.6  Solution 6: AKA for Relay Node UE authentication and secure channel between RN and USIMp. 54

10.6.1  Generalp. 54

10.6.2  Security Proceduresp. 55

10.6.3  UICC Aspects in RN scenariosp. 55

10.6.4  Enrolment procedures for RNs for backhaul link securityp. 55

10.7  Solution 7: AKA for Relay Node UE authentication and IPSec protectionp. 55

10.7.1  Generalp. 55

10.7.2  Security Proceduresp. 56

10.7.3  UICC Aspects in RN scenariosp. 56

10.7.4  Pre-shared Key Enrolment procedures for RNs for backhaul link securityp. 56

10.7.5  Analysis of Solution 7p. 57

10.7.5.1  Countermeasures for the threats in clause 5p. 57

10.7.5.2  How does solution 7 fulfil the requirements in clause 6p. 58

10.7.5.3  Benefits of PSK based IPsec tunnel in solution 7p. 59

10.8  Solution 8 - Enhancing AKA to include device authentication via symmetric key in RN and HSS/MMEp. 59

10.8.1  Generalp. 59

10.8.2  Security Proceduresp. 59

10.8.2.1  Generalp. 59

10.8.2.2  Enhanced EPS-AKA using a relay-node device secret keyp. 59

10.8.2.3  Improvement using enhanced authentication datap. 60

10.8.3  UICC Aspects in RN scenariosp. 62

10.8.4  Enrolment procedures for RNs for backhaul link securityp. 63

10.8.5  Analysis of solution 8p. 63

10.8.5.1  How does solution 8 address the threats in clause 5.3?p. 63

10.8.5.2  How does the solution 8 fulfil the requirements in clause 6.2?p. 64

10.8.5.3  How does the solution 8 address the general Editor's notes and the residual threats in clause 8.1.2.1.2?p. 65

10.8.5.4  How does solution 8 address the general Editor's notes and the residual threats in clause 8.1.2.2?p. 66

10.8.5.5  Analysis of solution 8 not related to threatsp. 66

10.9  Solution 9 - IPsec or PDCP security for control plane and with key binding for AS securityp. 66

10.9.1  Generalp. 66

10.9.2  Security Proceduresp. 68

10.9.2.1  Start up procedure phase II: Attach for RN operationp. 68

10.9.2.2  Binding of RN platform authentication to the AS security contextp. 69

10.9.2.2.1  Purpose of the bindingp. 69
10.9.2.2.2  Binding KO and the keys from RN subscription authenticationp. 69
10.9.2.2.3  Switching to the KO-bound AS security contextp. 70
10.9.2.2.4  Establishment of KOp. 70
10.9.2.2.5  KeNB chaining, change of KO and change of IPsec SAsp. 70

10.9.2.3  Analysis of protection against identified threatsp. 71

10.9.3  UICC Aspects in RN scenariosp. 72

10.9.4  Enrolment procedures for RNs for backhaul link securityp. 72

10.10  Solution 10 - Secure channel between RN and USIM with a one-to-one mapping between RN and UICCp. 72

10.10.1  Generalp. 72

10.10.2  Security Proceduresp. 72

10.10.3  UICC Aspects in RN scenariosp. 72

10.10.4  Enrolment procedures for RNs for backhaul link securityp. 73

10.11  Solution 11 - Secure Channel between USIM and RN and AS integrity for S1 /X2; Variant with two USIMsp. 73

10.11.1  Generalp. 73

10.11.2  Security Proceduresp. 73

10.11.3  USIM Binding Aspects in RN scenariosp. 75

10.11.4  Enrolment procedures for RNsp. 75

10.11.5  Secure management procedures for RNsp. 76

10.11.6  Certificate validationp. 76

10.11.7  Profiles of solution 11p. 76

10.11.7.1  Solution profile 11Ap. 76

10.11.7.1.1  Generalp. 76
10.11.7.1.2  Security Proceduresp. 77
10.11.7.1.3  USIM Binding Aspects in RN scenariosp. 78
10.11.7.1.4  Enrolment procedures for RNsp. 78
10.11.7.1.5  Secure management procedures for RNsp. 78
10.11.7.1.6  Certificate validationp. 78

10.11.7.2  Solution profile 11Bp. 78

10.11.7.2.1  Generalp. 78
10.11.7.2.2  Security Proceduresp. 79
10.11.7.2.3  USIM Binding Aspectsp. 81
10.11.7.2.4  Enrolment procedures for RNsp. 81
10.11.7.2.5  Secure management procedures for RNsp. 81
10.11.7.2.6  Certificate and subscription handlingp. 82

10.11.8  Analysis of Solution 11p. 82

10.11.8.1  How does solution 11 address the threats in clause 5?p. 82

10.11.8.2  How does the solution 11 fulfill the requirements in clause 6?p. 84

10.11.8.3  How does the solution 11 address the general Editor's notes and the residual threats in clause 8.1.2.1?p. 85

10.12  Solution 12 - Secure Channel between USIM and RN and AS integrity for S1 /X2; Variant with modified KASMEp. 86

10.12.1  Generalp. 86

10.12.2  Security Proceduresp. 86

10.12.3  USIM Binding Aspects in RN scenariosp. 88

10.12.4  Enrolment procedures for RNsp. 88

10.12.5  Secure management procedures for RNsp. 89

10.12.6  Certificate validation checksp. 89

10.12.7  Analysis of Solution 12p. 89

10.12.7.1  How does solution 12 address the threats in clause 5?p. 89

10.12.7.2  How does the solution 12 fulfill the requirements in clause 6?p. 91

10.12.7.3  How does the solution 12 address the general Editor's notes and the residual threats in clause 8.1.2.1?p. 92

11  Conclusionsp. 93

$  Change historyp. 94

Up   Top