Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 33.868  Word version:  12.1.0

Top   Top   Up   Prev   None
1…   4…
4 Overview of Security Architecture5 Description of envisioned security aspects of Machine-Type and other Mobile Data Applications Communications Enhancements6 General Security Requirement7 ConclusionsA Key Issues and Solutions deferred from Rel-12$ Change History

 

4  Overview of Security Architecturep. 13

5  Description of envisioned security aspects of Machine-Type and other Mobile Data Applications Communications Enhancementsp. 15

5.1  Device Triggering Enhancementsp. 15

5.1.1  Issue Detailsp. 15

5.1.2  Threatsp. 15

5.1.3  Security Requirementsp. 16

5.1.3.0  Generalp. 16

5.1.3.1  SMS based triggeringp. 16

5.1.3.2  NAS Signalling based triggeringp. 17

5.1.3.3  User Plane based triggeringp. 17

5.1.4  Solutionsp. 17

5.1.4.0  Generalp. 17

5.1.4.1  For offline Device Triggering:p. 17

5.1.4.1.0  Generalp. 17
5.1.4.1.1  Impacts on existing nodes or functionalityp. 18

5.1.4.2  For online Device Triggeringp. 18

5.1.4.2.1  General descriptionp. 18
5.1.4.2.2  Solution 1: Triggering via NAS signallingp. 18
5.1.4.2.3  Solution 2: Solution for fake SMS triggering from normal UE in the same network as UE used only for MTCp. 19
5.1.4.2.4  Solution 3: Solutions protecting SMS triggeringp. 20
5.1.4.2.5  Solution 4: Triggering via User planep. 21
5.1.4.2.6  Solution 5: Using GBA Push to secure Device triggering procedure over Tsp and T4p. 21
5.1.4.2.7  Solution 6: Secure Trigger Delivery with Security Association between MTC-IWF and UEp. 24
5.1.4.2.8  Solution 7: Using regular GBA and GPL to secure Device triggering procedure over Tsp and T4p. 24
5.1.4.2.9  Solution 8: Using GBA Push to secure Device triggering procedure over Tsmsp. 26
5.1.4.2.10  Impacts on existing nodes or functionalityp. 28

5.1.5  Evaluationp. 29

5.2  Secure Connectionp. 32

5.2.1  Issue Detailsp. 32

5.2.2  Threatsp. 32

5.2.3  Security Requirementsp. 32

5.2.4  Solutionsp. 32

5.2.4.1  GBA based solutionp. 32

5.2.4.1.1  UE initiated Secure Connection based on GBAp. 32
5.2.4.1.2  Network initiated Secure Connection based on GBApushp. 34

5.2.4.2  EAP based solutionp. 36

5.2.4.2.1  IKEv2 based solutionp. 36
5.2.4.2.2  EAP/PANA based Solution:p. 38

5.2.5  Evaluationp. 38

5.2.5.0  Generalp. 38

5.2.5.1  Evaluation for GBA/GBA push based solution:p. 38

5.2.5.2  Evaluation for EAP-AKA method:p. 39

5.3  External Interface Securityp. 40

5.3.1  Issue Detailsp. 40

5.3.2  Threatsp. 40

5.3.3  Security requirementsp. 41

5.3.4  Solutionsp. 42

5.3.4.0  Generalp. 42

5.3.4.1  Tsp interface security for MTC Server outside the operator domainp. 42

5.3.4.2  MTC Server inside the operator domainp. 43

5.3.5  Evaluationp. 43

5.4  Restricting the USIM to specific UEsp. 43

5.4.1  Issues Detailsp. 43

5.4.2  Threatsp. 44

5.4.3  Security Requirementsp. 44

5.4.4  Solutionsp. 44

5.4.4.0  Generalp. 44

5.4.4.1  User Equipment-based pairingsp. 44

5.4.4.1.0  Generalp. 44
5.4.4.1.1  Secure Channel pairingp. 44
5.4.4.1.2  USAT application pairingp. 45
5.4.4.1.3  PIN presentation pairingp. 46

5.4.4.2  Network based pairingsp. 46

5.4.4.2.1  IMSI-IMEI binding in HSSp. 46
5.4.4.2.2  Enhanced AKA authenticationp. 48
5.4.4.2.3  Pairing based on symmetric shared secretp. 52

5.4.5  Evaluationp. 62

5.4.5.1  User Equipment-based pairingsp. 62

5.4.5.1.1  Secure Channel pairingp. 62
5.4.5.1.2  USAT application pairingp. 63
5.4.5.1.3  PIN verification pairingp. 64

5.4.5.2  Network based pairingsp. 65

5.4.5.2.1  IMSI-IMEI binding in HSSp. 65
5.4.5.2.2  Enhanced AKAp. 66
5.4.5.2.3  Pairing based on symmetric shared secretp. 67

5.5  Privacy concernp. 67

5.5.1  Issue Detailsp. 67

5.5.2  Threatsp. 68

5.5.3  Security Requirementsp. 68

5.5.4  Solutionsp. 68

5.5.4.0  Generalp. 68

5.5.4.1  UE based methodp. 69

5.5.4.2  Network based methodp. 69

5.5.5  Evaluationp. 70

5.6  UE Power Consumption Optimizationsp. 70

5.6.1  Issue Detailsp. 70

5.6.2  Threatsp. 70

5.6.3  Security Requirementsp. 70

5.6.4  Solutionsp. 70

5.6.4.1  General descriptionp. 70

5.7  Security of Small Data Transmissionp. 71

5.7.1  Issue Detailsp. 71

5.7.2  Threatsp. 71

5.7.2.1  Small data encapsulation in the NASp. 71

5.7.2.2  Small data fast path in the user planep. 72

5.7.3  Security requirementsp. 74

5.7.4  Solutionsp. 75

5.7.4.1  Small data transfer in NAS PDUp. 75

5.7.4.1.1  General descriptionp. 75
5.7.4.1.2  Solution 1: Partly cipheringp. 75
5.7.4.1.3  Analysis of NAS signalling key management in LTEp. 77

5.7.4.2  Small Data Fast Path in User Planep. 78

5.7.4.2.0  Generalp. 78
5.7.4.2.1  Termination point of security for small data in the networkp. 78
5.7.4.2.2  General description of proposed solutionp. 79
5.7.4.2.3  Small data transfer security contextp. 79
5.7.4.2.3A  Small data transfer security protocolp. 81
5.7.4.2.4  Small data transfer security context establishment at Attach procedurep. 82
5.7.4.2.5  UE initiated uplink (UL) small datap. 84
5.7.4.2.6  Network initiated downlink (DL) small datap. 85
5.7.4.2.7  S-GW relocationp. 86
5.7.4.2.8  Switching between small data fast path and regular UPp. 87

5.7.4.3  Connectionless Data Transmission solutionp. 87

5.7.4.3.0  Generalp. 87
5.7.4.3.1  UE Initial Access and Token Allocationp. 87
5.7.4.3.2  Use of a Token for Subsequent Network Accessp. 89
5.7.4.3.3  Cached Context Invalidation and Deletionp. 91
5.7.4.3.4  Token Lifetime Management.p. 91
5.7.4.3.5  Threat scenariosp. 92

5.7.4.4  MTC-IWF based Secure Solution for Small data transmissionp. 93

5.7.4.4.1  Background and requirementsp. 93
5.7.4.4.2  Potential solutionsp. 93
5.7.4.4.3  Solution overviewp. 93
5.7.4.4.4  Detailed Solutionp. 94

5.7.4.5  Connectionless Data Transmission Solution Using Separate Security Contextp. 100

5.7.4.5.1  Generalp. 100
5.7.4.5.2  Separate Security Context Mechanismp. 101
5.7.4.5.3  Key Derivationp. 101
5.7.4.5.4  Security Procedure:p. 102
5.7.4.5.5  Switching from Connectionless to Connected modep. 103

5.7.6  Evaluationp. 104

5.7.6.1  Generalp. 104

5.7.6.2  Connectionless Data Transmission Solutionp. 104

5.7.6.3  MTC-IWF based Secure Solution for Small data transmissionp. 104

5.7.6.3.0  Generalp. 104
5.7.6.3.1  Benefitsp. 104
5.7.6.3.2  Impacts to existing systemp. 106
5.7.6.3.3  Open issuesp. 106

5.7.6.4  Security Solutions of Small Data Transfer in NAS PDUp. 106

5.7.6.5  Security Solution of Small Data Fast Path in User Planep. 106

5.7.6.6  Security Evaluation on Different Solutions of Small Data Optimizationp. 107

5.7.6.7  Overall Evaluationp. 108

6  General Security Requirementp. 109

7  Conclusionsp. 109

7.1  Rel-11 Conclusionsp. 109

7.2  Rel-12 Conclusionsp. 109

A  Key Issues and Solutions deferred from Rel-12p. 110

A.1  Time controlledp. 110

A.1.1  Issue Detailsp. 110

A.1.2  Threatsp. 110

A.1.3  Security requirementsp. 110

A.1.4  Solutionsp. 110

A.1.5  Evaluationp. 111

A.2  Low Mobilityp. 111

A.2.1  Issue Detailsp. 111

A.2.2  Threatsp. 111

A.3  Security of UE Configurationp. 111

A.3.1  Issues Detailsp. 111

A.3.2  Threatsp. 111

A.3.3  Security Requirementsp. 111

A.3.4  Solutionsp. 112

A.3.4.1  ME Configurationp. 112

A.3.4.2  UICC Configurationp. 112

A.3.5  Evaluationp. 113

A.4  Reject message without integrity protectionp. 113

A.4.1  Issue Detailsp. 113

A.4.2  Threatsp. 113

A.4.3  Security Requirementsp. 113

A.5  Congestion Controlp. 113

A.5.1  Issue Detailsp. 113

A.5.2  Threatsp. 113

A.5.3  Security requirementsp. 113

A.5.4  Solutionsp. 114

A.5.5  Evaluationp. 114

A.6  Group Based Featurep. 114

A.6.1  Issue Detailsp. 114

A.6.2  Threatsp. 115

A.6.3  Security Requirementsp. 115

A.6.4  Solutionsp. 115

A.6.4.1  Solution 1: Application layer based protectionp. 115

A.6.4.2  Solution 2: Network based protection for cell broadcastp. 115

A.6.4.3  Solution 3: MBMS based methodp. 116

A.6.4.4  Solution 4: Authentication of UEs of a groupp. 117

A.6.5  Evaluationp. 117

A.7  Monitoringp. 117

A.7.1  Issue Detailsp. 117

A.7.2  Threatsp. 117

A.7.3  Security Requirementsp. 117

A.7.4  Solutionsp. 118

A.7.4.1  Location Managementp. 118

A.7.4.1.0  Generalp. 118
A.7.4.1.1  Impacts on existing nodes or functionalityp. 118

A.7.5  Evaluationp. 118

$  Change Historyp. 119

Up   Top