Content for TR 33.926 Word version: 19.1.0

1… 4… 5… 6… A… B… C… D… E… F… G… H… I… J… K… L… M… N… O… P… Q… R… S… T… U… V… W… X… Y…

C.1 Network product class description for the eNB C.2 Assets and threats specific to the eNB C.2.1 Critical assets C.2.2 Threats related to Control plane and User plane C.2.3 Threats related to key reuse
...

C Aspects specific to the network product class eNB |R15| p. 39

C.1 Network product class description for the eNB p. 39

C.1.1 Introduction p. 39

The present document captures the network product class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the aspects specific to one network product class.

C.1.2 Minimum set of functions defining the eNB network product class p. 39

As part of the eNB network product, it is expected that the eNB contains eNB application, a set of running processes (typically more than one) executing the software package for the eNB functions and OAM functions that are specific to the eNB network product model. Functionalities specific to the eNB network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.216.

C.2 Assets and threats specific to the eNB p. 39

C.2.1 Critical assets p. 39

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the eNB to be protected are:

eNB Application;
Mobility Management data: e.g. subscriber's identities (e.g. IMSI), subscriber keys (i.e. KUPenc, KRRCenc, KRRCint, NH), authentication parameters, address of serving gateway, APN name, data related to mobility management like UE measurements, UE's IP address, etc., QoS and so on, etc.
User plane data
The interfaces of eNB to be protected and which are within SCAS scope: for example
- S1 interface
- X2 interface
- Console interface, for local access: local interface on eNB
- OAM interface, for remote access: interface between eNB and OAM system
NOTE 1:
The detailed interfaces of the eNB class are described in clause 4, Network Product Class Description of the present document.
eNB Software: binary code or executable code

NOTE 2:
eNB files may be any file owned by a user (root user as well as non root uses), including User account data and credentials, Log data, configuration data, OS files, eNB application, Mobility Management data or eNB Software.

C.2.2 Threats related to Control plane and User plane p. 40

C.2.2.1 Control plane data confidentiality protection p. 40

Threat name: Control plane data confidentiality protection
Threat Category: Tampering data, Information Disclosure, Denial of Service, Masquerading attack.
Threat Description: If the eNB does not provide confidentiality protection for control plane packets on the S1/X2 reference points, then the control plane packets sent between eNBs (eg. inter-eNB handover) and from eNB to MME (eg. handover on MME change) can be manipulated and the eNB can be compromised by attackers to prevent service to legitimate users (eg. Handover failure). Moreover, the UE identifiers, security capabilities, the security algorithms and key materials exchanged between eNBs and eNB-MME can be accessed by the attackers leading to huge security breach. There, any active attacker can perform masquerading by making use of the legitimate users' UE identifiers to gain access to the network. This threat scenario assumes that the S1, X2 reference points are not within the security environment
Threatened Asset: User account data and credential

C.2.2.2 Control plane data integrity protection p. 40

Threat name: Control plane data integrity protection
Threat Category: Tampering data, Denial of Service
Threat Description: If the eNB does not provide integrity protection for control plane packets on S1/X2 reference points, the control plane packets between eNBs on X2-C and from eNB to MME on S1-MME interface risks being exposed and/or modified. The intruder manipulations on control plane packets will lead to denial of service to legitimate users. This threat scenario assumes that the S1, X2 reference points are not within the security environment
Threatened Asset: Sufficient Processing Capacity

C.2.2.3 User plane data ciphering and deciphering at eNB p. 40

Threat name: User plane data ciphering and deciphering at eNB
Threat Category: Tampering data, Information Disclosure, User tracking, Denial of Service, Man-in-the-middle
Threat Description: If the eNB does not cipher and decipher user plane packets between the Uu reference point and the S1/X2 reference points, then the attackers can manipulate and compromise user packets on Uu, X2-U and S1-U interface to launch Denial of Service as well as Man-in-the middle attack. The attackers can gain access to user identifiers, IMSI, serving network identifiers, location information and can perform user tracking. This threat scenario assumes that the S1, X2 reference points are not within the security environment
Threatened Asset: User account data and credential

C.2.2.4 User plane data integrity protection p. 41

Threat name: User plane data integrity protection
Threat Category: Tampering data, Denial of Service
Threat Description: If the eNB does not handle integrity protection for user plane packets for the S1/X2 reference points then all the uplink/downlink user plane packets over X2-U and S1-U can be attacked and/or manipulated by intruders to launch Denial of Service attack. This threat scenario assumes that the S1, X2 reference points are not within the security environment
Threatened Asset: Sufficient Processing Capacity.

C.2.2.5 Local user plane integrity protection configuration |R18| p. 41

Threat name: Local user plane integrity protection configuration
Threat Category: Tampering data
Threat Description: When an eNB supports user plane integrity protection, and if the eNB is not preconfigured with a user plane integrity protection policy, and if the UE supports user plane integrity protection, then the protection might be disabled exposing the user plane data to tampering attacks when the MME does not send a user plane integrity protection policy to the eNB.
Threatened Asset: user plane data.

C.2.2.6 UP integrity protection policy selection |R18| p. 41

Threat name: UP integrity protection policy selection
Threat Category: Tampering data
Threat Description: When a eNB supports user plane integrity protection, and if the UP integrity protection policy sent by MME does not take precedence over the locally configured one, then the user plane data protection may be disabled which does no longer comply with the service session requirements and exposes the user plane data to tampering attacks.
Threatened Asset: user plane data.

C.2.2.7 Bidding down on UP IP policy |R18| p. 41

Threat name: Bidding down on UP IP policy.
Threat Category: Tampering Data, Information Disclosure, Denial of Service.
Threat Description: If the eNB does not send the UP IP policy, the MME cannot verify current UP IP policy is the same as the UP IP policy that the MME has stored, the attacker (e.g. source eNB) may force the system to accept a weaker UP IP policy (e.g. REQUIRED → NOT NEEDED or none) than the system is allowed, or there may be case that source eNB is not upgraded to support UP IP feature thus UP IP policy from MME is lost, it will force the system into a lowered security level making the system easily attacked and/or compromised.
Threatened Asset: Sufficient processing capability, Mobility Management data.

C.2.3 Threats related to key reuse |R16| p. 41

C.2.3.1 Key reuse for eavesdropping p. 41

Threat name: Key reuse for eavesdropping
Threat Category: Information Disclosure
Threat Description: if the AS keys are not refreshed by the eNB, the key stream reuse is possible. This can result in information disclosure of AS signalling and user plane data. The threat of key stream reuse occurs under the following conditions:
- when the PDCP COUNT wraps around and is reused with the same Radio Bearer (RB) identity and with the same KeNB, e.g. due to the transfer of large volumes of data.
- when the PDCP COUNT is reset to 0 but the RB identity and key stay the same (e.g. the successive Radio Bearer establishment uses the same RB identity and keys, or the RB identity is increased after multiple calls and wraps around).
Threatened Asset: User plane data, Mobility Management data.