
SECURITY IN THE LTE NETWORK

Eng. Bùi Trung Thành

Network and Systems Research and Development Department (Phòng NCPT Mạng và Hệ thống)

Abstract: LTE is a mobile access network that will play an important role in the overall infrastructure for delivering future services. Its inheritance of the characteristics of the mobile domain, together with its all-IP nature, leads to many requirements, and many solutions, for security within the LTE network domain. This paper gives an overview of security in LTE networks so that mobile service providers in Vietnam have the information they need for their upcoming LTE deployments. The first part of the paper states the security requirements of the LTE network; the paper then introduces the security architecture defined by 3GPP, and the final part introduces a number of specific security mechanisms applied in LTE to meet the stated requirements.
1. INTRODUCTION

For any IP network, ensuring security is of the highest importance, and this holds for LTE, an all-IP mobile network with a flat architecture (eNodeBs are connected to one another through the X2 interface and directly to the EPC through the S1 interface, with no centralised control element for the radio base stations). Besides the obvious security risks on the radio interface to and from the user equipment (User Equipment, UE), there are the traditional security risks associated with the IP links of LTE network providers. Building a security architecture that counters these risks is an important starting point for mobile operators.

2. SECURITY REQUIREMENTS OF THE LTE NETWORK

The 3GPP TS 33.401 standard sets out the following requirements for the security features an LTE network must have:
- Ensure security between the user and the network, comprising:
  user identity and device confidentiality,
  authentication of entities,
  confidentiality of user data and signalling data,
  integrity of user data and signalling data.
- Provide configurability and visibility of security.
- Meet the security requirements placed on the eNodeB.
In addition, there are some further requirements on LTE security that are easy to recognise, such as:
- Security features must not affect the user's convenience.
- Security features must not affect the migration from 3G to LTE.

3. GENERAL SECURITY ARCHITECTURE OF LTE

3GPP sets out the general security architecture of LTE in 3GPP TS 33.401; it comprises five different groups of security features:

Figure 1. General security architecture of LTE (the diagram shows the USIM, ME, AN, SN and HE across the application stratum, the home stratum/serving stratum and the transport stratum, with the user application and provider application at the top and the feature groups (I) to (IV) marked on the interfaces between these elements)

- Network access security (I): the set of security features that protect users' access to services and also protect against attacks on the radio access link. For example, the USIM is used to give the user assured access to the EPC, including mutual authentication and other privacy features.
- Network domain security (II): the set of security features that let nodes exchange signalling data and user data securely (between the AN and the SN, and within the AN) and also protect against attacks on the wireline network. For example: AS Security, NAS Security, IPsec in the EPS.
- User domain security (III): the set of security features that protect access to the MS (Mobile Station). For example: screen lock, the PIN code used with the SIM.
- Application domain security (IV): the set of security features that protect the messages exchanged by applications in the user domain and the provider domain. For example: HTTPS.
- Visibility and configurability of security (V): the set of security features that let the user be informed whether a security feature is in operation, and whether the services in use and being provided should depend on that security feature.
Below we look at some security features applied in the LTE network that belong to feature groups (I) and (II), since these are the characteristic groups and the ones directly related to the entities in the LTE network.

4. SOME SECURITY FUNCTIONS AND MECHANISMS APPLIED IN THE LTE NETWORK

4.1. The EPS AKA mechanism

This mechanism belongs to feature groups (I) and (II). It authenticates the subscriber on the LTE/EPS network and provides the basis for generating the basic ciphering keys (CK) for the U-Plane, RRC and NAS, as well as the integrity keys (IK) for RRC and AS. It is carried out as follows:
1) The MME sends subscriber information such as the IMSI and the SN ID (Serving Network ID) to the HSS to generate the EPS AV (Authentication Vector). The HSS then returns the authentication parameters RAND, XRES, AUTN and KASME to the MME.
2) The MME sends the two parameters RAND and AUTN from the selected authentication vector to the USIM, via the ME, for network authentication. The MME also sends a KSIASME to the ME, used to identify the KASME produced by the EPS AKA procedure.
3) On receiving the parameters from the MME, the USIM checks whether the AV is fresh by checking whether AUTN is acceptable. If it is, the USIM computes the response RES and also computes CK and IK, which it sends to the ME. The ME also checks whether bit 0 of AUTN is set to 1.
4) If the check succeeds, the ME returns a message containing RES to the MME. The ME then computes KASME from CK, IK and the SN ID using the KDF algorithm. The SN ID implicitly identifies the serving network whenever KASME is used.
5) The MME compares RES with XRES; if they match, authentication succeeds.
Running AKA can take several hundred milliseconds for the key computation on the USIM and for the connection to the HSS, so a function that lets keys be updated without running AKA can be applied to achieve higher speed in LTE.

4.2. The key hierarchy

For data encryption, LTE uses a stream cipher in which the data is encrypted by taking the exclusive OR (XOR) of the data and a keystream, in the same way as 3G. The keys used to generate the keystream are changed frequently to avoid keystream repetition. The keys also should not be used at many points, so as to minimise the damage when one of the ciphering or integrity keys is compromised. To address this, LTE uses a key hierarchy. The use of the key hierarchy belongs to feature groups (I) and (II).

Figure 2. The key hierarchy in LTE (K shared by the USIM and the AuC; CK and IK at UE/HSS; KASME at UE/MME, from which KNASenc and KNASint are derived; KeNB/NH at UE/eNB, from which KUPenc, KUPint, KRRCenc and KRRCint are derived)

The key hierarchy works as follows:
1) As in the 3G network, the USIM and the AuC share secret information (the key K) in advance.
2) When AKA is run for mutual authentication between the network and the user, the key CK for ciphering and the key IK for integrity protection are generated and passed, respectively, from the USIM to the ME and from the AuC to the HSS.
3) The ME and the HSS each generate the key KASME from the pair CK and IK. KASME is passed from the HSS to the MME of the serving network as the root of the key hierarchy.
4) The key KNASenc for ciphering the NAS protocol between the UE and the MME, and the key KNASint for its integrity protection, are derived from KASME.
5) When the UE connects to the network, the UE and the MME generate the key KeNB, and the MME then passes this key to the eNodeB. From KeNB, the keys KUPenc for U-Plane ciphering, KRRCenc for RRC ciphering and KRRCint for RRC integrity protection are derived.

4.3. AS Security and NAS Security modes

In the LTE network, the security features for signalling and for user data are used in two modes, NAS Security and AS Security. NAS Security is run when the UE is in idle state, for the signalling link between the UE and the MME. AS Security is run when the UE is in connected state, for the user-data transport link between the UE and the eNB. This group of functions belongs to feature group (II).

After authentication the UE enters idle state and the NAS security mode is run. This mode drives the negotiation of the ciphering and integrity protection algorithms for NAS communication, using the keys KNASenc and KNASint.

Figure 3. NAS Security Mode procedure (ME and MME): the MME starts integrity protection and sends NAS Security Mode Command (eKSI, UE security capabilities, ciphering algorithm, integrity algorithm, [IMEISV request,] [NONCEUE, NONCEMME,] NAS-MAC); the ME verifies the integrity of the NAS SMC and, if successful, starts ciphering/deciphering and integrity protection and sends NAS Security Mode Complete ([IMEISV,] NAS-MAC); the MME starts uplink deciphering and then downlink ciphering.

The MME sends the NAS Security Mode Command message to the UE. It contains the parameter eKSI identifying the key KASME, a parameter carrying the UE's security capabilities, the ciphering and integrity algorithms, and the parameters NONCEUE and NONCEMME used at handover. The message is integrity protected with the NAS integrity key derived from the KASME indicated by the eKSI parameter in the message. The UE checks the integrity of this message and, if the check succeeds, starts ciphering/deciphering and integrity protection. The UE then sends the response message NAS Security Mode Complete to the MME.

AS Security mode, in turn, is run as soon as the UE enters connected state; it applies to all connections between the UE and the eNB and uses the keys KRRCenc, KRRCint and KUPenc.

Figure 4. AS Security Mode procedure (ME and eNB): the eNB starts RRC integrity protection and sends AS Security Mode Command (integrity algorithm, ciphering algorithm, MAC-I), then starts RRC/UP downlink ciphering; the ME verifies the integrity of the AS SMC and, if successful, starts RRC integrity protection and RRC/UP downlink deciphering and sends AS Security Mode Complete (MAC-I), then starts RRC/UP uplink ciphering; the eNB starts RRC/UP uplink deciphering.

In AS Security mode, the eNodeB sends the AS Security Mode Command message to the ME, containing parameters for the ciphering and integrity algorithms. This message is integrity protected with the RRC integrity key derived from the current KASME. At the eNodeB, downlink RRC and UP ciphering starts as soon as this message has been sent. The UE checks the integrity of the message and, if successful, starts downlink RRC and UP deciphering and sends the response message AS Security Mode Complete to the eNodeB. On receiving the response, the eNodeB starts uplink RRC and UP deciphering. Where ciphering is not permitted, AS security can negotiate a mode that provides security without ciphering.

The ciphering and integrity protection algorithms used in LTE are based on the standardised SNOW 3G and AES (Advanced Encryption Standard), and the algorithm used for AS is negotiated independently of the algorithm used for NAS. Both algorithms provide full security and differ in the basic structure used in 3GPP, so if one algorithm is broken the other continues to protect the LTE system.
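The NAS Security Mode exchange of Figure 3, together with the stream-cipher remark in section 4.2, as an added example in Python (this is not code from the paper or from 3GPP): the MME integrity-protects the Security Mode Command with a 32-bit NAS-MAC, the UE verifies it before switching on ciphering, and each NAS message is then XORed with a keystream bound to its COUNT so no keystream is ever reused. The keys KNASint and KNASenc are fixed constructed values rather than keys derived from KASME, HMAC-SHA256 stands in for the EIA/EEA algorithms, and the check that the echoed UE capabilities match what the UE sent is an extra check assumed here, not something the paper describes.

```python
"""Simplified NAS Security Mode Command exchange (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for KNASint / KNASenc; a real UE and MME derive both from KASME.
K_NAS_INT = bytes.fromhex("0f" * 16)
K_NAS_ENC = bytes.fromhex("a5" * 16)
DOWNLINK, UPLINK = 1, 0  # direction bit, as in LTE


def nas_mac(k_int: bytes, count: int, direction: int, message: bytes) -> bytes:
    """32-bit NAS-MAC over COUNT || direction || message.
    HMAC-SHA256 truncated to 4 bytes stands in for the EIA integrity algorithms."""
    data = count.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(k_int, data, hashlib.sha256).digest()[:4]


def keystream(k_enc: bytes, count: int, direction: int, length: int) -> bytes:
    """Keystream bound to (COUNT, direction), so two messages never share it.
    HMAC-SHA256 in counter mode stands in for the EEA ciphering algorithms."""
    out, block = b"", 0
    while len(out) < length:
        data = count.to_bytes(4, "big") + bytes([direction]) + block.to_bytes(4, "big")
        out += hmac.new(k_enc, data, hashlib.sha256).digest()
        block += 1
    return out[:length]


def cipher(k_enc: bytes, count: int, direction: int, data: bytes) -> bytes:
    """Stream cipher: data XOR keystream; the same call deciphers."""
    return bytes(a ^ b for a, b in zip(data, keystream(k_enc, count, direction, len(data))))


@dataclass
class SecurityModeCommand:
    eksi: int                # identifies the KASME the NAS keys derive from
    ue_capabilities: bytes   # UE security capabilities echoed back by the MME
    ciphering_alg: str
    integrity_alg: str
    mac: bytes = b""

    def body(self) -> bytes:
        return (bytes([self.eksi]) + self.ue_capabilities + b"|"
                + self.ciphering_alg.encode() + b"|" + self.integrity_alg.encode())


def mme_build_smc(count, eksi, ue_caps, enc_alg, int_alg) -> SecurityModeCommand:
    """MME side: start NAS integrity protection and send the SMC (unciphered, MAC'd)."""
    smc = SecurityModeCommand(eksi, ue_caps, enc_alg, int_alg)
    smc.mac = nas_mac(K_NAS_INT, count, DOWNLINK, smc.body())
    return smc


def ue_verify_smc(count, smc, own_caps) -> bool:
    """UE side: accept only if the NAS-MAC verifies and the echoed capabilities
    match what the UE sent (assumed extra check, not described in the paper)."""
    expected = nas_mac(K_NAS_INT, count, DOWNLINK, smc.body())
    return hmac.compare_digest(expected, smc.mac) and smc.ue_capabilities == own_caps


def run_nas_security_mode() -> dict:
    """Drive the exchange of Figure 3 and report what each side concludes."""
    ue_caps = b"EEA0,EEA1,EEA2|EIA1,EIA2"   # constructed capability list
    dl_count, ul_count = 0, 0

    # 1. MME -> UE: NAS Security Mode Command, integrity protected with KNASint.
    smc = mme_build_smc(dl_count, eksi=3, ue_caps=ue_caps, enc_alg="EEA2", int_alg="EIA2")
    smc_ok = ue_verify_smc(dl_count, smc, ue_caps)

    # A copy modified in transit (ciphering algorithm changed) must fail the check.
    tampered = SecurityModeCommand(smc.eksi, smc.ue_capabilities, "EEA0", smc.integrity_alg, smc.mac)
    tampered_rejected = not ue_verify_smc(dl_count, tampered, ue_caps)

    # 2. UE -> MME: Security Mode Complete, now ciphered and integrity protected.
    complete = b"SECURITY MODE COMPLETE"
    ul_count += 1
    ct = cipher(K_NAS_ENC, ul_count, UPLINK, complete)
    mac = nas_mac(K_NAS_INT, ul_count, UPLINK, ct)
    # MME: check the MAC over the ciphertext, then decipher.
    mme_mac_ok = hmac.compare_digest(mac, nas_mac(K_NAS_INT, ul_count, UPLINK, ct))
    pt = cipher(K_NAS_ENC, ul_count, UPLINK, ct)

    # Distinct COUNT values give distinct keystreams, so the keystream is never repeated.
    ks_differ = keystream(K_NAS_ENC, 1, UPLINK, 16) != keystream(K_NAS_ENC, 2, UPLINK, 16)
    return {"smc_verified": smc_ok, "tampered_rejected": tampered_rejected,
            "complete_verified": mme_mac_ok, "roundtrip_ok": pt == complete,
            "keystreams_differ": ks_differ}


if __name__ == "__main__":
    print(run_nas_security_mode())
```

The MAC is computed over the ciphertext on the uplink so that the receiver can reject a modified message before spending any work on deciphering it; the COUNT and direction inputs are what keep the XOR keystream from repeating across messages and across the two directions.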

4.4. Identity Protection

Feature group (I) also provides security through the way the UE's two permanent identifiers are used:
- IMEI: identifies the hardware device. The IMEI is sent to the MME only over NAS, after NAS Security has been established successfully (with both ciphering and integrity protection).
- IMSI: identifies the subscriber. Sending the IMSI over the radio interface is restricted; the temporary parameter GUTI is sent instead.

4.5. NDS (Network Domain Security)

To protect IP-based traffic on the interfaces of the access/transport network (E-UTRAN), of the core network (EPC), and between core networks, 3GPP defines the NDS/IP function (except on the S1-U interface, since that is an interface 3GPP already protects). NDS is defined in 3GPP TS 33.210 and belongs to feature group (II).

In the LTE network, the NDS architecture is deployed as follows:

Figure 5. NDS deployment architecture in the LTE network

- The LTE network is divided into two kinds of security domain, the E-UTRAN domain and the EPC domain:
  EPC domain: SEGs (Security Gateways) are placed at its border, and inside the domain are the NEs, the deployed network nodes such as the MME.
  E-UTRAN domain: because there are many E-UTRAN domains, interconnected through a complex mesh owing to the coexistence of the S1 and X2 interfaces, placing a SEG at the border of each E-UTRAN domain is not reasonable. The E-UTRAN domains therefore contain only NEs, the network nodes (eNodeBs).
- The Za interface (between SEGs) runs alongside the S8 interface between the Home-PLMN and the Visited-PLMN, or between the Home-PGW and the Visited-PGW.
- The Zb interface (between NEs, or between an NE and a SEG) runs alongside the S1 and X2 interfaces within one operator's LTE network. It must be deployed like the Za interface but does not need the full functionality of a SEG.
- The Zb interface between a SEG and an NE of the EPC is optional, since these nodes may be physically protected (on the same LAN).
- NDS/IP does not secure the connection between the EPC and the Internet (the SGi interface).

NDS/IP provides the following security services:
- Data origin authentication: protects a node from data of unknown origin.
- Data integrity: protects transmitted data from being altered (man-in-the-middle).
- Protection against replay.
- Data confidentiality: protects against eavesdropping on data.
- Limited protection against traffic flow analysis.
The protection mechanisms are implemented through IPsec, specifically IPsec ESP (Encapsulating Security Payload) in tunnel mode, with IKE (Internet Key Exchange) used to establish the IPsec security associations between SEGs or between a SEG and an NE. IPsec ESP provides the security protection features, each of which is a set of several security algorithms:
- Authentication: provided initially through mutual authentication and secure key exchange between SEGs, or between a SEG and an NE, using the IKE protocol, and through the AH (Authentication Header) of IPsec packets, which ensures per-packet authentication, for example using SHA-1.
- Integrity: provided through the hashing of IPsec-encrypted packets, for example with SHA-1.
- Confidentiality: provided through IPsec encryption of the encapsulated packets, for example with AES.
- Anti-replay.
- Limited traffic-flow confidentiality.

4.6. Forward Security

This mechanism belongs to feature group (I) and was introduced to prevent the leakage of KeNB keys. It ensures that an eNodeB, with knowledge of the KeNB it shares with a UE, cannot compute the future KeNB keys used between that UE and other eNodeBs. More specifically, N-hop Forward Security ensures that an eNodeB cannot compute the keys that will be used between a UE and the other eNodeBs the UE connects to after N or more handovers (N = 1 or 2). The mechanism is realised through the NH (Next-Hop) key held at the MME.

In detail, the mechanism works as follows:

Figure 6. Key chaining model for handover

When AS Security needs to be established between the UE and the eNodeB, the MME and the UE must derive the keys KeNB and NH from KASME. At initial setup, KeNB is derived directly from KASME and the NAS uplink COUNT, corresponding to key chain NCC = 0. KeNB serves as the base key for protecting communication between the UE and the eNodeB. Next, the key NH is derived from KASME and that KeNB, and is used for key chains with NCC = 1 or higher. When a direct handover between eNodeBs occurs, a new key KeNB* is derived either from the active KeNB or from NH. Deriving KeNB* from the existing KeNB is called horizontal key derivation: KeNB* is derived from KeNB together with the EARFCN-DL (E-UTRAN Absolute Radio Frequency Channel Number, Downlink) of the connection and the PCI (Physical Cell Identity) of the target. Deriving KeNB* from NH is called vertical key derivation: KeNB* is derived from NH together with the EARFCN-DL and PCI.

Since NH can be computed only by the UE and the MME, using the key derivation from NH guarantees Forward Security across handovers through multiple eNodeBs. This function limits the scope of the damage even if a key is leaked, because in vertical key derivation the future keys are derived without using the current KeNB.
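Two of the NDS/IP services listed in section 4.5, data origin authentication and anti-replay, as an added Python example modelling the inbound side of one ESP security association at a SEG (this is not 3GPP or IPsec implementation code, and no ESP header format is parsed): each packet carries a sequence number and an ICV; the receiver verifies the ICV first and only then applies a sliding anti-replay window, so a forged, modified, replayed or too-old packet is dropped and counted. The authentication key, the packet contents and the window size are constructed for the example, HMAC-SHA256 truncated to 96 bits stands in for the ICV algorithm, and encryption is left out.

```python
"""ESP-style per-packet authentication and anti-replay window (constructed example)."""
import hashlib
import hmac


def compute_icv(auth_key: bytes, seq: int, payload: bytes) -> bytes:
    """ICV over sequence number || payload; HMAC-SHA256 truncated to 96 bits
    stands in for the SA's authentication algorithm."""
    return hmac.new(auth_key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:12]


class EspSender:
    """Outbound side: one monotonically increasing sequence number per SA."""
    def __init__(self, auth_key: bytes):
        self.auth_key, self.seq = auth_key, 0

    def send(self, payload: bytes) -> tuple:
        self.seq += 1
        return self.seq, payload, compute_icv(self.auth_key, self.seq, payload)


class EspReceiver:
    """Inbound side: verify the ICV, then enforce a sliding anti-replay window
    (bitmap scheme in the style of RFC 4303; bit i marks seq top - i as seen)."""
    def __init__(self, auth_key: bytes, window: int = 64):
        self.auth_key, self.window = auth_key, window
        self.top = 0       # highest sequence number accepted so far
        self.seen = 0      # bitmap of accepted sequence numbers within the window
        self.counters = {"accepted": 0, "bad_icv": 0, "replay": 0, "stale": 0}

    def receive(self, seq: int, payload: bytes, icv: bytes) -> str:
        # Origin authentication and integrity come first: a forged or modified
        # packet must not be able to move the window or mark anything as seen.
        if not hmac.compare_digest(compute_icv(self.auth_key, seq, payload), icv):
            return self._count("bad_icv")
        if seq > self.top:
            shift = seq - self.top                       # slide the window forward
            self.seen = (self.seen << shift) & ((1 << self.window) - 1) if shift < self.window else 0
            self.seen |= 1
            self.top = seq
        else:
            offset = self.top - seq
            if offset >= self.window:
                return self._count("stale")              # older than the window: drop
            if (self.seen >> offset) & 1:
                return self._count("replay")             # already accepted once: drop
            self.seen |= 1 << offset
        return self._count("accepted")

    def _count(self, outcome: str) -> str:
        self.counters[outcome] += 1
        return outcome


def simulate_za_link() -> dict:
    """Constructed traffic between two SEGs on a Za interface."""
    key = bytes.fromhex("7a" * 32)
    sender, receiver = EspSender(key), EspReceiver(key, window=64)
    results = []
    pkts = [sender.send(f"S8 message {i}".encode()) for i in range(1, 6)]   # seq 1..5
    results += [receiver.receive(*p) for p in pkts]                      # all accepted
    results.append(receiver.receive(*pkts[2]))                           # seq 3 again: replay
    seq, payload, icv = pkts[4]
    results.append(receiver.receive(seq, payload + b"!", icv))           # modified: bad_icv
    p6, p7, p8 = (sender.send(b"x") for _ in range(3))
    results += [receiver.receive(*p6), receiver.receive(*p8), receiver.receive(*p7)]  # reordered, all accepted
    for _ in range(100):                                                 # seq 9..108 lost in transit
        sender.send(b"lost")
    results.append(receiver.receive(*sender.send(b"y")))                 # seq 109: window slides
    results.append(receiver.receive(*p7))                                # seq 7 now outside the window: stale
    return {"results": results, "counters": dict(receiver.counters), "top": receiver.top}


if __name__ == "__main__":
    print(simulate_za_link())
```

Ordering the two checks this way matters: if the window were updated before the ICV was verified, an attacker-supplied sequence number with a bad ICV could advance the window and cause genuine packets to be discarded as stale. The counters are what a SEG would export as drop statistics for monitoring.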
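The key hierarchy of section 4.2 and the handover key chaining of section 4.6, as an added Python example (not code from the paper or from 3GPP): a KDF modelled on the HMAC-SHA256 construction of 3GPP TS 33.401 Annex A derives KASME, KeNB, NH, KeNB* and the NAS/AS algorithm keys, and a small MME/eNodeB model runs a horizontal handover followed by a vertical one to show that the first eNodeB can predict the key of the next hop but not the key of the hop after it. The FC values and parameter encodings are as I recall them from Annex A and should be read as illustrative; the CK, IK, serving network id, PCI and EARFCN-DL values are constructed, and the path-switch step is a simplified model in which the MME hands the target eNodeB its next unused {NH, NCC} pair.

```python
"""LTE key hierarchy and handover key chaining with forward security (constructed example)."""
import hashlib
import hmac


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """KDF in the style of 3GPP TS 33.220 / TS 33.401 Annex A: HMAC-SHA256 over
    FC || P0 || L0 || P1 || L1 ... (the FC values used below are illustrative)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)              # computed by UE and HSS


def derive_kenb(kasme: bytes, nas_ul_count: int) -> bytes:
    return kdf(kasme, 0x11, nas_ul_count.to_bytes(4, "big"))  # UE and MME, NCC = 0


def derive_nh(kasme: bytes, sync_input: bytes) -> bytes:
    return kdf(kasme, 0x12, sync_input)                        # UE and MME only


def derive_kenb_star(base: bytes, pci: int, earfcn_dl: int) -> bytes:
    """base is KeNB (horizontal derivation) or NH (vertical derivation)."""
    return kdf(base, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))


def derive_alg_key(base: bytes, alg_type: int, alg_id: int) -> bytes:
    """Algorithm key (128 LSBs); base is KASME for NAS keys and KeNB for AS keys."""
    return kdf(base, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


class MME:
    def __init__(self, kasme: bytes):
        self.kasme = kasme

    def initial_context(self, enb: "ENB", nas_ul_count: int) -> None:
        enb.kenb, enb.ncc = derive_kenb(self.kasme, nas_ul_count), 0
        self.nh, self.ncc = derive_nh(self.kasme, enb.kenb), 1   # first NH, for NCC = 1

    def path_switch(self) -> tuple:
        """Give the target eNB the next unused {NH, NCC} pair and advance the chain."""
        pair = (self.nh, self.ncc)
        self.nh, self.ncc = derive_nh(self.kasme, self.nh), self.ncc + 1
        return pair


class ENB:
    def __init__(self, pci: int, earfcn_dl: int):
        self.pci, self.earfcn_dl = pci, earfcn_dl
        self.kenb = self.ncc = self.fresh_nh = None   # fresh_nh: unused (NH, NCC) from the MME

    def prepare_handover(self, target: "ENB") -> tuple:
        """Source side: vertical derivation if an unused NH is held, else horizontal."""
        if self.fresh_nh is not None:
            nh, ncc = self.fresh_nh
            self.fresh_nh = None
            return derive_kenb_star(nh, target.pci, target.earfcn_dl), ncc
        return derive_kenb_star(self.kenb, target.pci, target.earfcn_dl), self.ncc


def handover(mme: MME, source: ENB, target: ENB) -> None:
    target.kenb, target.ncc = source.prepare_handover(target)
    target.fresh_nh = mme.path_switch()


def ue_vertical_key(kasme, nas_ul_count, ncc, pci, earfcn_dl) -> bytes:
    """UE side: rebuild the NH chain up to NCC from KASME, then KeNB* for the target cell."""
    nh = derive_kenb(kasme, nas_ul_count)
    for _ in range(ncc):
        nh = derive_nh(kasme, nh)
    return derive_kenb_star(nh, pci, earfcn_dl)


def simulate_handovers() -> dict:
    ck, ik = bytes.fromhex("11" * 16), bytes.fromhex("22" * 16)      # constructed AKA output
    kasme = derive_kasme(ck, ik, bytes.fromhex("45f010"), bytes.fromhex("000102030405"))
    mme = MME(kasme)
    enb1, enb2, enb3 = ENB(101, 1850), ENB(202, 1850), ENB(303, 1900)

    mme.initial_context(enb1, nas_ul_count=7)   # NCC = 0; eNB1 holds no NH yet
    handover(mme, enb1, enb2)                   # horizontal: KeNB* from KeNB
    handover(mme, enb2, enb3)                   # vertical: KeNB* from NH, NCC = 1

    # What eNB1 could compute from the key it held: the next hop's key, but not the one after.
    guess_hop1 = derive_kenb_star(enb1.kenb, enb2.pci, enb2.earfcn_dl)
    guess_hop2 = derive_kenb_star(guess_hop1, enb3.pci, enb3.earfcn_dl)

    as_keys = {t: derive_alg_key(enb3.kenb, t, 2) for t in (0x03, 0x04, 0x05)}  # RRC-enc, RRC-int, UP-enc
    nas_keys = {t: derive_alg_key(kasme, t, 2) for t in (0x01, 0x02)}           # NAS-enc, NAS-int
    return {
        "hop1_guess_matches": guess_hop1 == enb2.kenb,
        "hop2_guess_matches": guess_hop2 == enb3.kenb,
        "ue_agrees_after_vertical": ue_vertical_key(kasme, 7, enb3.ncc, enb3.pci, enb3.earfcn_dl) == enb3.kenb,
        "ncc_per_enb": (enb1.ncc, enb2.ncc, enb3.ncc),
        "all_keys_distinct": len({*as_keys.values(), *nas_keys.values()}) == 5,
    }


if __name__ == "__main__":
    print(simulate_handovers())
```

The horizontal hop gives no forward security (the source eNodeB can compute the target's KeNB*), which is why the NCC does not advance; once the vertical hop uses an NH that only the UE and MME could compute, the chain is cut and compromise of the earlier KeNB no longer exposes later keys.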
5. CONCLUSION

The structure of the LTE network differs from that of earlier mobile networks, so LTE applies many different mechanisms to meet the security requirements placed on it. Some of these mechanisms are inherited from the mechanisms of the 3G network, such as EPS AKA, Identity Protection and NDS. Others are new developments specific to the LTE network, such as the key hierarchy, AS Security, NAS Security and Forward Security. These mechanisms can be deployed easily in practice, either because they are inherited from the 3G network (the inherited mechanisms) or because they are tied to the operation of the LTE network (the new mechanisms). Beyond those above, further mechanisms in feature groups (I) and (II) are provided for LTE but are not covered in detail in this paper, such as Home eNodeB Security, M2M (Machine-to-Machine) Security and Security for VoLTE. And to form a complete security architecture for the LTE network, the security mechanisms for feature groups (III), (IV) and (V) must also be used.

REFERENCES

1. Dan Forsberg, Günther Horn, Wolf-Dietrich Moeller, Valtteri Niemi (2010), LTE Security, Wiley;
2. Alf Zugenmaier, Hiroshi Aono, Technology Reports: Security Technology for SAE/LTE, NTT DOCOMO Technical Journal Vol. 11 No. 3;
3. Stoke, Inc., White Paper: LTE Security Concepts and Design Considerations;
4. 3GPP TS 33.401 v12.9.0, 3GPP System Architecture Evolution (SAE); Security architecture (Release 12);
5. 3GPP TS 33.210 v12.2.0, 3G security; Network Domain Security (NDS); IP network layer security (Release 12);
6. 3GPP TS 33.310 v12.0.0, Network Domain Security (NDS); Authentication Framework (AF) (Release 12).

Author information:

Bùi Trung Thành
Year of birth: 1988
Academic background: graduated from Hanoi University of Science and Technology (Trường ĐHBK Hà Nội), 2006, major: Electronics and Telecommunications
Research interests: SDN, 4G-LTE, Networking
Email: thanhbt@ptit.edu.vn; thanhbt@cdit.com.vn
