Mobile Networks Architecture and Security (2G to 5G)
+ Mobile Networks History 2G/3G/4G/LTE/5G
+ CS/PS/EPC/5GC Core Network Elements Overview
+ Mobile Networks Basic Scenarios
+ Mobile Network Security
+ Authentication / Ciphering
1. Mobile Network Architecture & Security
(From 2G to 5G)
Dr. Ali Soleymani, Assistant Professor at Iranians University, ali.soleymani@iranian.ac.ir
Dr. Hamidreza Bolhasani, PhD Candidate at SRB-IAU Branch, hamidreza.bolhasani@srbiau.ac.ir
27th International Computer Conference, Computer Society of Iran
(CSICC 2022)
3. Global System for Mobiles (GSM)
◼ Cellular Network or Mobile Network is a communication network where the last link is
wireless. The network is distributed over land areas called cells, each served by at least
one fixed-location transceiver, known as a cell or base station.
5. 2G Radio
◼ BTS (Base Transceiver Station)
BTS is a piece of equipment that facilitates wireless
communication between user equipment (UE) and a network.
UEs are devices like mobile phones (handsets), WLL phones,
and computers with wireless Internet connectivity.
◼ BSC (Base Station Controller)
BSC is a critical mobile network component that controls one
or more base transceiver stations (BTS), also known as base
stations or cell sites. Key BSC functions include radio network
management (such as radio frequency control), BTS handover
management and call setup. It also carries out transcoding of
speech channels.
6. 3G Radio
◼ NodeB
NodeB is a term used in UMTS equivalent to the BTS
(base transceiver station) description used in GSM.
◼ RNC (Radio Network Controller)
RNC is a governing element in the UMTS radio access
network (UTRAN) and is responsible for controlling the
NodeBs that are connected to it. The RNC carries out
radio resource management, some of the mobility
management functions and is the point where encryption
is done before user data is sent to and from the mobile.
7. Terminologies - IMSI
IMSI (International Mobile Subscriber Identity) = MCC (3 digits) + MNC (2/3 digits) + MSIN; not more than 15 digits in total
MCC: Mobile Country Code
MNC: Mobile Network Code
MSIN: Mobile Station Identification Number
NMSI: National Mobile Station Identity
8. TMSI
TMSI: Temporary Mobile Subscriber Identity
In order to ensure subscriber identity confidentiality, the VLR (Visiting Location Register) and SGSN
(Serving GPRS Support Node) may allocate TMSI to visiting mobile subscribers.
9. IMEI
IMEI (International Mobile Equipment Identity) = TAC (6 digits) + FAC (2 digits) + SNR (6 digits) + spare (1 digit); 15 digits in total
TAC: Type Approval Code
FAC: Final Assembly Code
SNR: Serial Number
spare: Standby bit
Example: 490547403767335
10. MSISDN
MSISDN (Mobile Station International ISDN number) = CC + NDC + SN
National (Significant) Mobile Number = NDC + SN
CC: Country Code, China Country Code is 86
NDC: National Destination Code
SN: Subscriber Number
11. LAI / GCI / SAI
Location Area Identity (LAI) = MCC + MNC + LAC
Cell Global Identity (GCI) = MCC + MNC + LAC + CI
Service Area Identity (SAI) = MCC + MNC + LAC + SAC
17. 2G / 3G Core Network (CN)
◼ Core Network is split into CS domain and PS domain. CS domain is based on
original GSM network. PS domain is based on original GPRS network.
◼ CS domain: used to provide Circuit-switched service. Network mode can
support TDM, ATM and IP. Physical entities include switching equipment (such
as MSC/VLR, GMSCs, HSS), and inter-working equipment (IWF).
◼ PS domain: used to provide Packet-switched service. Network mode is IP.
Physical entities include SGSN, GGSN, CG, BG, etc.
18. 2G / 3G Core Network (CN)
◼ Function entity shared by CS domain and PS:
MSC Server: Control layer, to realize MM (Mobility Management), CM (Call Control) and MGC (Media Gateway Control).
MGW: Bearer layer, to realize the exchange of voice and media flow, and provide all kinds of resources, such as TC, EC, playing announcements and receiving DTMF.
SG: To realize signaling transfer from MTP (SS7 transmission layer) to SCTP/IP (SIGTRAN).
19. 2G / 3G Core Network (CN)
HLR/HSS: To realize mobile subscriber
management and location information
management.
VLR: To deal with all kinds of data
information of current mobile
subscriber.
AUC: To store authentication
information of mobile subscriber.
EIR: To store IMEI data of mobile
subscriber.
SMS: Short Message Center.
20. Scenario #1 Location Update / Authentication
[Figure: message sequence chart. Entities: MS, BSS, MSC, VLR, PVLR, HLR/AUC. Interfaces and protocols: Um, A (BSSAP), B (MAP), D (MAP).]
Messages shown in the figure:
Location updating request (IMSI)
Location updating request
Update location area (IMSI)
Send parameters (IMSI)
Authentication parameters (RAND/SRES/Kc, IMSI)
Authenticate
Authentication request
Authentication response
Authentication response
Update location
Insert subscriber data
Subscriber data insertion ack.
Cancel location (PVLR)
Cancel location ack.
Update location ack. (HLR?)
Set cyphering mode
Forward new TMSI
Update location area ack.
CYPHER MODE COMMAND
CYPHER MODE COMPLETE
Location updating accepted
TMSI reallocation complete
TMSI acknowledge
CLEAR COMMAND
CLEAR COMPLETE
Parameters: IMSI/TMSI, old LAI, current LAI/GCI
21. Scenario #2 Call Flow (1/2)
[Figure: message sequence chart. Entities: MSa, BSSa, MSC, VLR, HLR, BSSb, MSb. Interfaces: Um, A, B, D.]
Messages shown in the figure:
Channel request (RACH)
CM service request (SDCCH; CKSN, IMSI/TMSI)
CM service req.
CM service req.
Send parameters (IMSI/TMSI)
Authentication para. (IMSI, RAND/SRES/Kc)
Authenticate (RAND, CKSNn)
Authentication request (RAND, CKSNn)
Authentication response (SRES)
Authen. res. (SRES)
Set cyphering mode
Access req. accepted (IMSI/MSISDN)
CM service accept
CIPHER MODE COMMAND (Kc)
CIPHER MODE COMPLETE
Setup (MSISDN)
Send info. for o/g call setup
Complete call
Call proceeding
ASSIGNMENT REQUEST
ASSIGNMENT COMPLETE
Send routing info req. (MSISDN, supplementary service info)
Provide roaming number req. (IMSI)
Provide roaming number ind.
Send routing information acknowledge
Send info. for i/c call setup
Page MS (LAI)
PAGING (LAI, IMSI)
Page response
Page response (LAI, GCI)
22. Scenario #2 Call Flow (2/2)
[Figure: message sequence chart, continued. Entities: MSa, BSSa, MSC, VLR, HLR, BSSb, MSb. Interfaces: Um, A, B, D.]
Messages shown in the figure:
Process access req.
Send para. (IMSI/TMSI)
Authen. para. (IMSI, RAND/SRES/Kc)
Authenticate (RAND, CKSNn)
Authentication request (RAND, CKSNn)
Authentication (SRES)
Authentication response (SRES)
Set cyphering mode
Access request accepted
Complete call
CIPHER MODE COMMAND (Kc)
CIPHER MODE COMPLETE
Setup (calling MSISDN)
Call confirmed
ASSIGNMENT REQUEST
ASSIGNMENT COMPLETE
Alerting
Connect
Connect acknowledge
Alerting
Connect
Connect acknowledge
23. GPRS Network Structure
⚫ What is GPRS?
General Packet Radio Service
⚫ Why GPRS?
To provide data service outside the scope of the fixed network
⚫ GPRS network classification
GSM GPRS
UMTS GPRS
⚫ GPRS network background
The GSM GPRS network reuses the existing GSM network
The UMTS GPRS network changes only the RAN side
25. GPRS Network Structure
⚫ Important Entity Function: SGSN
Mobility management
− The mobility management functions are used to keep track of the current location of an MS within the PLMN
or within another PLMN.
Session management
− Session Management (SM) function manages the PDP context of MS.
Routing and transfer
− SGSN performs routing and forwarding of service data between MS and GGSN.
Charging
− SGSN can generate, store, convert and send CDRs.
Lawful Interception
NTP
26. GPRS Network Structure
⚫ Important Entity Function: GGSN
Session management
− Session Management (SM) function manages the PDP context of MS.
Routing and transfer
− GGSN performs routing and forwarding of service data between MS and internet.
Charging
− GGSN can generate, store, convert and send CDRs.
Dynamic IP allocation
Service management
− Manage APN
65. GSM Security
[Figure: GSM authentication and ciphering between SIM/MS, BSC, MSC/VLR and AUC.]
AUC: RAND generator; IMSI → Ki; A3 and A8 over Ki and RAND give SRES and Kc. Triplet = (RAND, SRES, Kc).
MSC/VLR: Triplets req. / Triplets sent (sent via HLR); holds IMSI, RAND, SRES, Kc; compares SRES (Authentication!).
SIM/MS: A3 and A8 over Ki and RAND give SRES and Kc.
A5: applied with Kc on both sides of the radio link (Ciphering OK!).
Messages:
Call Establishment Request
Authentication Request (RAND)
Authentication Response (SRES)
Ciphering Command (Kc)
Ciph. Command ( )
Ciphering Complete
Ciphering Complete
Ciphered Traffic and Signalling
Legend:
AUC Authentication Centre
Ki Subscriber Authentication Key (128 Bit)
Kc Ciphering Key (64 Bit)
RAND Random number (128 Bit)
SRES Signed Response (32 Bit)
66. A3 Algorithm (Compress Function: COMP128)
• Input:
• 128-bit RAND random number
• 128-bit Ki private key
• Output:
• 32-bit RES/SRES
Authentication
67. A8 Algorithm (Compress Function: COMP128)
• Input:
• 128-bit RAND random number
• 128-bit Ki private key
• Output:
• 64-bit Kc Cipher Key
Key Generation
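The triplet exchange from the GSM Security slide and the A3/A8 slides, as an added example that is not part of the original deck. COMP128 is replaced by an HMAC-SHA-256 stand-in, and the class names, function names and the IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def a3_a8_stand_in(ki, rand):
    """Stand-in for A3/A8 (HMAC-SHA-256, NOT COMP128): returns (SRES, Kc)."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = out[:4]                                   # 32-bit signed response
    kc = int.from_bytes(out[4:12], "big") & ~0x3FF   # 64-bit Kc, last 10 bits zeroed
    return sres, kc.to_bytes(8, "big")

class AuC:
    """Holds IMSI -> Ki and produces triplets (RAND, SRES, Kc) for the VLR."""
    def __init__(self):
        self.ki_by_imsi = {}

    def provision(self, imsi):
        self.ki_by_imsi[imsi] = secrets.token_bytes(16)   # 128-bit Ki
        return self.ki_by_imsi[imsi]

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)                    # 128-bit RAND
        sres, kc = a3_a8_stand_in(self.ki_by_imsi[imsi], rand)
        return rand, sres, kc

class SIM:
    """Ki never leaves the card; the card only answers challenges."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def challenge(self, rand):
        # The SIM answers any RAND: nothing in the challenge proves who sent it,
        # which is the "Mutual Authentication: No" entry for 2G.
        return a3_a8_stand_in(self._ki, rand)

def vlr_authenticate(auc, sim):
    """MSC/VLR side: fetch a triplet, challenge the MS, compare SRES."""
    rand, expected_sres, kc_network = auc.triplet(sim.imsi)
    sres, kc_ms = sim.challenge(rand)
    ok = hmac.compare_digest(sres, expected_sres)
    # On success both ends hold the same Kc without it crossing the air interface.
    return ok, (kc_network if ok else None), kc_ms

def effective_kc_bits(kc):
    """Key bits that can still vary when the last 10 bits are fixed to zero."""
    assert int.from_bytes(kc, "big") & 0x3FF == 0
    return len(kc) * 8 - 10

# Constructed subscriber (test PLMN 001/01, made-up MSIN).
auc = AuC()
IMSI = "001010123456789"
genuine = SIM(IMSI, auc.provision(IMSI))
card_with_other_ki = SIM(IMSI, secrets.token_bytes(16))
```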
68. A5 Algorithms
• A5/0: no encryption; used by countries under UN sanctions.
• A5/1: LFSR-based stream cipher, 64-bit key, broken; the strongest version, used in Europe and America.
• A5/2: LFSR-based stream cipher, 64-bit key, broken (prohibited to use); a weaker version used mainly in Asia.
• A5/3 : KASUMI in OFB mode, 64-bit key
• A5/4 : same as A5/3, 128-bit key
Ciphering
69. A5/1 Algorithm
Ciphering
The best published attacks on it require 2^40 and
2^45 steps, which makes it vulnerable to
hardware-based attacks by organizations but
not to software-based attacks. Its main
weakness is that its key is the output of the A8
algorithm, which has already been cracked. The
actual size of its key is not 64 but 54 bits, because
the last 10 bits are set to 0, which makes it
much weaker.
Keystream
71. A5/3 Algorithm
Ciphering
KASUMI operates on a 64-bit block with a 128-bit
key. KASUMI is an eight-round Feistel cipher.
Each round takes a 32-bit input and produces
a 32-bit output.
72. UMTS Security
[Figure: UMTS authentication and key agreement (AKA) between USIM/UE, RNC, MSC/SGSN and AUC.]
AUC: RAND generator; IMSI → K; algorithms over K and RAND produce the quintet (RAND, XRES, CK, IK, AUTN). Quintets req. / Quintets sent (sent via HLR).
MSC/SGSN: holds IMSI, RAND, XRES, CK, IK, AUTN; checks the response (Authentication!).
USIM/UE: algorithms over K, RAND and AUTN give RES, CK, IK; authentication of the network: AUTN = AUTN.
RNC and UE: ciphering and integrity algorithms keyed with CK and IK (Ciphering OK!).
Messages:
Call/Session Establishment Request
Authentication Request (RAND, AUTN)
Authentication Response (RES)
Sec Mode Command (CK, IK)
Security Mode Command ( )
Security Mode Complete
Sec Mode Complete
Traffic: Ciphering
Signalling: Ciphering & Integrity
Legend:
AKA Authentication and Key Agreement
AUC Authentication Centre
CK Ciphering Key (128 Bit)
IK Integrity Key (128 Bit)
K Subscriber Authentication Key (128 Bit)
RAND Random number (128 Bit)
XRES Expected Response (32-128 Bit)
73. UMTS Security
• UMTS uses a set of functions f1 to f9 for security purposes. Derivation
functions f1 to f5 are not standardized. There are more than 16
algorithms. Some example integrity and ciphering algorithms:
• MILENAGE based on AES (3GPP TS 35.206)
• TUAK based on SHA3 (3GPP TS 35.231)
• KASUMI in OFB mode-Similar to A5/3 (3GPP TS 35.201)
• SNOW 3G (3GPP TS 35.216)
74. UMTS Security
Function | Description | Input Parameters | Output Parameters
F0 | The random challenge generating function | RAND | RAND
F1 | The network authentication function | AMF, K, RAND | MAC-A (AuC side) / XMAC-A (UE side)
F2 | The user authentication function | K, RAND | RES (UE side) / XRES (AuC side)
F3 | The cipher key derivation function | K, RAND | CK
F4 | The integrity key derivation function | K, RAND | IK
F5 | The anonymity key derivation function | K, RAND | AK
F8 | The confidentiality key stream generating function | Count-C, Bearer, Direction, Length, CK | <Keystream block>
F9 | The integrity stamp generating function | IK, FRESH, Direction, Count-I, Message | MAC-I (UE side) / XMAC-I (RNC side)
Authentication
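How f1 to f5 fit together in the AKA run on the UMTS Security slide, as an added example that is not part of the original deck. The functions are labelled HMAC-SHA-256 stand-ins rather than MILENAGE or TUAK, f1 also takes SQN as TS 33.102 defines it, the SQN freshness rule is simplified to "strictly greater", and all names and key values are constructed.

```python
import hashlib
import hmac
import secrets

def f(n, k, *parts, size):
    """Stand-in for f1..f5: labelled HMAC-SHA-256, NOT MILENAGE or TUAK."""
    return hmac.new(k, b"f%d" % n + b"".join(parts), hashlib.sha256).digest()[:size]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def auc_quintet(k, sqn, amf=b"\x00\x00"):
    """AuC side: build the quintet (RAND, XRES, CK, IK, AUTN)."""
    rand, sqn_b = secrets.token_bytes(16), sqn.to_bytes(6, "big")
    mac = f(1, k, sqn_b, rand, amf, size=8)
    xres, ck, ik = f(2, k, rand, size=8), f(3, k, rand, size=16), f(4, k, rand, size=16)
    ak = f(5, k, rand, size=6)
    return rand, xres, ck, ik, xor(sqn_b, ak) + amf + mac   # AUTN = SQN^AK || AMF || MAC

class USIM:
    def __init__(self, k):
        self._k, self.sqn_ms = k, 0

    def authenticate(self, rand, autn):
        """Check the network's AUTN first; release RES, CK, IK only if it passes."""
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(conc_sqn, f(5, self._k, rand, size=6))      # remove AK
        xmac = f(1, self._k, sqn_b, rand, amf, size=8)
        if not hmac.compare_digest(mac, xmac):
            return "MAC failure", None          # AUTN was not built with this K
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:                  # simplified freshness rule
            return "sync failure", None         # replayed or stale vector
        self.sqn_ms = sqn
        k = self._k
        return "ok", (f(2, k, rand, size=8), f(3, k, rand, size=16), f(4, k, rand, size=16))

def demo():
    """Genuine vector, the same vector replayed, and a vector built with another K."""
    k = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed K
    usim = USIM(k)
    rand, xres, ck, ik, autn = auc_quintet(k, sqn=1)
    status, keys = usim.authenticate(rand, autn)
    replay = usim.authenticate(rand, autn)[0]
    r2, _, _, _, a2 = auc_quintet(bytes(16), sqn=2)
    return status, keys == (xres, ck, ik), replay, usim.authenticate(r2, a2)[0]
```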
78. LTE Security
[Figure: LTE authentication and security mode setup between UE (USIM), eNB, MME and HSS.]
Messages:
NAS MESSAGE: UE security capabilities
AUTH DATA REQUEST: IMSI, SN id, nw type
AUTH DATA RESPONSE: RAND, AUTN, XRES, KASME
AUTHENTICATION REQUEST: RAND, AUTN
AUTHENTICATION RESPONSE: RES
NAS SECURITY MODE COMMAND: UE sec capabilities, selected NAS algo:s
NAS SECURITY MODE COMPLETE
KeNB, permitted algorithms
Ordered algorithms
Processing:
HSS: IMSI → K; f1 to f5 over K and RAND give MAC, XRES, CK, IK, AK; calculate AUTN from MAC and AK; derive KASME from CK, IK (Authentication Vector)
MME: store received Authentication Vector(s); check RES against XRES (UE authorised!); derive IKNAS and CKNAS; derive KeNB
USIM/UE: f1 to f5 over K and RAND give XMAC, RES, CK, IK, AK; check MAC against XMAC (NW authorised!); derive KASME from CK, IK; derive IKNAS and CKNAS; derive KeNB; derive IKCP, CKCP, CKUP
eNB: select algorithms; derive IKCP, CKCP, CKUP
NAS security (UE – MME)
- NW authorises UE (RES)
- UE authorises NW (MAC)
- Integrity check of sign. (IKNAS)
- Ciphering of sign. (CKNAS)
AS security (UE – eNB)
- Integrity check of sign. (IKCP)
- Ciphering of sign. (CKCP)
- Ciphering of traffic (CKUP)
Key hierarchy:
K → CK, IK (never leaves Home Domain) → KASME → IKNAS, CKNAS (only used in NAS)
KASME → KeNB → CKUP, CKCP, IKCP (only used in AS)
It is FFS if NAS Security Mode Command is a stand-alone procedure, or can be combined with other messages.
79. LTE Security
Key | Function | Length or Size | Derived From | Basic Description
K | Master Base Key for GSM/UMTS/EPS | 128 | - | Secret key stored permanently in USIM and AuC
(CK, IK) | Cipher Key and Integrity Key | 128 | K | Pair of keys derived in AuC and USIM during AKA run.
KASME | MME (ASME) Base / Intermediate Key | 256 | CK, IK | Intermediate key derived in HSS/UE from (CK, IK) using AKA.
KeNB | eNB Base Key | 256 | KASME, KeNB* | Intermediate key derived in MME/UE from KASME when UE transits to ECM CONNECTED state, or by UE and target eNB from KeNB* during handover
KeNB* | eNB handover transition key | 256 | KeNB (H), NH (V) | Intermediate key derived in source eNB and UE during handover when performing horizontal (KeNB) or vertical (NH) key derivation. Used at target eNB to derive KeNB
NH | Next Hop | 256 | KeNB | Intermediate key derived in MME and UE used to provide forward security and forwarded to eNB via S1-MME interface.
KNASint | Integrity key for NAS signalling | 256 (128 LSB) | KASME | Integrity key for protection of NAS data derived in MME/UE
KNASenc | Encryption key for NAS signalling | 256 (128 LSB) | KASME | Encryption key for protection of NAS data derived in MME and UE
KUPenc | Encryption key for user plane (DRB) | 256 (128 LSB) | KeNB | Encryption key for protection of user plane data derived in eNB and UE
KRRCint | Integrity key for RRC signalling (SRB) | 256 (128 LSB) | KeNB | Integrity key for protection of RRC data derived in eNB and UE
KRRCenc | Encryption key for RRC | 256 (128 LSB) | KeNB | Encryption key for protection of RRC data derived in eNB and UE
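The derivations in the key table above, written out as an added example that is not part of the original deck. The FC codes and parameter layout follow the KDF of 3GPP TS 33.220 Annex B and TS 33.401 Annex A; the function names and all input values (CK, IK, SN id, SQN xor AK, PCI, EARFCN) are constructed.

```python
import hashlib
import hmac

def kdf(key, fc, *params):
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (TS 33.220 B.2)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

# Algorithm type distinguishers from TS 33.401 A.7.
ALG_TYPE = {"NAS-enc": 0x01, "NAS-int": 0x02, "RRC-enc": 0x03,
            "RRC-int": 0x04, "UP-enc": 0x05}

def alg_key(parent, alg_type, alg_id):
    """256-bit KDF output truncated to its 128 least significant bits."""
    return kdf(parent, 0x15, bytes([ALG_TYPE[alg_type]]), bytes([alg_id]))[16:]

def derive_hierarchy(ck, ik, sn_id, sqn_xor_ak, ul_nas_count, eea, eia):
    """Walk the table top-down: (CK, IK) -> KASME -> NAS keys and KeNB -> AS keys."""
    kasme = kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)              # HSS and UE
    kenb = kdf(kasme, 0x11, ul_nas_count.to_bytes(4, "big"))   # MME and UE
    return {
        "KASME": kasme,
        "KNASenc": alg_key(kasme, "NAS-enc", eea),
        "KNASint": alg_key(kasme, "NAS-int", eia),
        "KeNB": kenb,
        "KRRCenc": alg_key(kenb, "RRC-enc", eea),
        "KRRCint": alg_key(kenb, "RRC-int", eia),
        "KUPenc": alg_key(kenb, "UP-enc", eea),
    }

def kenb_star(kenb, pci, earfcn_dl):
    """Horizontal handover derivation: bind the new key to the target cell."""
    return kdf(kenb, 0x13, pci.to_bytes(2, "big"), earfcn_dl.to_bytes(2, "big"))

# Constructed inputs; in a real run CK, IK and SQN xor AK come out of AKA.
CK = bytes(range(16))
IK = bytes(range(16, 32))
SN_ID = bytes.fromhex("00f110")            # PLMN 001/01 in 3-octet BCD form
SQN_XOR_AK = bytes.fromhex("0123456789ab")

home = derive_hierarchy(CK, IK, SN_ID, SQN_XOR_AK, ul_nas_count=0, eea=2, eia=2)
# Same CK/IK presented for a different serving network (PLMN 001/02).
other_sn = derive_hierarchy(CK, IK, bytes.fromhex("00f120"), SQN_XOR_AK, 0, 2, 2)

if __name__ == "__main__":
    for name, key in home.items():
        print(f"{name:8s} {len(key) * 8:3d} bit  {key.hex()}")
```

Because the SN id is an input to KASME, `other_sn` shares no key with `home`: a vector issued for one serving network yields nothing usable in another.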
80. Encapsulation and Tunneling
[Figure: user-plane path eNB, SGW, PGW with TEID labels on the tunnels. Original IP packet from user, encapsulated in another IP packet.]
EPS bearer = Radio Bearer
EPS bearer = radio bearer + S1 tunnel
EPS bearer = radio bearer + S1 tunnel + S5 tunnel
81. Security Domains
[Figure: eNB, SGW, PGW; Security Domain A, Security Domain B, Security Domain C.]
Security Domain
Security Domains are networks that are managed by a single administrative authority. Within a security
domain the same level of security and usage of security services will be typical.
Typically, a network operated by a single network operator or a single transit operator will constitute one
security domain although an operator may at will subsection its network into separate sub-networks.
82. 5G Security Framework
UDM (Unified Data Management)
Similar to the HSS on a 4G network, stores subscriber root keys and authentication-related subscription data, and generates
5G authentication parameters and vectors.
AUSF (Authentication Server Function)
- Derives a key.
- Provides the network authentication function if the EAP-AKA' authentication method is used or provides the home network authentication function if the 5G AKA authentication method is used.
AMF (Access & Mobility Management Function)
- Derives lower-layer NAS and AS keys.
- Provides the service network authentication function if the 5G AKA authentication method is used.
83. 5G Security
To solve the problem of IMSI disclosure on 4G networks, IMSIs on 5G networks are encrypted and transmitted over air
interfaces for subscriber privacy protection, as shown in the following figure.
IMSI Encryption (SUPI -> SUCI)
During initial registration, a UE uses the public key of the home network to encrypt non-routing information in the subscription permanent identifier (SUPI) and converts the SUPI into a subscription concealed identifier (SUCI). The routing information is still transmitted in plaintext, and is used to address the home network. After obtaining the SUCI, the core network uses the private key to decrypt the SUCI into an SUPI.
[Figure: UE, base station, core network. UE: SUPI → SUCI (encryption); Registration request (SUCI); core network: SUCI → SUPI (decryption); allocates the 5G-GUTI to the UE after the registration succeeds. IMSI catcher receiving the Registration request (SUCI): obtaining fails.]
84. 5G Authentication & Key Agreement (AKA)
[Figure: 5G AKA message flow. Entities: UE; AMF (SEAF) in the VPLMN; AUSF and UDM (SIDF, ARPF) in the HPLMN. K (128 or 256 bits) is held on the UE side and in the UDM.]
Messages:
NAS message
Nausf_UEAuthentication_Auth Req.: SUCI/SUPI, SN Name...
Nudm_UEAuthentication_Get Req.: SUCI/SUPI, SN Name...
Nudm_UEAuthentication_Get Resp.: SUPI, 5G-AKA usage flag, 5G HE AV: RAND, AUTN, XRES*, KAUSF
Nausf_UEAuthentication_Auth Resp.: SUPI, 5G AV: RAND, AUTN, HXRES*, KSEAF
Auth Req: RAND, AUTN
Auth Resp: RES*
Nausf_UEAuthentication_Auth Req.: RES*
Nudm_UEAuthentication_ResultConfirmation Req.
Nudm_UEAuthentication_ResultConfirmation Resp.
Nausf_UEAuthentication_Auth Resp.
KgNB
Processing:
UDM (SIDF, ARPF): SUCI → SUPI; decide auth method: EAP-AKA' / 5G-AKA; calculate 5G HE AV; store UE authentication status
AUSF: calculate HXRES*; calculate KSEAF (anchor key); check if RES* = XRES* → UE authenticated
AMF (SEAF): RES* → HXRES*; check if HRES* = HXRES* → UE authenticated; KSEAF → KAMF → KNAS & KgNB
UE: calculate response & keys from K, RAND: RES*, KAUSF, KSEAF, KAMF, KNAS, KgNB
Legend:
AUTN: Authentication Token
AV: Authentication Vector
RAND: Random number
RES: Response
XRES: Expected Response
ARPF Authentication credential Repository and Processing Function
HE Home Environment
SEAF Security Anchor Function
SIDF Subscriber Identity De-concealing Function
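The two response checks in the 5G AKA flow above (HRES* against HXRES* in the SEAF, RES* against XRES* in the AUSF), as an added example that is not part of the original deck. The FC codes and the 128-LSB truncations follow 3GPP TS 33.501 Annex A; the function names, the serving network names and every input value are constructed.

```python
import hashlib
import hmac

def kdf(key, fc, *params):
    """HMAC-SHA-256 over S = FC || P0 || L0 || P1 || L1 ... (TS 33.220 B.2)."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def res_star(ck, ik, sn_name, rand, res):
    """RES* / XRES*: 128 LSB of the KDF, bound to the serving network name."""
    return kdf(ck + ik, 0x6B, sn_name, rand, res)[16:]

def hres_star(rand, res_star_value):
    """HRES* / HXRES*: 128 LSB of SHA-256(RAND || RES*)."""
    return hashlib.sha256(rand + res_star_value).digest()[16:]

def home_av(ck, ik, sn_name, rand, xres, sqn_xor_ak):
    """UDM/ARPF: the parts of the 5G HE AV used here (XRES*, KAUSF)."""
    return {"XRES*": res_star(ck, ik, sn_name, rand, xres),
            "KAUSF": kdf(ck + ik, 0x6A, sn_name, sqn_xor_ak)}

def serving_av(he_av, sn_name, rand):
    """AUSF -> SEAF: the serving network gets the hash HXRES*, not XRES* itself."""
    return {"HXRES*": hres_star(rand, he_av["XRES*"]),
            "KSEAF": kdf(he_av["KAUSF"], 0x6C, sn_name)}

def authenticate(he_av, se_av, rand, ue_res_star):
    """SEAF check (HRES* vs HXRES*), then AUSF check (RES* vs XRES*)."""
    seaf_ok = hmac.compare_digest(hres_star(rand, ue_res_star), se_av["HXRES*"])
    ausf_ok = seaf_ok and hmac.compare_digest(ue_res_star, he_av["XRES*"])
    return seaf_ok, ausf_ok

# Constructed values; CK, IK and RES would come from f3, f4 and f2 on both sides.
CK, IK = bytes(range(16)), bytes(range(16, 32))
RAND = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
RES = bytes.fromhex("a1a2a3a4a5a6a7a8")
SQN_XOR_AK = bytes.fromhex("0123456789ab")
SN = b"5G:mnc001.mcc001.3gppnetwork.org"
OTHER_SN = b"5G:mnc002.mcc001.3gppnetwork.org"

HE_AV = home_av(CK, IK, SN, RAND, RES, SQN_XOR_AK)
SE_AV = serving_av(HE_AV, SN, RAND)

def demo():
    """UE answering for the network the vector was issued for, then for another."""
    same = authenticate(HE_AV, SE_AV, RAND, res_star(CK, IK, SN, RAND, RES))
    other = authenticate(HE_AV, SE_AV, RAND, res_star(CK, IK, OTHER_SN, RAND, RES))
    return same, other
```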
85. Key Hierarchy Generation
[Figure: 5G key hierarchy. Entities shown: USIM, ME, ARPF, AUSF, SEAF, AMF, N3IWF, gNB. Source: 33.501 6.2.1-1]
K: used for primary authentication
K → CK, IK
5G AKA: CK, IK → KAUSF
EAP-AKA': CK', IK' → KAUSF
KAUSF: serving nw specific
KAUSF → KSEAF → KAMF
KAMF → KNASint, KNASenc, KN3IWF, KgNB, NH
KgNB, NH → KRRCint, KRRCenc, KUPint, KUPenc
Horizontal key derivation: KAMF changes at AMF change
EAP Extensible Authentication Protocol
NH Next Hop
NH = "Fresh" param
86. Comparing
Network Feature | 2G | 3G | 4G | 5G
Mutual Authentication | No | Yes | Yes | Yes
Integrity Check | No | Yes | Yes | Yes
Ciphering Key | 64 bit | 128 bit | 128 bit | 256 bit
IMSI Ciphering | No | No | No | Yes