Authentication in LTE

-

Home               LTE              NB-IoT          5G(NR-NSA) 
What is Authentication and what type of Authentication is used in LTE?

Authentication is a process by which both the UE and Network check whether the other party is authorized to communicate with them.

In LTE and WCDMA, a mutual authentication process is used i.e. the Network checks whether the UE is authorized to camp on it and the UE also checks whether it is trying to camp on is the correct Network.

The UE becomes authorized to camp on a network by subscribing to the network.

In LTE, EPS AKA i.e. Authentication Key Agreement procedure is used for Mutual Authentication.

Why is Authentication required from both sides in LTE?

The UE needs to be authenticated by the NW to check whether it has subscribed to the NW or not. Only UEs which have a valid subscription should be allowed to camp on the NW.

The NW should also be authenticated by the UE because if the UE does not check its authenticity, there is a risk that the UE might camp on a fake NW (which has been designed to accept any UE) instead of the one it is supposed to camp on.

What is a difference between LTE authentication, NAS security and AS security?

LTE Authentication: performs mutual authentication between UE and  NW.

NAS Security: performs integrity protection/verification and ciphering (encryption/decryption) of NAS signaling between UE and MME.

AS Security: performs integrity protection/verification and ciphering of RRC signaling and ciphering of user traffic between a UE and an eNB.

Give a brief description of Authentication procedure in LTE?

The UE sends Attach Request to the MME asking permission to camp on the Network.

In the Attach Request, the UE sends its IMSI (or GUTI if the UE has camped on the NW before) as its identity.

The MME, upon receiving the request, in turn requests Authentication Vectors from the HSS.

The HSS generates the following Authentication Vectors using the EPS AKA Algorithm:

RAND
XRES
AUTNHSS
KASME



The HSS forwards these vectors to the MME. The MME stores these vectors and selects one of them to perform Mutual Authentication with the UE.

The MME forwards only RAND and AUTNHSS to the UE.

The UE computes the RES, AUTNUE and KASME using EPS AKA Algorithm.

The UE compares AUTNUE with AUTNHSS to authenticate the Network.

If successfully authenticated, the UE forwards the RES to the MME which compares it with the XRES received from the HSS to authenticate the UE.

If the UE and the Network have successfully authenticated each other, they share the same KASME.

Note: The KASME is not transferred between the UE and the NW due to security reasons.

What are the important Information Elements present in the Attach Request for Authentication?

  • IMSI: International Mobile Subscriber Identity
  • UE Network Capability: security algorithms  supported by the UE  
  • KSIASME=7: indicates that UE has no authentication key

What are the types of Encryption and Integrity protection algorithms supported by UE?

The UE can support any of the following EPS Encryption Algorithms and EPS Integrity Algorithms:

EEA
EIA
EEA0
Null ciphering    algorithm.
EIA0
Null integrity protection algorithm.
128-EEA1
SNOW 3G.
128-EIA1
SNOW 3G.
128-EEA2
AES.
128-EIA2
AES.
128-EEA3
ZUC.
128-EIA3
ZUC.

What is Authentication Information Request and when is it triggered?

When the MME receives an Attach Request with KSIASME=7(111- the UE has no KASME available), it initiates Authentication Information Request message to the HSS. The message contains the following information elements:

  • IMSI
  • SN ID (Serving Network ID): used to refer to the network accessed by the user. Consists of PLMN ID (MCC+MNC).
  • n (number of Authentication Vectors): No. of authentication vectors requested by MME
  • Network Type: type of the network accessed by UE (e.g. E-UTRAN)
What is the step taken by the HSS upon receiving the Authentication Information Request?

On receiving the Authentication Information Request message from the MME, the HSS takes the following steps:

Generation of RAND and SQN, and creation of XRES, AUTN, CK and IK using EPS AKA algorithm with LTE key (K), SQN and RAND.
Derivation of a top-level key (KASME) of the access network, using Key Derivation Function (KDF), and input elements CK, IK, SQN and SN ID, to be delivered to the MME. KDF is a one-way function.
Since SN ID is required when deriving KASME, if the serving network is changed, KASME is derived again.
Formation of authentication vectors AVi=(RANDi, AUTNi, XRESi, KASMEi), i=0..n.

All these vectors are delivered to the MME in the Authentication Information Answer message.

What is the step taken by the MME on getting the Authentication Information Answer message?

On receiving the Authentication Vectors from the HSS, the MME:
stores them, and chooses one of them for Mutual Authentication with the UE.
KASME - which is a base key of MME and serves as a top-level key in the access network - stays within EPC only and is not delivered to the UE through E-UTRAN, which is not secure.
Instead of KASME, the MME allocates KSIASME, an index for KASME, and delivers it to the UE so that the UE and the MME can use it as a substitute for KASME. 

What Information Elements are exchanged between the MME and the UE during the Mutual Authentication procedure?

The MME keeps with itself the KASME and XRES in AV and delivers KSIASME, in substitution for KASME, RAND and AUTN in the Authentication Request (KSIASME, RAND, AUTN) message to the UE. XRES is used later in when authenticating the user.

On receiving the Authentication Request message from the MME, the UE delivers RAND and AUTN to USIM. USIM, using the same EPS AKA algorithm used by the HSS, derives RES, AUTNUE, CK and IK with the stored LTE key (K) and RAND and SQN generated from the HSS. The UE then compares AUTNUE generated using EPS AKA algorithm and AUTN received from MME to authenticate the network.

Once the UE has authenticated the network, it delivers an Authentication Response message to MME, which includes the RES generated using EPS AKA algorithm. If the network authentication using AUTN fails, UE sends an Authentication Failure (CAUSE) message that contains a CAUSE field stating reasons for such failure.

The MME, on receiving the Authentication Response message from the UE, compares RES generated by the UE and XRES of the AV received from the HSS to authenticate the user.

What process takes place in the UE once it is authenticated by the Network?

The USIM delivers CK and IK to the UE after its network authentication is completed. The UE derives KASME using Key Derivation Function (KDF) with CK, IK, SQN and SN ID and stores it using KSIASME which is received from the MME as its index. After this, KSIASME is used instead of KASME during the NAS security setup between the UE and the MME.

What happened for authentication process when emergency bearer created by UE?

The UE has a PDN connection for emergency bearer services established or is establishing a PDN connection for emergency bearer services, the MME need not follow the procedures specified for the authentication failure specified in the present sub-clause. 
The MME may respond to the AUTHENTICATION FAILURE message by initiating the security mode control procedure selecting the "null integrity protection algorithm" EIA0, null ciphering algorithm or may abort the authentication procedure and continue using the current security context, if any. 

The MME shall deactivate all non-emergency EPS bearer contexts, if any, by initiating an EPS bearer context deactivation procedure. If there is an ongoing PDN connectivity procedure, the MME shall deactivate all non-emergency EPS bearer contexts upon completion of the PDN connectivity procedure. 

The network has considered the UE to be attached for emergency bearer services only. If a UE has a PDN connection for emergency bearer services established or is establishing a PDN connection for emergency bearer services and sends an AUTHENTICATION FAILURE message to the MME with the EMM cause appropriate for these cases (#20, #21, or #26, respectively) and receives the SECURITY MODE COMMAND message before the timeout of timer T3418 or T3420, the UE shall deem that the network has passed the authentication check successfully, stop timer T3418 or T3420, respectively, and execute the security mode control procedure. 

If a UE has a PDN connection for emergency bearer services established or is establishing a PDN connection for emergency bearer services when timer T3418 or T3420 expires, the UE shall not deem that the network has failed the authentication check and not behave as described in item f. 

Instead the UE shall continue using the current security context, if any, deactivate all non-emergency EPS bearer contexts, if any, by initiating UE requested PDN disconnect procedure. If there is an ongoing PDN connectivity procedure, the UE shall deactivate all non-emergency EPS bearer contexts upon completion of the PDN connectivity procedure. 

The UE shall start any retransmission timers (e.g. T3410, T3417, T3421 or T3430) if: - they were running and stopped when the UE received the AUTHENTICATION REQUEST message and detected an authentication failure; - the procedures associated with these timers have not yet been completed. The UE shall consider itself to be attached for emergency bearer services only.







Comments

Post a Comment

Popular posts from this blog

5G Deployment Option-3/3a/3x

-
Image
Home                 LTE                NB-IoT            5G(NR-NSA)   Hi Guys today we are learning about 5G deployment options, if you want to know more about other 5G deployment option please  click here Option 3: EN-DC (EUTRA-NR Dual Connectivity) Option 3 represents a network having both LTE and NR radio access, but using only the EPC core of LTE to route the Control signals. In this option, LTE is used as the control plane anchor for NR, and both LTE and NR are used for user data traffic.(user plane). It could also be called as Non-Standalone (NSA) NR in Evolved Packet System. The only difference between Options 3 and 3A is based on whether the user plane data is sent to NR directly or via the LTE RAN. This standardization was concluded in 3GPP Rel-15. This is a possible first step in the migration towards 5G-SA. This option will be most attractive for operators which have early deployments of 5G NR access systems in areas where legacy eNB and EPC a
Read more

DRX (Discontinuous Reception)

-
Image
Home                 LTE                NB-IoT            5G(NR-NSA)   What is DRX and DRX active period? What channels does it monitor in active period? Data transmission between UE and their base stations(eNodeB) uses radio frames with10ms duration, where in each radio frame consists of 10 1ms( 1 frame=10ms duration=10 subframe) subframes. Physical Downlink Control Channel (PDCCH) at the beginning of each subframe indicates whether there is data for UE to receive or not. Devices has to monitor these PDCCHs in each subframe so that it can find out whether they carry any data to receive. Because devices do not receive data in every subframe, this monitoring process naturally leads to high battery consumption.  What is the purpose of DRX? The main purpose of DRX is to lower battery consumption when there is no UL/DL data. means, when there is no traffic(DL/UL) that time devices enter into sleep mode (with RF module turned off) for some period of time as configured by
Read more

5G Deployment Option-7/7a/7x

-
Image
Home                 LTE                NB-IoT            5G(NR-NSA) Hi Guys today we are learning about 5G deployment options, if you want to know more about other 5G deployment option please  click here Option 7: Deployment Option 7 represents a deployment scenario in which the Next Generation Core (NGC) will be used with a mixture of LTE and NR radio.  Next Generation signaling will be used but it will be routed via the LTE RAN because the LTE network is more fully built out and thus more reliable for handling signaling.  Options 7 and 7a differ on whether the user plane data is sent to NR directly or via the LTE RAN. 7/7A/7X require an eLTE upgrade of the existing LTE network at the start. (Difference is UP path Non Standalone ( Dual Connectivity 4G/5G ) Option 7/7A: NSA NR in 5GS. This option is particularly attractive for areas in which legacy LTE eNBs and the EPCs are ready to be upgraded to ngeNBs and the 5GCs.  From the point of
Read more

HARQ RTT Timer

-
Home                 LTE                NB-IoT            5G(NR-NSA)   Hi guys today we are focus on HARQ RTT timer in DL as well as UL for LTE and NB-IOT. What is HARQ RTT Timer? This parameter specifies the min amount of TTIs before a DL HARQ retransmission is expected by the UE. (3GPP TS 36.321 V8.0.0) Simple way to understand: the HARQ Round Trip Time (RTT) timer is defined for UE to sleep during HARQ RTT. When decoding DL TB for one HARQ fails, UE can next retransmission TB after at least HARQ RTT sub frames. While HARQ RTT timer is running, UE need not monitor PDCCH. At HARQ RTT timer expiry, UE resumes PDCCH reception. Two type of HARQ RTT timer is there. HARQ RTT Timer : This parameter specifies the minimum number of subframe(s) before a DL HARQ retransmission is expected by the MAC entity. (3GPP TS 36.321 version 13.3.0 Release 13) UL HARQ RTT Timer : This parameter specifies the minimum amount of subframe(s) before a UL HARQ retransmission grant is e
Read more

DC Carrier in NR

-
Image
Home                 LTE                NB-IoT               5G(NR-NSA) In this article, we will learn the basics of DC Carrier and why it is needed. Why in NR, DC subcarrier is not reserved like LTE? With legacy LTE (4G) it was decided that all devices (UE) should be capable of the maximum carrier bandwidth of 20MHz (UE can also support 10/15/5/3 MHz). This was a reasonable assumption at the time given the relatively modest bandwidth compared to NR, Whereas NR is designed to support very wide bandwidths up to 400MHz (for FR2) and 100Mhz (for FR1) for a single carrier. As well as NR supports multiple numerologies on the same transmitted carrier frequency. It is not necessary that all devices can support up to 400 MHz Bandwidth, hence in NR BWP concept is introduced. (To learn more about BWP Click here ). Note: in the above and below NR case figure, we assume that for each and every BWP have configured some  txDirectCurrentLocation  value.     As shown in the a
Read more

Soft Handover vs Hard Handover

-
Home                 LTE                NB-IoT            5G(NR-NSA) Now before we move to other things like measurements in handover, handover decision, handover procedure, handover interruption time, and mobility robustness optimization, let us take a look into difference between soft handover and hard handover. Soft Handover Hard Handover The handover in which radio links are added and removed in a way that MS always keeps at least one radio link to the UTRAN is known as soft handover. The handover in which all the old radio links in MS are removed before the new radio links are established is known as hard handover. This can also be simplified as make before break This can also be simplified as break before make As call drop rate is lower this handover is used to lower the rate of call drop. In this case higher rates of call drops are found Why soft handover is not included
Read more