Patrick Donegan Senior Analyst, Heavy Reading www.heavyreading.com
on behalf of
www.symantec.com
May 2012
HEAVY READING | MAY 2012 | WHITE PAPER | AUTHENTICATION AS A SERVICE FOR LTE BASE STATIONS 2
New Network Security Challenges in LTE

The 3GPP network architecture changes in some fundamental ways in the transition from 3G to LTE. These changes have a major impact on the way security is provided in the mobile network, including the authentication of base stations, or eNodeBs, in the network.
These changes in the LTE architecture and their security implications can be summarized as follows:
- The RNC is no longer a dedicated node in LTE. Instead, its functions are distributed between the Evolved Packet Core and the eNodeB. This increases the operator's exposure in LTE compared with 3G, since the 3GPP encryption that is instantiated in the end-user device now terminates in the eNodeB rather than the RNC. From a security perspective, in LTE the 3GPP encryption now terminates at many sites at the edge of the mobile network, instead of at a handful of nodes located much deeper in the network.
- Whereas 3G was originally designed with TDM backhaul in mind, LTE was designed to be launched with IP/Ethernet backhaul. From a security point of view, 3G was originally designed to be deployed with a highly secure backhaul technology, whereas LTE is required to be deployed with a backhaul technology with known security vulnerabilities that are exploited and extended by large numbers of hackers and attackers every day.
- To keep up with the huge growth in mobile broadband data consumption, mobile operators recognize that in the coming years they will need to start supplementing their macro and microcell layers with new public access small cells. Designed to be mounted on building walls, bus stops, lampposts and the like, these public access small cells are envisaged by mobile operators at a density of four to eight or even more per macro cell. Precisely because the small cell deployment model assumes such easily accessible locations, these sites will inevitably be much more vulnerable to tampering and security breaches than conventional macro and micro cells, which have strong physical protection against intrusion and unauthorized intervention.

Figure 1: Authentication and Encryption in 3G and LTE Networks
Source: Heavy Reading
As formally recognized by the Next Generation Mobile Network (NGMN) Alliance in its February 2012 White Paper on "Security in LTE Backhauling," the primary threats that arise in the context of the LTE network are:
- Insider attacks: abuse of administrator rights (eNodeB or Cell Site Gateway access)
- External attacks via networks: from the Internet or another PDN, from the GPRS roaming exchange or another PLMN, from an external transport network or an external non-3GPP access network
- External attacks on physical access to the network: on the radio interfaces, tampering with easily accessible sites (e.g., small cells), unauthorized physical access to network ports
- Attacks from mobiles
To mitigate these security vulnerabilities in LTE, 3GPP provides for the use of IPsec authentication and encryption between the eNodeB and the core network. This is designed to protect the integrity of user traffic and the network wherever the operator considers the backhaul network to be what 3GPP defines as "untrusted."
Three years ago, when most operators first started contemplating LTE deployments, it was common for them to resist the use of IPsec on the grounds that it would add cost and complexity to the network. But Figure 2 shows how the position of mobile operators has shifted over the last couple of years.
Figure 2: Adoption of IPsec for LTE

Question: "For the first three years following the launch of LTE, to what extent do you expect that IPsec will be needed between the LTE cell site and the LTE core?"

% of all operators                                              Sept. 2011 Mobile Security Survey   Dec. 2010 Backhaul Survey
All cell sites will need IPsec implemented                      37%                                 20%
At least half of all cell sites will need IPsec implemented     11%                                 13%
A subset of cell sites will need IPsec implemented              12%                                 19%
IPsec will probably not be needed in the backhaul               15%                                 17%
IPsec will definitely not be needed in the backhaul              5%                                  1%
It's still unclear at this stage                                20%                                 29%

Source: Heavy Reading; n=83 (2010) and 84 (2011)
As shown in Figure 2, two separate surveys of more than 80 qualified network-oriented professionals, carried out in December 2010 and then again in September 2011, demonstrate growing acceptance of the need for IPsec to secure the LTE network. 48 percent of respondents in September 2011 reckoned that IPsec will be required at at least half of LTE cell sites, compared with just 33 percent in December 2010. 37 percent reckoned it will be needed at all LTE cell sites in September 2011, compared with just 20 percent nine months earlier.
Authentication of eNodeBs Using PKI

According to 3GPP TS 33.310, where IPsec is deployed by the mobile operator this protocol necessarily provides the encryption of traffic between the eNodeB and the core of the LTE network.
Where the authentication of the eNodeB is concerned, however, 3GPP provides a choice of model:
- The first option is to use a manual, so-called "shared secret," authentication model. This entails a field engineer manually entering a cryptographic key at the cell site during the initial setup process. That pre-shared key will have been generated by the operator's own operations team. Once it is inputted at the new cell site by the field engineer, it is recognized as legitimate and trusted, and the eNodeB will duly be authenticated by the network.
- The second option is to deploy Public Key Infrastructure (PKI) with IPsec, based on the Internet Key Exchange Version 2 (IKEv2) and Certificate Management Protocol Version 2 (CMPv2).
While most operators that have launched LTE so far have done so using the manual shared secret authentication model, there are good grounds for thinking that over time, operators will want to start adopting the PKI model.
- The manual inputting of shared secret keys into each eNodeB by an operative, while preserving the key's secrecy, is prone to human error, and hence potentially expensive from an opex perspective. Automating symmetric key management using proprietary solutions is liable to be expensive as well.
- In the interests of security, shared secret keys should be changed regularly. Managing that program of key renewal without affecting operational stability, together with the site visits needed to carry out the changes, is also potentially expensive from an opex perspective.
- As previously pointed out, the introduction of public access small cells into the network will accelerate the rate at which cell sites are deployed. As a result, the operational challenges of a manual shared secret key model will become increasingly acute as the operator looks to scale LTE capacity with growing subscriber and data traffic volumes.
- The growth of machine-to-machine applications using LTE will grow the number of end points in the network still further, amplifying the challenge posed by the growing number of cell sites.
- As shown immediately below, the automated PKI authentication model defined by 3GPP introduces an additional layer of security into the authentication process compared with the manual shared secret model.
3GPP's Model for Certificate Enrollment in a PKI Environment

Figure 3 shows the basic 3GPP architecture for PKI-based authentication of eNodeBs in LTE. A RAN vendor provides its own root certificate to the mobile operator. That root certificate is then pre-installed in the mobile operator's Registration Authority (RA) or Certification Authority (CA). That then serves as the primary source of trust, enabling multiple certificates to be issued by the CA to the eNodeB according to what is, in essence, a client-server model.
The two-way authentication is enabled by the vendor's own signed certificate being pre-installed in the eNodeB. Importantly, as mandated by 3GPP, the authentication is supported by the use of the Certificate Management Protocol Version 2 or CMPv2, an Internet protocol used to manage the request and distribution of X.509 digital certificates within a PKI solution.
Once authenticated, the eNodeB is authorized to instantiate one or more IPsec encryption tunnels and send IPsec-encrypted traffic across the network towards the core, where the traffic is decrypted at the Security Gateway (SEG); this is in part enabled by the operator's own root certificate being pre-installed.

Enhancements to Existing PKI Systems Based on Internet Protocols

3GPP's approach to PKI draws entirely from existing Internet protocols. The main way in which 3GPP's deployment model materially differs from most other PKI implementations is that it is among the first to leverage the CMPv2 protocol, and among the first to leverage one particular advanced feature of CMPv2. This is the capability of CMPv2, rendered mandatory by 3GPP for LTE, to use two certificates, a Vendor Base Station Certificate and an Operator Base Station Certificate, rather than just the one used in most PKI systems up until now.
In the LTE environment, the mobile operator has its own certificate, much as any enterprise running its own PKI would. In addition, however, the authentication mechanism prescribed by 3GPP leverages the advanced features of CMPv2 to require a second certificate. This is the RAN vendor's own certificate, which it assigns to the eNodeB during the manufacturing process. The vendor's certificate is then required to authenticate the initial request for the operator's certificate upon turning up each LTE eNodeB to commercial service for the very first time. This vendor certificate effectively replaces a One Time Password, which has to be entered manually in typical enterprise PKIs.

Figure 3: Certificate Enrollment for eNodeBs in LTE
Source: 3GPP TS 33.310
After the initial authentication of the eNodeB at the time of service turn-up, all subsequent update certificates for that eNodeB are authenticated solely by the operator's certificate, according to traditional PKI models. Importantly, however, the requirement for the second certificate to participate in the authentication at the point of service turn-up provides a valuable additional layer of security. This goes above and beyond the security and automation provided by the manual shared secret model, and above and beyond what is provided by most present-day PKI models in the enterprise environment.
From the perspective of designing and operating a CA for LTE authentication, relatively few changes should be required to render existing PKI equipment and system parameters compliant with 3GPP requirements for LTE. In addition to support for CMPv2, including the ability to enable a dual certificate signature model at the initial point of service turn-up, two other enhancements to existing PKI systems are liable to be required to render them 3GPP-compliant:
- Since base stations are objects rather than human operatives, the CA needs to be able to support eNodeB serial numbers in issuing certificates, rather than the user names of individual operatives, as has been typical with PKI systems until now.
- If an LTE eNodeB is legitimate, it can only have an IP address from within the mobile operator's own unique IP address range. Therefore, a CA needs to be able to restrict issuing certificates to within that specified IP address range.

PKI Authentication: A Mobile Operator's Core Competency?

There is little in the changes to the LTE security architecture that would make a mobile operator want to radically alter its present-day operating model so far as the right-hand side of Figure 3 is concerned. So whether the operator runs its network itself or outsources the operation of parts of the network to a vendor partner, the operator will deploy and manage its SEG and eNodeBs in much the same way as it manages its 3G network infrastructure.
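The enrollment model of Figure 3 and the two CA-side requirements listed under the previous heading, worked through as an added example in Go. This is not code from the white paper, from 3GPP or from any vendor or operator: it uses only the standard library's crypto/x509 package, stands in for the CMPv2 message exchange with direct function calls, and the CA names, the serial number, the address range and the `enroll` function are all assumptions made for the demonstration. The vendor's root is the only trust anchor accepted at first turn-up; afterwards only the operator's own certificate is accepted, a request whose subject is not the authenticated serial number is refused, and so is a request for an address outside the operator's range.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; every key and certificate here is constructed in memory for this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is a minimal certification authority: a signing key and its self-signed root.
type ca struct{ key *ecdsa.PrivateKey; root *x509.Certificate }

func (c *ca) sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, c.key))
	return must(x509.ParseCertificate(der))
}

func newCA(name string) *ca {
	c := &ca{key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	c.root = c.sign(tmpl, tmpl, &c.key.PublicKey) // parent == template: self-signed
	return c
}

// issue signs a base station certificate: subject = eNodeB serial number, IP SAN = backhaul address.
func (c *ca) issue(serial string, ip net.IP, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: serial},
		IPAddresses: []net.IP{ip}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return c.sign(tmpl, c.root, pub)
}

// operatorCA is the operator's CA with the vendor root pre-installed and the operator's own address ranges.
type operatorCA struct {
	*ca
	vendorRoots *x509.CertPool
	ipRanges    []*net.IPNet
}

// enroll handles a certificate request. At first turn-up (initial) the request is authenticated with the
// vendor base station certificate, afterwards only with the operator certificate issued earlier. Then the
// two CA-side checks: the subject must be the authenticated serial number and the address an operator one.
func (o *operatorCA) enroll(auth *x509.Certificate, serial string, ip net.IP, pub *ecdsa.PublicKey, initial bool) (*x509.Certificate, error) {
	roots := o.vendorRoots
	if !initial {
		roots = x509.NewCertPool()
		roots.AddCert(o.root)
	}
	if _, err := auth.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, fmt.Errorf("authentication certificate rejected: %w", err)
	}
	if auth.Subject.CommonName != serial {
		return nil, fmt.Errorf("request for %s does not match authenticated serial %s", serial, auth.Subject.CommonName)
	}
	for _, n := range o.ipRanges {
		if n.Contains(ip) {
			return o.issue(serial, ip, pub), nil
		}
	}
	return nil, fmt.Errorf("address %s is outside the operator's ranges", ip)
}

// scenario runs an initial enrollment, a renewal and two requests that must be refused (nil error = issued).
func scenario() map[string]error {
	vendor, rogue, op := newCA("Vendor Root"), newCA("Rogue Root"), newCA("Operator Root")
	vendorRoots := x509.NewCertPool()
	vendorRoots.AddCert(vendor.root)             // only the real vendor's root is pre-installed at the operator RA/CA
	_, opNet, _ := net.ParseCIDR("10.20.0.0/16") // constructed operator backhaul range
	ra := &operatorCA{ca: op, vendorRoots: vendorRoots, ipRanges: []*net.IPNet{opNet}}
	enb, serial, ip := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), "ENB-00012345", net.ParseIP("10.20.7.9")
	vendorCert := vendor.issue(serial, ip, &enb.PublicKey) // install at manufacturing time; serial is constructed
	out := map[string]error{}
	opCert, err := ra.enroll(vendorCert, serial, ip, &enb.PublicKey, true)
	out["initial enrollment"] = err
	if err == nil {
		_, out["renewal"] = ra.enroll(opCert, serial, ip, &enb.PublicKey, false)
	}
	_, out["untrusted vendor"] = ra.enroll(rogue.issue(serial, ip, &enb.PublicKey), serial, ip, &enb.PublicKey, true)
	_, out["foreign address"] = ra.enroll(vendorCert, serial, net.ParseIP("192.0.2.10"), &enb.PublicKey, true)
	return out
}

func main() { fmt.Println(scenario()) }
```

Running it prints a map in which only the initial enrollment and the renewal carry a nil error; the request signed by a root the operator never installed fails chain validation, and the request for an address outside 10.20.0.0/16 is refused by the CA policy even though its vendor certificate is valid.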
The same is not so true of the left-hand side of Figure 3, however. Designing, operating and maintaining a PKI solution, with its own CA at the heart of it, on the scale that is liable to be required for LTE represents a new security model compared with what most mobile operators are used to.
Moreover, there are a number of security specialists that are experienced in offering cloud-based certification services as a managed service and are tailoring their capabilities to the mobile operator sector to align with the emerging market requirements for LTE.
It is for this reason that when mobile operators come to roll out LTE, they need to look carefully at the case for leasing authentication as a service from a leading cloud-based provider, as well as the case for building their own PKI infrastructure from scratch.
Self-Build PKI Solutions for LTE

PKI infrastructure is a relatively mature technology and has been widely deployed in enterprise and telco environments for many years. Some mobile operators may even have some experience of using it on the IT side of the house, for example for improving WLAN security with 802.1x, securing internal and external websites, signing code and sensitive documents, and the like.
Until now, however, mobile operators have had no reason to deploy a PKI infrastructure on the telco side of the house as a part of the security infrastructure for the cellular network infrastructure itself.
There is no reason at all why a mobile operator can't build its own PKI infrastructure. If it takes the view that, as a part of its security solution, PKI should not be outsourced, or that the act of outsourcing is itself a security risk, then, provided the operator invests enough capex and opex, there is nothing to stop the operator going down the self-build route.
The following is a high-level perspective on the primary elements of a PKI solution that are needed to support an LTE deployment and the design and management capabilities that are needed to support it.
- The PKI equipment. This is pretty straightforward. The operator basically needs to invest in some standard server equipment and some PKI software, together with some hardware security modules. There is certainly nothing unduly taxing about that capital outlay.
- The design of the PKI data center facility. This gets trickier. Obviously, this requires real estate in the operator's facilities. A PKI infrastructure that supports a service open to the general public, as a mobile operator's is, also needs to house the equipment in highly secure data center facilities that conform to strict security auditing standards. In Europe, for example, these auditing standards are laid down in ETSI TS 101456. To begin with, many mobile operators won't have the in-house expertise to design such a facility in a manner that would pass an annual audit. That would therefore typically require either hiring a full-time person or a short-term contractor, which introduces project risk once the individual's contract has expired. Walls and doors should meet certain high-specification security standards in terms of thickness and other quality and security criteria. And access control needs to be carefully designed. One example is so-called "man-trap" doors, similar to those sometimes installed in banks, so that only one person at a time can enter through each secure door, which closes immediately behind them.
- Operational headcount and processes. Depending on the level of sophistication the operator wants to deploy, a PKI data center is likely to require staffing by anywhere from three to eight full-time employees. PKI policies and operational processes need to be defined. Operational processes also need to be highly secure. This means, for example, that while it might be optimal from a cost point of view to have the same individual charged with a variety of tasks in managing the PKI infrastructure, security requirements should in fact prohibit certain combinations of tasks being assigned to the same person, lest that person become a security risk in their own right. Interoperability between the PKI infrastructure and each release of the RAN vendor's eNodeBs and the SEG also needs to be managed.
With enough investment in facilities, people, equipment and processes, a mobile operator should certainly be capable of running its own PKI infrastructure to a high standard. But getting PKI security right is decidedly non-trivial. There have, for example, been instances of PKI CAs being shut down after security breaches resulting in the CA issuing fraudulent certificates.
Base Station Authentication as a Service

Integrated incumbent telecom operators as well as pure-play mobile operators have tended to reduce rather than increase headcount in recent years. They have been and remain under pressure from a rebalancing of revenues from voice to data and the increasing challenges of keeping up with the growth in data traffic without materially exceeding sustainable levels of capex and opex.
Mobile operators continue to look to allocate limited human and capital resources into areas that will maximize cost savings or new revenues. And as they do so, every cost center is one that needs to be carefully evaluated according to whether it can most successfully be performed in-house or outsourced to third parties that can offer concentrated expertise or scale, or both, in an area that may be outside the operator's core competence.
There are several reasons for considering authentication of LTE network elements as a potential candidate for outsourcing. To begin with, this is a model in which the operator's user traffic remains entirely within the mobile operator's domain. So not only is it just control traffic that exits the mobile operator's network to a managed service provider under this model, it is also a relatively small proportion of the operator's control traffic.
The model is also based on mature PKI standards that are not only widely deployed in telecom and IT markets worldwide but also adapted and embraced by 3GPP. Moreover, there are a number of managed service providers, such as Symantec, that have track records in providing cloud-based authentication services at scale based on these standards, albeit not yet for mobile operators rolling out LTE.
Let's begin with the cost of the infrastructure itself. A managed service provider selling authentication as a service should be able to leverage its facilities, its PKI infrastructure and its specialized, skilled personnel a lot more cost-efficiently than the operator can by building out its own dedicated facilities and hiring its own dedicated people. This is particularly pertinent in the case of the marginal cost associated with security processes requiring that certain tasks be distributed across different personnel, rather than concentrated in one person.
With a managed services approach, the up-to-the-minute PKI expertise is also permanently available to the mobile operator, whereas in a self-build model these experts might only be brought in for the initial setup phase and perhaps brought back in again intermittently, according to a model which risks being less seamless as well as potentially more expensive.
Given that it is designed to support several different mobile operators, a managed service provider should be able to support an ongoing program of interoperability between its PKI infrastructure and different vendors' RAN and core infrastructure at a significantly lower cost than an operator can support investing in this capability by itself.
The SLAs for an LTE Authentication Model

For a mobile operator to have confidence in a managed service provider delivering authentication as a service, the managed service provider needs to be able to commit to an SLA that meets the mobile operator's requirements exactly. This means being highly attuned to the unique requirements of the LTE network.
First and foremost, mobile operators don't want "support" of the conventional kind written into an SLA for authentication as a service. They typically don't want to be able to send a question to a support team and be guaranteed a response within a specified number of hours. The mobile operator is typically not going to want to receive a "trouble ticket." Rather, they are likely to want the managed service provider itself to proactively monitor, manage and troubleshoot the PKI service.
The availability of the CA to the mobile operator needs to be nailed down in the SLA. This needs to be done not just by specifying no more than a given number of hours of non-availability per month. At a more granular level, the SLA also needs to specify that no single incident of non-availability will last longer than a specified number of minutes, and that none of the total allowable downtime will fall within specified hours of the day when the operator is most likely to need to carry out changes to the RAN infrastructure.
Processing time also needs to be defined. For example, when the mobile operator sends a certificate request to the CA as it looks to turn up a new eNodeB to commercial service, the SLA needs to specify that it will receive a response within a specified timeframe. The same processing times need to be defined with respect to the maximum time allowed to pre-approve, revoke and validate certificates, depending on the specific operator's requirements. Another area requiring definition is the volume of transactions: for example, the maximum daily volume of certificates that the operator is entitled to, as well as the frequency with which they can be requested consecutively.

Figure 4: Process Flow in a PKI Managed Service Model for LTE
Source: Symantec
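The SLA terms discussed above (monthly non-availability, maximum single incident, protected hours, processing time and daily certificate volume) checked mechanically over a month of records, as an added example in Go. It is not part of the white paper and not Symantec's or any provider's service code; the limits in `sampleSLA`, the outage and request records in `sampleMonth` and the `evaluate` function are all constructed for the demonstration, and an operator would feed it the provider's availability and transaction logs instead. The protected-hours check walks each outage minute by minute, so an outage that begins before the window but runs into it is still reported, and the window may wrap midnight.

```go
package main

import (
	"fmt"
	"time"
)

// sla holds the terms the text says an LTE authentication SLA must pin down (values are constructed below).
type sla struct {
	maxMonthlyDowntime time.Duration // total non-availability allowed per month
	maxIncident        time.Duration // longest single outage allowed
	protectedFrom      int           // UTC hours [protectedFrom, protectedTo) in which no downtime may occur;
	protectedTo        int           // protectedTo < protectedFrom means the window wraps midnight
	maxLatency         time.Duration // response time allowed for a certificate request
	maxCertsPerDay     int           // daily certificate volume the operator is entitled to
}

type outage struct{ start, end time.Time }

type request struct {
	kind    string // "issue", "revoke" or "validate"
	sent    time.Time
	latency time.Duration
}

func (s sla) inProtectedHours(h int) bool {
	if s.protectedFrom <= s.protectedTo {
		return h >= s.protectedFrom && h < s.protectedTo
	}
	return h >= s.protectedFrom || h < s.protectedTo // window wraps midnight
}

// touchesProtectedHours walks the outage minute by minute, so one that starts outside the window but runs into it is caught.
func (s sla) touchesProtectedHours(o outage) bool {
	for t := o.start; t.Before(o.end); t = t.Add(time.Minute) {
		if s.inProtectedHours(t.UTC().Hour()) {
			return true
		}
	}
	return false
}

// evaluate checks one calendar month of records and returns one line per breach; none means compliance.
func evaluate(s sla, outages []outage, reqs []request) (breaches []string) {
	add := func(format string, a ...any) { breaches = append(breaches, fmt.Sprintf(format, a...)) }
	var total time.Duration
	for _, o := range outages {
		d := o.end.Sub(o.start)
		total += d
		if d > s.maxIncident {
			add("outage at %s lasted %s, limit %s", o.start.Format(time.RFC3339), d, s.maxIncident)
		}
		if s.touchesProtectedHours(o) {
			add("outage at %s fell within protected hours", o.start.Format(time.RFC3339))
		}
	}
	if total > s.maxMonthlyDowntime {
		add("monthly downtime %s exceeds %s", total, s.maxMonthlyDowntime)
	}
	var perDay [32]int // certificates issued per day of the month, indexed by day
	for _, r := range reqs {
		if r.latency > s.maxLatency {
			add("%s request at %s took %s, limit %s", r.kind, r.sent.Format(time.RFC3339), r.latency, s.maxLatency)
		}
		if r.kind == "issue" {
			perDay[r.sent.UTC().Day()]++
		}
	}
	for day, n := range perDay {
		if n > s.maxCertsPerDay {
			add("%d certificates issued on day %d, limit %d", n, day, s.maxCertsPerDay)
		}
	}
	return breaches
}

// Constructed SLA terms and one month of constructed records for a hypothetical service.
var sampleSLA = sla{maxMonthlyDowntime: 60 * time.Minute, maxIncident: 15 * time.Minute, protectedFrom: 1, protectedTo: 5, maxLatency: 30 * time.Second, maxCertsPerDay: 500}

func at(day, hour, min int) time.Time { return time.Date(2012, time.May, day, hour, min, 0, 0, time.UTC) }

func sampleMonth() ([]outage, []request) {
	outages := []outage{
		{at(3, 10, 0), at(3, 10, 8)},    // 8 min: within limits
		{at(11, 14, 0), at(11, 14, 25)}, // 25 min: longer than any single incident may last
		{at(20, 2, 30), at(20, 2, 40)},  // 10 min, but inside the protected 01:00-05:00 window
	}
	reqs := []request{
		{"issue", at(4, 9, 0), 5 * time.Second},
		{"issue", at(8, 11, 0), 45 * time.Second}, // slower than the 30 s response commitment
	}
	for i := 0; i < 501; i++ { // a bulk turn-up day exceeding the daily entitlement of 500
		reqs = append(reqs, request{"issue", at(15, 8, i%60), 2 * time.Second})
	}
	return outages, reqs
}

func main() { o, r := sampleMonth(); fmt.Println(evaluate(sampleSLA, o, r)) }
```

For the constructed month the total downtime of 43 minutes stays under the 60-minute cap, so four breaches are reported: the 25-minute incident, the outage inside protected hours, the 45-second certificate request and the day on which 501 certificates were issued.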
Conclusion

With encryption and authentication terminating in the eNodeB, LTE presents new security exposures for mobile operators. 3GPP has anticipated these and provides for IPsec to defend against these new exposures.
Mobile operators increasingly recognize that while IPsec may only be an option in 3GPP, it will increasingly be required as LTE is rolled out. The question of whether the authentication of each eNodeB should be done manually or automatically leveraging mature PKI standards is more or less a no-brainer. Over time, the manual shared secret model simply won't scale well.
The next question that operators will need to consider carefully is whether or not to invest capex and opex in their own facilities and extra headcount to build up this sophisticated authentication capability in-house.
In days gone by, self-build would have typically been the first instinct of the mobile operator's management team. But we are now in an era when mobile network operating margins will increasingly come under pressure, and when specialist and managed service providers can also offer cloud-based services such as network authentication at potentially significantly lower cost. In this era, mobile operators need to think very carefully about whether a self-build model still aligns with their security, revenue and margin goals, or whether buying in base station authentication as a service could start to look like a more compelling option.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help our customers, from consumers and small businesses to the largest global organizations, secure and manage their information and identities independent of device. Symantec does this by bringing together leading software and cloud solutions that work seamlessly across multiple platforms, giving customers the freedom to use the devices of their choice and to access, store and transmit information anytime, anywhere.
We ensure that sensitive data is protected through all phases of its use. This information-centric approach makes data protection more intelligent, policy-driven and easier to manage. By leveraging our already rich experience in securing and managing information, Symantec has rounded out the portfolio by acquiring new capabilities, building new solutions, and integrating encryption and policy management capabilities into the authentication services.
Symantec has a strong focus on the communication service provider industry. With its solutions it protects 9 out of the 10 largest telecom companies worldwide. Symantec operates the largest and most comprehensive PKI solutions for enterprises and service providers available on the market today, and has been doing so since 1995. More than 200 million device certificates have been issued to date.