Heavy Reading Authentication As A Service WP - en Us


White Paper

Authentication as a Service for LTE Base Stations

Prepared by
Patrick Donegan
Senior Analyst, Heavy Reading
www.heavyreading.com

on behalf of
www.symantec.com

May 2012




HEAVY READING | MAY 2012 | WHITE PAPER | AUTHENTICATION AS A SERVICE FOR LTE BASE STATIONS 2


New Network Security Challenges in LTE
The 3GPP network architecture changes in some fundamental ways in the
transition from 3G to LTE. These changes have a major impact on the way
security is provided in the mobile network, including the authentication of
base stations, or eNodeBs, in the network.



These changes in the LTE architecture and their security implications can be
summarized as follows:

- The RNC is no longer a dedicated node in LTE. Instead, its functions are
  distributed between the Evolved Packet Core and the eNodeB. This increases
  the operator's exposure in LTE compared with 3G, since the 3GPP encryption
  that is instantiated in the end-user device now terminates in the eNodeB
  rather than the RNC. From a security perspective, in LTE the 3GPP encryption
  now terminates at many sites at the edge of the mobile network, instead of a
  handful of nodes located much deeper in the network.
- Whereas 3G was originally designed with TDM backhaul in mind, LTE was
  designed to be launched with IP/Ethernet backhaul. From a security point of
  view, 3G was originally designed to be deployed with a highly secure backhaul
  technology, whereas LTE is required to be deployed with a backhaul
  technology with known security vulnerabilities that are exploited and
  extended by large numbers of hackers and attackers every day.
- To keep up with the huge growth in mobile broadband data consumption,
  mobile operators recognize that in the coming years they will need to start
  supplementing their macro and microcell layers with new public access small
  cells. These small cells are designed to be mounted on building walls, bus
  stops, lampposts and the like, and mobile operators envisage deploying four
  to eight or even more of them per macro cell. Precisely because the small cell
  deployment model assumes such easily accessible locations, these sites will
  inevitably be much more vulnerable to tampering and security breaches than
  conventional macro and micro cells that have strong physical protection
  against intrusion and unauthorized intervention.

Figure 1: Authentication and Encryption in 3G and LTE Networks
Source: Heavy Reading

As formally recognized by the Next Generation Mobile Network (NGMN) Alliance
in its February 2012 White Paper on "Security in LTE Backhauling," the primary
threats that arise in the context of the LTE network are:

- Insider attacks: abuse of administrator rights (eNodeB or Cell Site Gateway
  access)
- External attacks via networks: from the Internet or another PDN, from a GPRS
  roaming exchange or another PLMN, from an external transport network or an
  external non-3GPP access network
- External attacks on physical access to the network: on the radio interfaces,
  tampering with easily accessible sites (e.g., small cells), unauthorized
  physical access to network ports
- Attacks from mobiles

To mitigate these security vulnerabilities in LTE, 3GPP provides for the use of IPsec
authentication and encryption between the eNodeB and the core network. This is
designed to protect the integrity of user traffic and the network wherever the
operator considers the backhaul network to be what 3GPP defines as "untrusted."

Three years ago, when most operators first started contemplating LTE deploy-
ments, it was common for them to resist the use of IPsec on the grounds that it
would add cost and complexity to the network. But Figure 2 shows how the
position of mobile operators has shifted over the last couple of years.


Figure 2: Adoption of IPsec for LTE
Question: "For the first three years following the launch of LTE, to what extent do you expect
that IPsec will be needed between the LTE cell site and the LTE core?"

% OF ALL OPERATORS                                           | SEPT. 2011 MOBILE SECURITY SURVEY | DEC. 2010 BACKHAUL SURVEY
All cell sites will need IPsec implemented                   | 37%                               | 20%
At least half of all cell sites will need IPsec implemented  | 11%                               | 13%
A subset of cell sites will need IPsec implemented           | 12%                               | 19%
IPsec will probably not be needed in the backhaul            | 15%                               | 17%
IPsec will definitely not be needed in the backhaul          | 5%                                | 1%
It's still unclear at this stage                             | 20%                               | 29%

Source: Heavy Reading; n=83 (2010) and 84 (2011)






As shown in Figure 2, two separate surveys of more than 80 qualified network-
oriented professionals carried out in December 2010 and then again in September
2011 demonstrate growing acceptance of the need for IPsec to secure the LTE
network. 48 percent of respondents in September 2011 reckoned that IPsec will be
required at a minimum of half of all LTE cell sites, compared with just 33 percent
in December 2010. 37 percent reckoned it will be needed at all LTE cell sites in
September 2011, compared with just 20 percent nine months earlier.

Authentication of eNodeBs Using PKI
According to 3GPP TS 33.310, where IPsec is deployed by the mobile operator this
protocol necessarily provides the encryption of traffic between the eNodeB and
the core of the LTE network.

Where the authentication of the eNodeB is concerned, however, 3GPP provides a
choice of model:

- The first option is to use a manual, so-called "shared secret," authentication
  model. This entails a field engineer manually entering a cryptographic key at
  the cell site during the initial setup process. That pre-shared key will have been
  generated by the operator's own operations team. Once it is entered at the
  new cell site by the field engineer, it is recognized as legitimate and trusted
  and the eNodeB will duly be authenticated by the network.
- The second option is to deploy Public Key Infrastructure (PKI) with IPsec, based
  on the Internet Key Exchange Version 2 (IKEv2) and Certificate Management
  Protocol Version 2 (CMPv2).

While most operators that have launched LTE so far have done so using the
manual shared secret authentication model, there are good grounds for thinking
that over time, operators will want to start adopting the PKI model.

- Manually entering shared secret keys into each eNodeB while preserving their
  secrecy is prone to human error, and hence potentially expensive from an opex
  perspective. Automating symmetric key management with proprietary solutions
  is liable to be expensive, as well.
- In the interests of security, shared secret keys should be changed regularly.
  Managing that program of key renewal without affecting operational stability,
  together with the necessary site visits to carry out changes, is also potentially
  expensive from an opex perspective.
- As previously pointed out, the introduction of public access small cells into the
  network will accelerate the rate at which cell sites are deployed in the mobile
  network. As a result, the operational challenges of a manual shared secret key
  model will become increasingly acute as the operator looks to scale LTE
  capacity with growing subscriber and data traffic volumes.
- The growth of machine-to-machine applications using LTE will grow the
  number of end points in the network still further, amplifying the challenge
  posed by the growth in the number of cell sites.
- As shown immediately below, the automated PKI authentication model as
  defined by 3GPP introduces an additional layer of security into the
  authentication process as compared with the manual shared secret model.






3GPP's Model for Certificate Enrollment in a PKI Environment
Figure 3 shows the basic 3GPP architecture for PKI-based authentication of
eNodeBs in LTE. A RAN vendor provides its own root certificate to the mobile
operator. That root certificate is then pre-installed in the mobile operator's
Registration Authority (RA) or Certification Authority (CA). It then serves as the
primary source of trust, enabling multiple certificates to be issued by the CA to the
eNodeB according to what is, in essence, a client-server model.



The two-way authentication is enabled by the vendor's own signed certificate
being pre-installed in the eNodeB. Importantly, as mandated by 3GPP, the
authentication is supported by the use of the Certificate Management Protocol
Version 2 or CMPv2, an Internet protocol used to manage the request and
distribution of X.509 digital certificates within a PKI solution.

Once authenticated, the eNodeB is authorized to instantiate one or more IPsec
tunnels and send traffic across the network towards the core under IPsec
encryption; the traffic is decrypted at the Security Gateway (SEG), enabled in
part by the operator's own root certificate being pre-installed there.

Enhancements to Existing PKI Systems Based on Internet Protocols
3GPP's approach to PKI draws entirely from existing Internet protocols. The main
way in which 3GPP's deployment model materially differs from most other PKI
implementations is that it is among the first to leverage the CMPv2 protocol, and
among the first to leverage one particular advanced feature of CMPv2: the
capability, rendered mandatory by 3GPP for LTE, to use two certificates, a Vendor
Base Station Certificate and an Operator Base Station Certificate, rather than
just one, as in the model used in most PKI systems up until now.

In the LTE environment, the mobile operator has its own certificate, much as any
enterprise running its own PKI would. In addition, however, the authentication
mechanism prescribed by 3GPP leverages the advanced features of CMPv2 to
require a second certificate. This is the RAN vendor's own certificate, which it
assigns to the eNodeB during the manufacturing process. The vendor's certificate
is then required to authenticate the initial request for the operator's certificate
upon turning up each LTE eNodeB to commercial service for the very first time. This
vendor certificate effectively replaces a One Time Password, which has to be
entered manually in typical enterprise PKIs.

Figure 3: Certificate Enrollment for eNodeBs in LTE
Source: 3GPP TS 33.310

After the initial authentication of the eNodeB at the time of service turn-up, all
subsequent update certificates for that eNodeB are authenticated solely by the
operator's certificate according to traditional PKI models. Importantly, however,
the requirement for the second certificate to participate in the authentication at
the point of service turn-up provides a valuable additional layer of security. This
goes above and beyond the security and automation provided by the manual
shared secret model and above and beyond what is provided by most present-
day PKI models in the enterprise environment.

From the perspective of designing and operating a CA for LTE authentication,
relatively few changes should be required to render existing PKI equipment and
system parameters compliant with 3GPP requirements for LTE. In addition to
support for CMPv2, including the ability to enable a dual certificate signature
model at the initial point of service turn-up, two other enhancements to existing
PKI systems are liable to be required to render them 3GPP-compliant:

- Since base stations are objects rather than human operatives, the CA needs
  to be able to support eNodeB serial numbers in issuing certificates, rather than
  the user names of individual operatives, as has been typical with PKI systems
  until now.
- If an LTE eNodeB is legitimate, it can only have an IP address that comes from
  within the mobile operator's own unique IP address range. Therefore, a CA
  needs to be able to restrict issuing certificates to within that specified IP
  address range.

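The enrolment checks described above, the dual-certificate model (vendor certificate for the very first turn-up request, operator certificate for every later update), serial-number subjects and the operator address range, as an added Go example that is not part of this paper or of 3GPP TS 33.310. The CA names, the ENB-SN-nnnnnnnn serial format and the 10.20.0.0/16 range are constructed assumptions; the CMPv2 message handling itself is not modelled, only the policy gate a CA would apply to an authenticated request.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"regexp"
	"time"
)

// mkCert issues a certificate for cn signed by parent; a nil parent gives a self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // only the roots may sign certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

var serialRe = regexp.MustCompile(`^ENB-SN-[0-9]{8}$`) // assumed serial format; vendor specific in practice

// Policy is the enrolment gate in front of the operator CA.
type Policy struct {
	VendorRoots   *x509.CertPool // vendor root pre-installed in the RA/CA
	OperatorRoots *x509.CertPool // the operator's own root
	OperatorNet   *net.IPNet     // address range legitimate eNodeBs come from
}

// Authorize checks one request authenticated by the presented certificate: source in the
// operator range, serial-number subject, vendor root for the initial request, operator root later.
func (p *Policy) Authorize(initial bool, presented *x509.Certificate, src net.IP) error {
	if !p.OperatorNet.Contains(src) {
		return fmt.Errorf("source %s is outside the operator range %s", src, p.OperatorNet)
	}
	if !serialRe.MatchString(presented.Subject.CommonName) {
		return fmt.Errorf("subject %q is not an eNodeB serial number", presented.Subject.CommonName)
	}
	roots := p.OperatorRoots
	if initial {
		roots = p.VendorRoots
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to the expected root: %w", err)
	}
	return nil
}

// BuildDemo creates a vendor PKI and an operator PKI with constructed names and
// returns the policy plus a vendor and an operator base station certificate.
func BuildDemo() (*Policy, *x509.Certificate, *x509.Certificate) {
	vendorRoot, vendorKey := mkCert("Example RAN Vendor Root CA", true, nil, nil)
	operatorRoot, operatorKey := mkCert("Example Operator Root CA", true, nil, nil)
	vendorBS, _ := mkCert("ENB-SN-00123456", false, vendorRoot, vendorKey)
	operatorBS, _ := mkCert("ENB-SN-00123456", false, operatorRoot, operatorKey)
	vendorPool, operatorPool := x509.NewCertPool(), x509.NewCertPool()
	vendorPool.AddCert(vendorRoot)
	operatorPool.AddCert(operatorRoot)
	_, operatorNet, _ := net.ParseCIDR("10.20.0.0/16") // constructed operator range
	return &Policy{VendorRoots: vendorPool, OperatorRoots: operatorPool, OperatorNet: operatorNet}, vendorBS, operatorBS
}
```
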
PKI Authentication: A Mobile Operator's Core Competency?
There is little in the changes of the LTE security architecture that would make a
mobile operator want to radically alter its present-day operating model so far as
the right-hand side of Figure 3 is concerned. So, whether the operator runs its
network itself or outsources the operation of parts of the network to a vendor
partner, the operator will deploy and manage its SEG and eNodeBs in much the
same way as it manages its 3G network infrastructure.

The same is not so true of the left-hand side of Figure 3, however. Designing,
operating and maintaining a PKI solution with its own CA at the heart of it on the
scale that is liable to be required for LTE represents a new security model
compared with what most mobile operators are used to.

Moreover, there are a number of security specialists that are experienced in
offering cloud-based certification services as a managed service and are tailoring
their capabilities to the mobile operator sector to align with the emerging market
requirements for LTE.

It is for this reason that when mobile operators come to roll out LTE, they need to
look carefully at the case for leasing authentication as a service from a leading
cloud-based provider, as well as the case for building their own PKI infrastructure
from scratch.






Self-Build PKI Solutions for LTE
PKI infrastructure is a relatively mature technology and has been widely deployed
in enterprise and telco environments for many years. Some mobile operators may
even have some experience of using it on the IT side of the house, for example for
improving WLAN security with 802.1X, securing internal and external websites,
signing code and sensitive documents, and the like.

Until now, however, mobile operators have had no reason to deploy a PKI
infrastructure on the telco side of the house as a part of the security infrastructure
for the cellular network infrastructure itself.

There is no reason at all why a mobile operator can't build its own PKI
infrastructure. If it takes the view that, as a part of its security solution, PKI
should not be outsourced, or that the act of outsourcing is itself a security risk,
then, provided the operator invests enough capex and opex, there is nothing to
stop it going down the self-build route.

The following is a high-level perspective on the primary elements of a PKI solution
that are needed to support an LTE deployment and the design and management
capabilities that are needed to support it.

- The PKI equipment. This is pretty straightforward. The operator basically needs
  to invest in some standard server equipment and some PKI software together
  with some hardware security modules. There's certainly nothing unduly taxing
  about that capital outlay.
- The design of the PKI data center facility. This gets trickier. Obviously, this
  requires real estate in the operator's facilities. A PKI infrastructure that supports
  a service that is open to the general public, as a mobile operator does, also
  needs to house the equipment in highly secure data center facilities that
  should conform to strict security auditing standards. In Europe, for example,
  these auditing standards are laid down in ETSI TS 101456. To begin with, many
  mobile operators won't have the in-house expertise to design such a facility in
  a manner that would pass an annual audit. That would therefore typically
  require either hiring a full-time person or a short-term contractor, which
  introduces project risk once the individual's contract has expired. Walls and doors
  should meet certain high-specification security standards in terms of thickness
  and other quality and security criteria. And access control needs to be
  carefully designed. One example is so-called "man-trap" doors, which are similar to
  those sometimes installed in banks, so that only one person at a time can
  enter through each secure door, which closes immediately behind them.
- Operational headcount and processes. Depending on the level of sophistication
  the operator wants to deploy, a PKI data center is likely to require staffing
  by anywhere from three to eight full-time employees. PKI policies and
  operational processes need to be defined. Operational processes also need to be
  highly secure. This means, for example, that while it might be optimal from a
  cost point of view to have the same individual be charged with a variety of
  tasks in managing the PKI infrastructure, in fact security requirements should
  prohibit certain combinations of tasks being assigned to the same person lest
  that person then themselves become a security risk in their own right.
  Interoperability between the PKI infrastructure and each release of the RAN
  vendor's eNodeBs and the SEG also needs to be managed.






With enough investment in facilities, people, equipment and processes, a mobile
operator should certainly be capable of running its own PKI infrastructure to a high
standard. But getting PKI security right is decidedly non-trivial. There have, for
example, been instances of PKI CAs being shut down after security breaches
resulting in the CA issuing fraudulent certificates.

Base Station Authentication as a Service
Integrated incumbent telecom operators as well as pure-play mobile operators
have tended to reduce rather than increase headcount in recent years. They
have been and remain under pressure from a rebalancing of revenues from
voice to data and the increasing challenges of keeping up with the growth in
data traffic without materially exceeding sustainable levels of capex and opex.

Mobile operators continue to look to allocate limited human and capital
resources into areas that will maximize cost savings or new revenues. And as they do
so, every cost center is one that needs to be carefully evaluated according to
whether it can most successfully be performed in-house or outsourced to third
parties that can either offer concentrated expertise or scale or both in an area
that may be outside the operator's core competence.

There are several reasons for considering authentication of LTE network elements
as a potential candidate for outsourcing. To begin with, this is a model in which
the operator's user traffic continues to remain entirely within the mobile operator's
domain. So not only is it just control traffic that exits the mobile operator's network
to a managed service provider under this model; it is also a relatively small
proportion of the operator's control traffic.

The model is also based on mature PKI standards that are not only widely
deployed in telecom and IT markets worldwide but also adapted and embraced by
3GPP. Moreover, there are a number of managed service providers such as
Symantec that have track records in providing cloud-based authentication
services at scale based on these standards, albeit not yet for mobile operators
rolling out LTE.

Let's begin with the cost of the infrastructure itself. A managed service provider
selling authentication as a service should be able to leverage its facilities, its PKI
infrastructure and its specialized, skilled personnel a lot more cost-efficiently than
the operator can by building out its own dedicated facilities and hiring its own
dedicated people. This is particularly pertinent in the case of the marginal cost
associated with security processes requiring that certain tasks be distributed across
different personnel, rather than concentrated in one person.

With a managed services approach, the up-to-the-minute PKI expertise is also
permanently available to the mobile operator, whereas in a self-build model these
experts might only be brought in for the initial setup phase and perhaps brought
back in again intermittently, according to a model which risks being less seamless
as well as potentially more expensive.

Given that it is designed to support several different mobile operators, a managed
service provider should be able to support an ongoing program of interoperability
between its PKI infrastructure and different vendors' RAN and core infrastructure at
a significantly lower cost than an operator can support investing in this capability
by itself.







The SLAs for an LTE Authentication Model
For a mobile operator to have confidence in a managed service provider
delivering authentication as a service, the managed service provider needs to be
able to commit to an SLA that meets the mobile operator's requirements exactly.
This means being highly attuned to the unique requirements of the LTE network.

First and foremost, mobile operators don't want "support" of the conventional kind
written into an SLA for authentication as a service. They typically don't want to be
able to send a question to a support team and be guaranteed a response within
a specified number of hours. The mobile operator is typically not going to want to
receive a "trouble ticket." Rather, they are likely to want the managed service
provider itself to proactively monitor, manage and troubleshoot the PKI service.

The availability of the CA to the mobile operator needs to be nailed down in the
SLA. This needs to be done not just in terms of specifying no more than a given
amount of hours of non-availability per month. At a more granular level, the SLA
also needs to specify that no one incident of non-availability will last longer than a
specified number of minutes. And no proportion of total allowable down-time will
occur during specified hours of the day when the operator is most likely to need to
carry out changes to the RAN infrastructure.

Processing time also needs to be defined. For example, when the mobile operator
sends a certificate request to the CA as the operator looks to turn up a new
eNodeB to commercial service, the SLA needs to specify that it will receive a
response within a specified timeframe. The same processing times need to be
defined with respect to the maximum time allowed to pre-approve, revoke and
validate certificates depending on the specific operator's requirements. Another
area requiring definition is the volume of transactions: for example, the maximum
daily volume of certificates that the operator is entitled to, as well as the
frequency with which they can be requested consecutively.

Figure 4: Process Flow in a PKI Managed Service Model for LTE

Source: Symantec
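The SLA terms set out above (a monthly cap on non-availability, a cap on any single incident, no downtime inside the operator's daily RAN change window, and a bound on certificate-request processing time) evaluated over an outage log, as an added Go example that is not part of this paper or of any provider's SLA tooling. The SLA figures, the 02:00 to 05:00 UTC window, the dates and the latencies are all constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Outage is one period of CA non-availability.
type Outage struct{ Start, End time.Time }

// SLA holds the availability and processing terms an LTE authentication service commits to.
type SLA struct {
	MaxMonthlyDowntime  time.Duration // total non-availability allowed per month
	MaxIncidentDuration time.Duration // longest single incident allowed
	ProtectedStartHour  int           // daily RAN change window, UTC hour (inclusive)
	ProtectedEndHour    int           // end of that window, UTC hour (exclusive)
	MaxRequestLatency   time.Duration // CA must answer a certificate request within this
}

// protectedOverlap sums the part of an outage that falls inside the protected
// window on every UTC day the outage touches.
func (s SLA) protectedOverlap(o Outage) time.Duration {
	var total time.Duration
	for day := o.Start.UTC().Truncate(24 * time.Hour); day.Before(o.End); day = day.Add(24 * time.Hour) {
		from, to := o.Start, o.End
		if w := day.Add(time.Duration(s.ProtectedStartHour) * time.Hour); w.After(from) {
			from = w
		}
		if w := day.Add(time.Duration(s.ProtectedEndHour) * time.Hour); w.Before(to) {
			to = w
		}
		if to.After(from) {
			total += to.Sub(from)
		}
	}
	return total
}

// Evaluate reports every SLA term breached by a month's outage log and the
// measured certificate-request latencies; an empty result means compliance.
func (s SLA) Evaluate(outages []Outage, latencies []time.Duration) []string {
	var breaches []string
	var total time.Duration
	for _, o := range outages {
		d := o.End.Sub(o.Start)
		total += d
		if d > s.MaxIncidentDuration {
			breaches = append(breaches, fmt.Sprintf("incident at %s lasted %s, limit %s", o.Start.Format(time.RFC3339), d, s.MaxIncidentDuration))
		}
		if ov := s.protectedOverlap(o); ov > 0 {
			breaches = append(breaches, fmt.Sprintf("incident at %s overlapped the protected window by %s", o.Start.Format(time.RFC3339), ov))
		}
	}
	if total > s.MaxMonthlyDowntime {
		breaches = append(breaches, fmt.Sprintf("monthly downtime %s exceeds %s", total, s.MaxMonthlyDowntime))
	}
	for i, l := range latencies {
		if l > s.MaxRequestLatency {
			breaches = append(breaches, fmt.Sprintf("certificate request %d took %s, limit %s", i, l, s.MaxRequestLatency))
		}
	}
	return breaches
}

// SampleMonth evaluates a constructed outage log against constructed SLA terms.
func SampleMonth() []string {
	sla := SLA{MaxMonthlyDowntime: 60 * time.Minute, MaxIncidentDuration: 15 * time.Minute,
		ProtectedStartHour: 2, ProtectedEndHour: 5, MaxRequestLatency: 30 * time.Second}
	at := func(day, h, m int) time.Time { return time.Date(2012, time.March, day, h, m, 0, 0, time.UTC) }
	outages := []Outage{
		{at(3, 10, 0), at(3, 10, 10)},  // 10 min mid-morning: within every limit
		{at(10, 4, 50), at(10, 5, 10)}, // 20 min straddling the end of the change window
	}
	latencies := []time.Duration{5 * time.Second, 12 * time.Second, 45 * time.Second}
	return sla.Evaluate(outages, latencies)
}
```
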






Conclusion
With encryption and authentication terminating in the eNodeB, LTE presents new
security exposures for mobile operators. 3GPP has anticipated these and provides
for IPsec to defend against these new exposures.

Mobile operators increasingly recognize that while IPsec may only be an option in
3GPP, it will increasingly be required as LTE is rolled out. The question of whether
the authentication of each eNodeB should be done manually or automatically
leveraging mature PKI standards is more or less a no-brainer. Over time, the
manual shared secret model simply won't scale well.

The next question that operators will need to consider carefully is whether or not to
invest capex and opex in their own facilities and extra headcount to build up this
sophisticated authentication capability in-house.

In days gone by, self-build would have typically been the first instinct of the mobile
operator's management team. But we are now in an era when mobile network
operating margins will increasingly come under pressure, and when specialist and
managed service providers can also offer cloud-based services such as network
authentication at potentially significantly lower cost. In this era, mobile operators
need to think very carefully about whether a self-build model still aligns with their
security, revenue and margin goals or whether buying in base station
authentication as a service could start to look like a more compelling option.

About Symantec
Symantec is a global leader in providing security, storage and systems
management solutions to help our customers, from consumers and small businesses
to the largest global organizations, secure and manage their information and
identities independent of device. Symantec does this by bringing together leading
software and cloud solutions that work seamlessly across multiple platforms, giving
customers the freedom to use the devices of their choice and to access, store
and transmit information anytime, anywhere.

We ensure that sensitive data is protected through all phases of its use. This
information-centric approach makes data protection more intelligent, policy-
driven and easier to manage. By leveraging our already rich experience in
securing and managing information, Symantec has rounded out the portfolio by
acquiring new capabilities, building new solutions, and integrating encryption and
policy management capabilities to the authentication services.

Symantec has a strong focus on the communication service provider industry. With
its solutions it protects 9 out of the 10 largest telecom companies worldwide.
Symantec operates the largest and most comprehensive PKI solutions for
enterprises and service providers available on the market today, and has been doing
so since 1995. More than 200 million device certificates have been issued to date.
