Friday, May 28, 2010

Authentication procedure

The purpose of the EPS authentication and key agreement (AKA) procedure is to provide mutual authentication between the user and the network and to agree on a key KASME. The EPS AKA procedure is always initiated and controlled by the network. However, the UE can reject the EPS authentication challenge sent by the network.

A partial native EPS security context is established in the UE and the network when an EPS authentication is successfully performed. During a successful EPS authentication procedure, the CK and IK are computed by the USIM. CK and IK are then used by the ME as key material to compute a new key, KASME. KASME is stored in the EPS security context of the network and, while the UE is attached to the network, in the volatile memory of the ME; it is the root of the EPS integrity protection and ciphering key hierarchy.
  • Authentication initiation by the network
When a NAS signalling connection exists, the network can initiate an authentication procedure at any time. The network initiates the authentication procedure by sending an AUTHENTICATION REQUEST message to the UE.

The AUTHENTICATION REQUEST message contains the parameters necessary to calculate the authentication response.
  • Authentication response by the UE
The UE responds to an AUTHENTICATION REQUEST message. The UE processes the authentication challenge data and responds with an AUTHENTICATION RESPONSE message to the network. Upon a successful EPS authentication challenge, the UE determines the PLMN identity to be used for the calculation of the new KASME from the authentication challenge data.

Upon a successful EPS authentication challenge, the new KASME calculated from the authentication challenge data is stored in a new EPS security context in the volatile memory of the ME.

The USIM computes the authentication response (RES) using the authentication challenge data received from the ME, and passes RES to the ME.
  • Authentication completion by the network
Upon receipt of an AUTHENTICATION RESPONSE message, the network checks the correctness of RES. If the authentication procedure has been completed successfully and the related eKSI is stored in the EPS security context of the network, the network includes a different eKSI value in the AUTHENTICATION REQUEST message when it initiates a new authentication procedure.

Wednesday, May 26, 2010

LTE-Advanced Technology Introduction

Although the commercialization of LTE technology began in end 2009, the technology is still being enhanced in order to meet ITU-Advanced requirements. This application note summarizes these necessary improvements, which are known as LTE-Advanced.

Source: Rohde & Schwarz application note (PDF download)

Wednesday, May 5, 2010

EPS Authentication and Key Agreement Procedure

EPS AKA is the authentication and key agreement procedure that is used between the UE and the EPC core network. EPS AKA produces keying material forming a basis for user plane (UP), RRC, and NAS ciphering keys as well as RRC and NAS integrity protection keys.

The MME sends to the USIM via ME the random challenge RAND and an authentication token AUTN for network authentication from the selected authentication vector. It also includes a KSIASME for the ME which will be used to identify the KASME (and further keys derived from the KASME) that results from the EPS AKA procedure.

At receipt of this message, the USIM verifies the freshness of the authentication vector by checking whether AUTN can be accepted. If so, the USIM computes a response RES. The USIM also computes CK and IK, which are sent to the ME.

An ME accessing E-UTRAN checks during authentication that the "separation bit" in the AMF field of AUTN is set to 1. The "separation bit" is bit 0 of the AMF field of AUTN.

UE responds with User authentication response message including RES in case of successful AUTN verification and successful AMF verification as described above. In this case the ME computes KASME from CK, IK, and serving network's identity (SN id) using the KDF algorithm. SN id binding implicitly authenticates the serving network's identity when the derived keys from KASME are successfully used.

Otherwise the UE shall send a User authentication reject message with a CAUSE value indicating the reason for failure. In case of a synchronisation failure of AUTN, the UE also includes the AUTS that was provided by the USIM.

The MME checks that RES equals XRES. If so, the authentication is successful. If not, or in case of an authentication failure response by the UE, the MME may initiate further identity requests or authentications towards the UE.
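The ME- and MME-side checks described in the two posts above (AUTN field layout, the AMF separation bit, KASME derivation bound to the SN id, and the RES/XRES comparison) can be followed in code. The block below is an added example written for this page, not code from the posts or from any 3GPP implementation. The KASME derivation follows the KDF of 3GPP TS 33.401 Annex A.2 (HMAC-SHA-256 keyed with CK||IK over FC 0x10, SN id and SQN xor AK) and the PLMN identity encoding of TS 24.301; the CK, IK, AUTN and XRES values are constructed sample inputs, not real authentication vectors, and the Milenage functions that the USIM would run to produce RES, CK and IK are assumed to have already executed.

```python
"""EPS AKA helper steps on the ME and MME side (added example, not from the page).

Key derivation follows 3GPP TS 33.401 Annex A.2:
  KASME = HMAC-SHA-256(CK || IK, 0x10 || SN id || 0x0003 || (SQN xor AK) || 0x0006)
CK, IK, AUTN and XRES below are constructed sample values, not real vectors.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Autn:
    sqn_xor_ak: bytes  # 6 octets: SQN concealed with the anonymity key AK
    amf: bytes         # 2 octets: Authentication Management Field
    mac: bytes         # 8 octets: MAC-A computed by the home network


def parse_autn(autn: bytes) -> Autn:
    """Split the 16-octet AUTN into (SQN xor AK) || AMF || MAC (TS 33.102 layout)."""
    if len(autn) != 16:
        raise ValueError("AUTN must be 16 octets")
    return Autn(autn[0:6], autn[6:8], autn[8:16])


def separation_bit_set(amf: bytes) -> bool:
    """The 'separation bit' is bit 0 of AMF in 3GPP numbering, i.e. the most
    significant bit of the first octet. An ME on E-UTRAN requires it to be 1,
    which stops a UMTS-only authentication vector from being accepted as EPS."""
    return bool(amf[0] & 0x80)


def encode_plmn_id(mcc: str, mnc: str) -> bytes:
    """SN id (PLMN identity) as the 3-octet nibble-swapped BCD of TS 24.301.
    For a 2-digit MNC the unused MNC digit 3 nibble is filled with 0xF."""
    if len(mcc) != 3 or len(mnc) not in (2, 3):
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    mnc3 = mnc[2] if len(mnc) == 3 else "f"
    octets = [mcc[1] + mcc[0], mnc3 + mcc[2], mnc[1] + mnc[0]]
    return bytes.fromhex("".join(octets))


def derive_kasme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """KASME per TS 33.401 A.2: FC = 0x10, P0 = SN id (L0 = 3), P1 = SQN xor AK (L1 = 6).
    Mixing SN id into the key is what implicitly authenticates the serving network."""
    if len(ck) != 16 or len(ik) != 16 or len(sn_id) != 3 or len(sqn_xor_ak) != 6:
        raise ValueError("bad input lengths")
    s = bytes([0x10]) + sn_id + (3).to_bytes(2, "big") + sqn_xor_ak + (6).to_bytes(2, "big")
    return hmac.new(ck + ik, s, hashlib.sha256).digest()


def mme_check_res(res: bytes, xres: bytes) -> bool:
    """MME side: RES must equal XRES. A constant-time compare keeps the check
    itself from revealing how many leading octets matched."""
    return len(res) == len(xres) and hmac.compare_digest(res, xres)


def ue_process_challenge(autn: bytes, ck: bytes, ik: bytes, mcc: str, mnc: str) -> bytes:
    """ME side after the USIM has accepted AUTN and returned CK/IK: enforce the
    separation bit, then derive KASME bound to the serving network's PLMN id."""
    fields = parse_autn(autn)
    if not separation_bit_set(fields.amf):
        raise ValueError("AMF separation bit is 0: not an EPS authentication vector")
    return derive_kasme(ck, ik, encode_plmn_id(mcc, mnc), fields.sqn_xor_ak)


# ---- constructed sample values (not real test vectors) ----
CK = bytes.fromhex("00112233445566778899aabbccddeeff")
IK = bytes.fromhex("ffeeddccbbaa99887766554433221100")
# AUTN with AMF = 0x8000 (separation bit set): a valid EPS vector
AUTN_EPS = bytes.fromhex("a1b2c3d4e5f6" "8000" "0123456789abcdef")
# Same AUTN with AMF = 0x0000: a UMTS-style vector the ME must reject on E-UTRAN
AUTN_UMTS = bytes.fromhex("a1b2c3d4e5f6" "0000" "0123456789abcdef")
XRES = bytes.fromhex("1122334455667788")

if __name__ == "__main__":
    kasme_home = ue_process_challenge(AUTN_EPS, CK, IK, "234", "15")
    kasme_other = ue_process_challenge(AUTN_EPS, CK, IK, "262", "01")
    print("KASME for PLMN 234/15:", kasme_home.hex())
    print("KASME differs per serving network:", kasme_home != kasme_other)
    print("MME accepts RES == XRES:", mme_check_res(XRES, XRES))
    try:
        ue_process_challenge(AUTN_UMTS, CK, IK, "234", "15")
    except ValueError as err:
        print("ME rejects vector:", err)
```

Running the block shows that the same CK, IK and AUTN yield a different KASME for each serving-network identity, which is the SN id binding the post refers to, and that a vector whose AMF separation bit is 0 is rejected before any key is derived.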