5 Security context

3GPP TS 21.133: 3G security; security threats and requirements

The purpose of this clause is to describe the context in which the 3G security features are designed. This specification assumes the system assumptions, network architecture and functional roles given in UMTS 23.01 [11] and UMTS 30.01 [12], the service description given in UMTS 22.01 [9] and the UMTS Phase 1 description given in UMTS 22.00 [8].

In subclause 5.1 the system assumptions that describe 3G in general and especially those that have a significant bearing on security are listed.

In subclause 5.2 roles that have a significant bearing on security are defined.

In subclause 5.3 various architectural components that have an impact on the design of 3G security features are defined.

In subclause 5.4 various identities used in 3G that have an impact on the design of 3G security features are defined.

In subclause 5.5 data types and groups that are used to help identify security threats and requirements are defined.

5.1 System assumptions

In this subclause 3G system assumptions that have an impact on the design of 3G security features are listed. These assumptions are derived from UMTS 30.01 [12], UMTS 22.01 [9] and UMTS 22.00 [8].

5.1.1 Type of services and service management

a) 3G shall support the full range of services from narrow-band (most important: speech) to wide-band (2 Mbps as target) based upon an advanced highly efficient and flexible radio access scheme. [12]

b) 3G shall allow service creation. It shall allow the creation of innovative services and individualised service profiles and support the ability to download these services to users. [9] [12]

c) 3G shall support both interactive and distribution services. [9]

5.1.2 Access to services

a) 3G is a wireless mobile system. Mobility must include user and terminal mobility to permit roaming. 3G shall allow national and international roaming between networks subject to regulations and inter-operator agreements. These agreements may be set-up statically or dynamically. [12]

b) 3G shall accommodate a variety of terminals ranging from those which are small enough to be easily carried on the person to those which are mounted in a vehicle. [12]

5.1.3 Service provision

a) Home environment specific services based on the VHE concept shall be provided in 3G. [8] [10]

5.1.4 System architecture

a) The UTRAN (including both W-CDMA and TD-CDMA radio interfaces) is considered to be part of the 3G access network. Other types of access networks (e.g. fixed wireline access) are also to be considered. [8]

b) Standardised protocols for operation, administration and maintenance of 3G shall be defined in co-operation with ETSI TMN. [12] [8]

c) 3G base stations may need to be installed in an uncoordinated manner for private and business applications (to the extent that no frequency planning is necessary and co-existence of licensed and licence-exempt use is anticipated). [12]

5.1.5 Security management

a) 3G security shall be based on the use of a physically secure device, i.e. a UICC as defined in [14], that can be inserted into and removed from terminal equipment. This UICC shall contain one or more applications, at least one of which must be a USIM.

b) A USIM contained in a UICC shall be used to represent and identify a user and his association with a home environment in the provision of 3G services.

c) The USIM shall be developed on the basis of the phase 2+ GSM SIM. [8]

d) 3G terminal equipment shall support GSM phase 2 and phase 2+ SIMs as access modules to 3G networks. This will result in security being limited in extent and quality to GSM level. For this reason 3G operators shall be able to decide whether or not to accept GSM SIMs as access modules to 3G services. [8]

e) Simultaneous activation of multiple USIMs on one terminal equipment is not required in 3G phase 1. [8]

5.1.6 Interworking and compatibility

a) 3G shall admit the connection of users to other 3G users and shall support interworking with other networks (e.g., PSTN, N-ISDN, GSM, X.25 and IP networks). [8]

b) 3G is planned as a member of the IMT-2000 family. It is intended to support roaming with other members of the IMT-2000 family based on market need and business viability. The 3G access system has been specified as a candidate system to the ITU. 3G shall meet or exceed the essential ITU minimum requirements. [9]

c) 3G shall admit the provision of services in an environment of multiple serving networks and home environments, public or private, some of which will be in direct competition. [9]

d) 3G shall support secure Global Cross-standard Roaming. [12]

5.1.7 Charging and billing

a) 3G shall support the generation of standardised charging records. [8]

b) 3G shall support on-line billing. [8]

c) 3G shall support the billing of third party value-added services with the concept of one-stop-billing using standardised procedures. [8]

5.1.8 Supplementary services

a) The specification of supplementary services for 3G may not be within the scope of standardisation. [9]

b) Support for GSM supplementary services in 3G is for further study. [8]

5.2 3G roles

This subclause provides a description of the various parties or organisations involved in the use, provision, and regulation of 3G services and the relationships between them. The roles are defined from a security perspective to enable security threats to be identified and corresponding security requirements to be constructed in a systematic manner. These roles are derived in part from those defined in UMTS 33.20 [13].

It should be noted that these roles represent purely logical entities, and are not intended to reflect actual legal entities, commercial parties, human beings, or physical machines.

In many cases, some of the parties involved in the provision and use of 3G will be grouped into a single entity. For example a particular company may act as both a home environment and a serving network. Similarly, a person could be both a subscriber and a user.

5.2.1 User domain

Subscriber: a person or other entity which has an association with a home environment on behalf of one or more users. A subscriber is responsible for the payment of charges to that home environment (which may be before or after service delivery, i.e. pre-pay or subscription).

User: a person or other entity that has been authorised to use 3G services by a subscriber. His usage is delimited and described in the user’s service profile. A user may have limited access to his service profile, in order to read or modify certain service parameters.

Other Party: a telecommunications user who is either the calling party in a call to a 3G user, or the called party in a call from a 3G user. Such a party is not necessarily a 3G user. There may exist legal requirements on the protection of such other parties.

5.2.2 Infrastructure domain

Home Environment: the role that has overall responsibility for the provision of a service or set of services to users associated with a subscription because of the association with a subscriber.

Home environment responsibilities include the following:

– The provision, allocation and management of subscriber accounts, including the allocation and management of subscriber account identifiers, user identities, user numbers and subscription charges. It also includes all billing mechanisms required to bill subscribers for charges and to pay network operators for user charges.

– The provision and maintenance of service profiles for users, including the provision and control of access to service profiles by users.

– Negotiation with network operators for network capabilities needed to provide 3G services to its users, including off-line agreements to allow service provision, and on-line interaction to ensure that users are properly identified, located, authenticated and authorised to use services before those services are provided to them.

Serving Network: the role that provides radio resources, mobility management and fixed capabilities to switch, route and handle the services offered to the users. Serving network capabilities are provided on behalf of home environments, with which the serving network has an appropriate agreement, for the benefit of the users associated with those home environments. Serving network capabilities in this context include access network capabilities; a separate access network role is not defined.

Serving network responsibilities fall into four main areas:

– The provision and management of radio resources, including the provision and management of any encrypted bearers needed to ensure confidentiality of user traffic.

– The provision and management of fixed resources, bearer capabilities, connections and routing.

– The collection of charging and accounting data and the transfer of such data to home environments, and other network operators.

– The interaction with and provision of facilities for home environments to identify, authenticate, authorise and locate users.

Value Added Service Provider (VASP): a subscriber may also subscribe to services from a VASP that need not have any association with the subscriber’s Home Environment, although the VASP would use (parts of) the services of the subscriber’s Home Environment to offer the subscriber access to the VASP services. VASP is defined in UMTS 22.21 on Virtual Home Environment.

5.2.3 Non-3G infrastructure domain

Non-3G network operators: the role that provides telecommunication network resources other than 3G resources and may be involved in the provision of 3G services. The security provided by a 3G network should not depend on other non-3G networks, e.g., if security parameters are passed from one 3G network to another through an intermediate network, then the intermediate network should not be relied upon to maintain the integrity or confidentiality of those parameters.

NOTE: The GSM/3G interworking on terminal and/or SIM basis is not clear yet.
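The principle stated above for non-3G networks, that an intermediate network must not be relied upon for the integrity or confidentiality of security parameters relayed between two 3G networks, is illustrated by the following added example. It is not code from the specification: it assumes that the two 3G networks share a long-term key (a constructed placeholder here) and shows that an end-to-end message authentication code lets the receiving network detect modification by the intermediary, whatever that intermediary does. Parameter names such as `network_id` and `auth_param` are constructed for the example; confidentiality would additionally require end-to-end encryption, which is not shown.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder: a key shared only by the two 3G networks at the
# ends of the path. The intermediate network never holds it.
INTER_NETWORK_KEY = secrets.token_bytes(32)


def canonical(params: dict) -> bytes:
    """Deterministic encoding so sender and receiver tag the same bytes."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def protect(params: dict, key: bytes) -> dict:
    """Sending 3G network: attach an HMAC-SHA256 tag over the parameters."""
    body = canonical(params)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(message: dict, key: bytes) -> Optional[dict]:
    """Receiving 3G network: recompute the tag and accept only on a match.

    Returns the parameters if the tag verifies, None otherwise. The decision
    depends only on the shared key, never on the behaviour of the relay.
    """
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["body"])


def relay_honest(message: dict) -> dict:
    """An intermediate network that forwards the message unchanged."""
    return dict(message)


def relay_tampering(message: dict) -> dict:
    """An intermediate network that rewrites a relayed parameter.

    Modelled only to show that the receiver's check catches it; the
    modified field is a constructed example, not a real 3G parameter.
    """
    forwarded = dict(message)
    params = json.loads(forwarded["body"])
    params["auth_param"] = "modified-in-transit"
    forwarded["body"] = canonical(params).decode()
    return forwarded


def exchange(relay, params: dict, key: bytes = INTER_NETWORK_KEY) -> Optional[dict]:
    """Run one sender -> relay -> receiver exchange and return what is accepted."""
    return verify(relay(protect(params, key)), key)


# Constructed sample security parameters relayed between two 3G networks.
SAMPLE_PARAMS = {"network_id": "NET-A", "auth_param": "placeholder-value"}

if __name__ == "__main__":
    print("honest relay accepted:", exchange(relay_honest, SAMPLE_PARAMS))
    print("tampering relay accepted:", exchange(relay_tampering, SAMPLE_PARAMS))
```

The receiving network reaches the same verdict regardless of which relay sits between the endpoints; that is what makes the intermediary untrusted rather than trusted-by-assumption.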

5.2.4 Off-line parties

Regulators: the role of any body which is authorised to set laws or guidelines governing the provision or use of 3G services, or 3G terminal or networking equipment. Examples of regulators are national governments and their agencies, including law enforcement agencies, national security agencies, export control authorities, etc. The 3G security features and mechanisms must be such that they do not inhibit the legitimate activities of such organisations.

5.2.5 Intruders

Intruders: the role of a party who attempts to breach the confidentiality, integrity or availability of 3G, or who otherwise attempts to abuse 3G in order to compromise services or defraud users, home environments, serving networks or any other party. An intruder may, for example, attempt to eavesdrop on user traffic, signalling data and/or control data, or attempt to masquerade as a legitimate party in the use, provision or management of 3G services.

5.3 3G architecture

In this subclause various architectural components of the 3G system that have an impact on the design of 3G security features are listed.

User Services Identity Module (USIM): an application that represents and identifies a user and his association with a home environment in the provision of 3G services. The USIM contains functions and data needed to identify and authenticate users when 3G services are accessed. It may also contain a copy of the user’s service profile. It may also provide other security features. The USIM contains the user’s IMUI and any security parameters which need to be carried by the user. The USIM is always implemented in a removable IC card called the UICC.

5.4 3G identities

In this subclause various identities used in the 3G system that have an impact on the design of 3G security features are listed.

International Mobile User Identity: The IMUI uniquely identifies a user. The IMUI is stored in the USIM and in the home environment database, but need not be known to the user or subscriber.

5.5 3G data types and data groups

Different types of data will require different types and levels of protection. Therefore, to be able to derive security requirements we must first distinguish the various types of data that can arise in 3G. The following subclauses list a number of data types and data groups.

5.5.1 3G data types

User traffic

User traffic: This type comprises all data transmitted on the end-to-end traffic channel by users to other users. The data could be digital data, voice, or any other kind of data generated by the user.

Signalling data

Charging data: This type comprises data relating to charges incurred by users whilst using network resources and services. Such data would normally be generated by and passed among network operators.

Billing data: This type comprises data relating to charges incurred by subscribers for charges made by their users. Such data is generated by a home environment (using charging data obtained from network operators) and passed to subscribers.

Location data: This type comprises location data regarding a user (or terminal equipment). Such data is generated by a network operator and passed to the user’s home environment (it may or may not be retained by the network operator).

Addressing data: This type comprises data relating to addresses associated with end users (and possibly terminal equipment). Such data is generated by home environments and distributed to users. It is transferred from a user to a network operator to initiate a call, and then passed by the network operator to the associated user’s home environment.

Identity data: This type comprises data which determines the identity of an entity. The entities of interest are usually users. User identities are generated by the appropriate home environment, and are stored on the home environment’s database and on the USIM. User identities may accompany user-related data such as charging, billing, and location data when it is passed between entities.

Security management data: This type comprises data relating to security management. It includes data such as encryption keys and authentication messages, and may be generated by a third party or the involved entities themselves.

Control data

Routing data: This type comprises data passed through the network to enable correct routing of calls. Such data will be generated by home environments or network operators (using location and addressing data) and passed amongst network operators.

Network resource management data: This type comprises data relating to the physical access of a terminal to the network operator and to the physical interface between network operators. Such data is generated by network operators and passed amongst network operators and terminals.

Access control management data: This type comprises data relating to access control to terminal equipment, network resources and service profiles. Such data may include PINs generated by users, and databases of identities generated by home environments and network operators. It is generally stored by the generating entity.

Service profile data: This type comprises data regarding the service profiles of users. Such data is generated and passed between a user and the home environment.

Additional call control data: This type comprises all data needed to set up, maintain, or release a call, other than identity, addressing and routing data. Such data will be generated by users or network operators and passed between users and network operators, or between network operators.

5.5.2 3G data groups

User-related data

User-related data includes user traffic, charging data, billing data, location data, addressing data, identity data, security management data, access control management data and service profile data.