LTE ENodeB Security Networking and Data Configuration-20100331-A-1.0

The document discusses security networking schemes and data configuration for LTE eNodeB systems. It introduces the concept of security networking in 4G base stations to address vulnerabilities in IP networking. The document covers topics such as encryption algorithms, public key infrastructure, message digests, and digital signatures to implement security networking solutions and deploy base stations securely.


2010-01 Security Level: Internal Use

LTE eNodeB Security


Networking Scheme and Data
Configuration

www.huawei.com

HUAWEI TECHNOLOGIES Co., Ltd. HUAWEI Confidential


 With the spread of high-bandwidth data services, IP networking is
increasingly adopted in communication networks. Together with the flat,
simple management and high-bandwidth service performance of IP networking,
professional communication networks also inherit the threats that the
vulnerabilities of IP networking expose them to.
 The security networking scheme targets the inherent security defects of IP
networks. Huawei's fourth-generation (LTE) base station system is the first
to introduce the concept of security networking. Through its own research,
Huawei delivered this technical scheme in eRAN1.1.


 After studying this course, you will be able to describe
  The basic concepts of security networking
  The procedure for implementing the security networking solution
  The process of deploying a base station through security networking


 LTE eRAN1.1 Product Manual



Chapter 1 Basic Concepts in IP Security

Chapter 2 Introduction to Security Networking

Scheme



Security Overview
 Contents of information security
  Confidentiality
   Confidentiality protects information against theft and unauthorized access.
   It covers both the confidentiality of the content and the confidentiality of the amount of
information exchanged (traffic-flow confidentiality).
  Authentication
   Identify the accessing user or the source of a message, so that nobody can impersonate them.
  Integrity
   Ensure that the information is not modified in transit.
   Reject forged or replayed information.
  Non-repudiation
   Ensure that the creator or sender of a message cannot later deny having created or sent it.
  Access control
   Restrict or control access to the host system and its applications on the basis of identity
authentication.


Encryption Algorithm
 Objectives and Features
  Turning plain text into cipher text
  Recovering plain text from cipher text
  Ensuring that the cipher text is hard to crack without the key
 Classification of Encryption Algorithms
  Non-key encryption algorithm (secret algorithm, no key)
   Used before the invention of the computer
  Symmetric key algorithm
   Introduced after the invention of the computer
  Non-symmetric (public key) encryption algorithm
   Introduced by Whitfield Diffie and Martin Hellman in 1976
[Figure: Original text → encryption → Cipher text]


Encryption Algorithm – Non-Key Algorithm
 Non-Key Algorithm
  Feature: Only the algorithm is needed for encryption and decryption; there is no key.
  Prerequisite: The algorithm itself stays secret.
  Disadvantage: Once the algorithm is known it is useless, because there is no key to change.
This violates Kerckhoffs's principle, which requires a system to stay secure when everything
except the key is public.
 Example
  The tr tool in Linux implements a fixed letter substitution of this kind:
  tr abcdefg zgmqcde
  Here the substitution table is the whole secret, and a monoalphabetic substitution is broken
by frequency analysis even without knowing the table.
 Application
  Military use in ancient times
[Figure: Plain text → substitution → Cipher text]


Encryption Algorithm – Symmetric Key Algorithm
 Symmetric Key Algorithm
  Feature: The same key is used for encryption and decryption.
  Common algorithms: DES, 3DES (DES3), and RC4 (DES and RC4 are now considered broken; AES is
the current standard)
  Prerequisite: The key is kept secret. The strength of the key depends on its length and on how it
is generated; the algorithm itself is public.
  Disadvantage: Both parties need to know the key, so the key has to be distributed securely first.
 Example
  Encryption and decryption of documents
 Application
  Encryption and identity verification
  Encryption of large amounts of data


Encryption Algorithm – Non-Symmetric Encryption
Algorithm
 Public Key Algorithm
  Features
   The key used for encryption is different from the key used for decryption.
   The two keys work in both directions: what one key encrypts, the other decrypts.
  Common algorithms
   DH: used for key exchange
   RSA: used for key exchange (key transport) and digital signature
   DSA: used only for digital signature
   Elliptic Curve (EC) variants of the above
  Application Description
   Generally used for authentication and key establishment. Encryption and decryption require
two keys.
   Data encryption
    – The public key (carried in a digital certificate) encrypts the data
    – The private key decrypts the data
   Signature
    – The private key signs the data
    – The public key (carried in a digital certificate) verifies the signature
 Advantages
  The message sender does not need to share a secret key with the receiver in advance; only the
receiver's public key is needed, and that key can be published.
 Disadvantages
  Compared with a symmetric algorithm, a non-symmetric algorithm is slow. For applications that
require short response times or handle bulk data it is impractical on its own; in practice it is
used to establish a symmetric session key, which then encrypts the data.


Public Key Infrastructure (PKI)
 PKI
  A universal security infrastructure, built on the principles of non-symmetric encryption, that
provides security services
 PKI Security Services
  Identity authentication: Identify an entity.
  Data confidentiality: Assure an entity that the protected part of the data can be read only by
the intended receiver.
  Data integrity: Assure an entity that the data has not been modified, whether deliberately or by
accident.
  Non-repudiation: Hold entities to their actions. This is an additional service supported by PKI.
 PKI Composition
  Digital certificate/CRL repository: stores the digital certificates and Certificate Revocation
Lists (CRLs) issued by the CA system
  Registration Authority (RA): records the requestor's information and checks that the requestor
is entitled to the digital certificate
  Certification Authority (CA): issues and manages digital certificates


Message Digest
 Purpose
  To obtain a short, fixed-length value that is signed in place of the whole message, which makes
signing and verification efficient
  To turn a message of any length into a digest of a fixed length
 Features of Message Digest Algorithms
  Collision resistance. It is infeasible to find two different messages with the same digest, so
the digest identifies the message.
  Irrecoverability (one-wayness). The message digest cannot be used to recover the contents of
the original message.
 Implementation
  Generally a one-way hash function is used.
 Main Algorithms
  MD2, MD5, MDC2, and SHA (SHA-1). MD2, MD5 and SHA-1 are no longer collision resistant and
should not be used for new signatures; the SHA-2 family is used instead.
  DSS (the Digital Signature Standard) is a signature scheme that uses SHA digests, not a digest
algorithm itself.
 Mainly Used to Generate the Message Authentication Code (MAC)
  Such as HMAC-MD5 and HMAC-SHA1, where a secret key is mixed into the hash so that only a
holder of the key can produce or check the MAC
[Figure: Original message → hash algorithm → Message digest]


Digital Signature
 Purpose
  To detect any tampering with the transmitted data
  To identify the message sender
  Used for the source authentication, integrity, and non-repudiation security services
 Theoretical Basis
  Public key algorithm
 Auxiliary Tool
  Digest algorithm: to improve the efficiency of signing and signature verification (the digest
is signed, not the whole message)
 Principle of Digital Signature
  Sender: use the hash algorithm to obtain the digest MD of the message; encrypt MD with the
private key to obtain the signature DS; package the message and DS together for sending.
  Receiver: decompress the package into Message' and DS'; decrypt DS' with the sender's public
key to obtain MD'; compute MD'' as the hash of Message'; compare MD' and MD''. If they are
the same, verification succeeds: the message is unmodified and was signed by the holder of the
private key.
[Figure: Message → hash → MD → encrypt with private key → DS → package for sending →
decompress the package → DS' → decrypt with public key → MD'; Message' → hash → MD'';
compare the two MDs]


Certificate
 Introduction
  A digital certificate is also called a public key certificate.
  A digital certificate is a set of data used to identify the parties in network communication.
Its function is similar to a citizen identity card in real life: people use the digital certificate
to identify the peer party in a communication.
  A digital certificate is a digital file that carries the digital signature of the certification
authority. It contains information about the public key owner, the public key itself, the issuer,
the validity period, and certain extensions.
  The digital certificate is the most important application of PKI.
 Classification
  By storage medium
   USB key (hardware token), IC card (smart card), and floppy disk or other removable media
  By purpose
   Individual certificate, enterprise certificate, and server certificate
  By format
   Single certificate: digital signature and encryption use the same certificate.
   Dual certificate: the storage medium holds two certificates, a signature certificate and an
encryption certificate. The two must not be mixed up, and communication software that
supports dual certificates must be used.


Certificate Contents
 X.509 Standard (v3)
  Subject information: the identity information of the certified entity and its public key
  Certificate issuer information: the identity information of the certificate issuer and its
signature
  Certificate validity period: start time and end time of validity of the certificate
  Administrative information: the version, the signature algorithm identifier, and the serial
number of the certificate
  Extensions: the basic constraints, key usage, and related flags
 Fields Contained in the Identity Information (Distinguished Name)

  Field                  Abbreviation  Description                                    Example
  Common Name            CN            Name of the entity                             CN=IMAPM
  Organization/Company   O             Organization or company name                   O=Huawei Technologies Co.,Ltd.
  Organizational Unit    OU            Unit within the organization or company        OU=Central Platform Development
  City/Locality          L             City                                           L=Shenzhen
  State/Province         ST            Province, or municipality directly governed    ST=Guangdong
                                       by the central government
  Country                C             Country code (ISO 3166 code)                   C=CN


Requesting and Issuing a Certificate
 Certificate Application and Issuance Process
  The user generates a key pair. The user keeps the private key; the public key goes into the
certificate request.
  The user submits a Certificate Signing Request (CSR), containing the public key and the
requestor's identity information, to the RA.
  The RA checks the requestor's identity and entitlement.
  The CA issues the digital certificate from the information and public key provided by the user,
thereby binding the key to the user.
  The digital certificate is delivered to the user.
 Legend
[Figure: Prepare documents (requestor identity information) → Generate CSR → CSR → Audit
and authorization → certificate issued]


Certificate – CA
 CA
  The CA is the authority responsible for issuing and managing digital certificates.
  Strictly speaking, the CA must be a trusted third party.
  The CA is the core authentication organization of PKI.
 Functions of the CA
  Application, approval, and issuance of certificates
  Update (renewal) of certificates
  Query of certificates
  Revocation of certificates
  Archiving of certificates
  Management of the CA itself
 Certificate/CRL Repository
  Stores the digital certificates and CRLs issued by the CA system
  Exists in the form of an FTP, Web, or LDAP server (at present only an FTP server is supported)
 CA Root Certificate
  The CA owns a key pair, which is the core secret of the CA. The CA signs the public key
certificates of users with its own private key.
  The root certificate is the CA's own public key certificate. For a root CA it is self-signed;
a subordinate CA's certificate is issued by the upper-level CA. A relying party must hold the
root certificate as its trust anchor.
  A certificate trust chain is thus formed: CA root certificate → (subordinate CA certificates) →
public key certificate of the user → user
[Figure: certificate tree with CA Root at the top, subordinate CAs CA_1 and CA_2, and user
certificates P_C1 to P_C4]
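As an added example (not part of the slides and not Huawei code), the following Python script walks through the MD / DS steps of the Digital Signature slide and then through the trust chain and CRL check described here. The names (Root CA, Device CA, eNodeB-0001), the serial numbers and the year-granularity validity periods are hypothetical; textbook RSA on fixed Mersenne primes, without padding or random key generation, stands in for a real X.509/DER implementation so that the arithmetic stays visible.

```python
"""Added example (not from the slides and not Huawei code): the MD / DS flow
of the Digital Signature slide and the CA -> user certificate trust chain,
including a CRL check.  Textbook RSA on fixed Mersenne primes, with no
padding and no random key generation, keeps the arithmetic visible; real
eNodeB certificates are X.509/DER with padded RSA or ECDSA signatures."""
import hashlib

E = 65537  # public exponent

def rsa_keygen(p, q, e=E):
    """Return ((n, e), (n, d)).  p and q are assumed prime (toy only)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python >= 3.8
    return (n, e), (n, d)

def message_digest(msg: bytes) -> int:
    """MD = SHA-1(message), as a 160-bit integer."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def sign(priv, msg: bytes) -> int:
    """DS = MD 'encrypted' with the signer's private key."""
    n, d = priv
    return pow(message_digest(msg), d, n)

def verify(pub, msg: bytes, ds: int) -> bool:
    """MD' = DS 'decrypted' with the public key; MD'' = hash of the received
    message.  Valid only if MD' == MD''."""
    n, e = pub
    return pow(ds, e, n) == message_digest(msg)

# A minimal certificate: the X.509 fields the slides list, held in a dict.
TBS_FIELDS = ("serial", "subject", "issuer", "not_before", "not_after", "pub")

def tbs_bytes(cert) -> bytes:
    """Canonical 'to-be-signed' encoding (stand-in for DER TBSCertificate)."""
    return "|".join(f"{k}={cert[k]}" for k in TBS_FIELDS).encode()

def issue(issuer, issuer_priv, subject, subject_pub, serial, not_before, not_after):
    """The CA binds subject and public key by signing the TBS part."""
    cert = {"serial": serial, "subject": subject, "issuer": issuer,
            "not_before": not_before, "not_after": not_after, "pub": subject_pub}
    cert["sig"] = sign(issuer_priv, tbs_bytes(cert))
    return cert

def verify_chain(chain, trust_anchors, crl, now):
    """chain[0] is the end-entity (eNodeB) certificate, chain[i] is issued by
    chain[i+1], and chain[-1] must be issued by a trust anchor (root CA).
    crl is the set of (issuer, serial) pairs listed in the CRL."""
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"{cert['subject']}: revoked"
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False, f"{cert['subject']}: issuer/subject mismatch"
            issuer_pub = chain[i + 1]["pub"]
        else:
            issuer_pub = trust_anchors.get(cert["issuer"])
            if issuer_pub is None:
                return False, f"{cert['issuer']}: not a trust anchor"
        if not verify(issuer_pub, tbs_bytes(cert), cert["sig"]):
            return False, f"{cert['subject']}: bad signature"
    return True, "chain verified"

# Constructed demo PKI (hypothetical names): root CA -> device CA -> eNodeB.
# Mersenne primes keep every n > 2**160 so the SHA-1 digest fits under n.
ROOT_PUB, ROOT_PRIV = rsa_keygen(2**1279 - 1, 2**61 - 1)
CA_PUB, CA_PRIV = rsa_keygen(2**607 - 1, 2**89 - 1)
ENB_PUB, ENB_PRIV = rsa_keygen(2**127 - 1, 2**107 - 1)
TRUST = {"CN=Root CA": ROOT_PUB}  # preset on the relying party, like the root CA file on a SeGW
CA_CERT = issue("CN=Root CA", ROOT_PRIV, "CN=Device CA", CA_PUB, 2, 2010, 2020)
ENB_CERT = issue("CN=Device CA", CA_PRIV, "CN=eNodeB-0001", ENB_PUB, 3, 2010, 2015)
# Forgery attempt: same subject and key, but signed with the eNodeB's own key.
FORGED = issue("CN=Device CA", ENB_PRIV, "CN=eNodeB-0001", ENB_PUB, 3, 2010, 2015)

def demo():
    """Outcome of each check, returned so it can be asserted on."""
    chain = [ENB_CERT, CA_CERT]
    return {
        "valid": verify_chain(chain, TRUST, set(), now=2012)[0],
        "revoked": verify_chain(chain, TRUST, {("CN=Device CA", 3)}, now=2012)[0],
        "expired": verify_chain(chain, TRUST, set(), now=2016)[0],
        "forged": verify_chain([FORGED, CA_CERT], TRUST, set(), now=2012)[0],
        "untrusted_root": verify_chain(chain, {}, set(), now=2012)[0],
    }

if __name__ == "__main__":
    print(demo())
```

The order of checks in verify_chain is the one a SeGW or eNodeB applies to a peer certificate: validity period, CRL lookup, issuer linkage, then the signature, and only a chain that ends at a preset trust anchor is accepted. A certificate that is well formed and unexpired but signed by the wrong key ("forged") or whose CA certificate appears in the CRL ("revoked") is rejected all the same.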




Chapter 2 Introduction to Security Networking

Scheme

Section 1 Theoretical Architecture of Security

Networking

Section 2 Introduction to Site Deployment in

Security Networking



Security Network Model
 Application Layer Protocol: PGP
  Pretty Good Privacy (PGP) is a free confidential email program designed by Philip Zimmermann.
 Transport Layer Security Protocol: SSL
  Secure Sockets Layer (SSL) is a security protocol proposed by Netscape. The version has evolved
to SSL v3; the standardized successor is Transport Layer Security (TLS).
 Network Layer Security Protocol: IPSec
  IP Security (IPSec) is formulated by the IP security protocol working group of the IETF, which
covers IP security protocols and key management mechanisms. Over years of effort this working
group has produced a series of protocols that together form a security system, collectively called
the IP Security Protocol.
[Figure: ISO network protocol model with the security protocol at each layer. Application layer:
WWW, FTP, TELNET (PGP); Transport layer: TCP, UDP (SSL); Network layer: IP (IPSec); Link layer:
link layer protocol; Physical layer: physical layer protocol]


IPSec Architecture
 IPSec Security Policy
  Different types of data have different security requirements. IPSec provides a group of
customizable security policies to meet them. At least one IPSec security policy must be
configured for IPSec to work.
 Components of the IPSec Security Policy
  Internet Key Exchange (IKE)
   Authenticates both communicating parties so that an IPSec security channel can be established
   Generates the shared keys used by the security services that IPSec provides (encryption and
integrity protection)
   In this scheme, identity authentication in IKE is implemented with digital certificates
  IPSec Security Proposal
   Describes how the data is protected (protocol, mode, and algorithms).
  Access control list (ACL)
   Determines which data is protected, through ACL rules.


IKE
 Components of the IKE Security Proposal
  IKE encryption algorithm and verification (integrity) algorithm
   The encryption and verification algorithms used by IKE do not allow a NULL algorithm.
   They are configured through EncrAlg and AuthAlg respectively.
  Authentication method
   The method for verifying the identity of the peer during the IKE exchange: authentication by
pre-shared key or by digital certificate.
  DH group identity
   IKE computes a shared key from an exchange of a series of values; no key is ever transmitted.
Even if a third party intercepts all of the exchanged data, it cannot compute the real key. The
core technique is the Diffie-Hellman (DH) algorithm.
   The DH group is configured through DHGroup. The two peers must select the same DH group
during negotiation, that is, the length of the key material must be the same; otherwise the
negotiation is bound to fail.
  Lifetime of the IKE security association
   Also known as the ISAKMP SA: the set of parameters agreed for the IKE negotiation. The IKE
security association has a lifetime, after which it must be renegotiated.
 IKE Version
  IKEv1 and IKEv2
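The DH group and authentication items above, written out as both peers' computations, as an added example that is not part of the slides and not Huawei's IKE implementation. The two group entries are toy (p, g) pairs chosen so the run is instant; a real IKE peer uses the MODP groups of RFC 2409 and RFC 3526. The pre-shared-key part follows the IKEv1 SKEYID derivation, with the authentication hash simplified to the values this script has.

```python
"""Added example (not from the slides and not Huawei code): the computations
behind IKE's DHGroup parameter and pre-shared-key authentication, written out
for both peers.  The two 'groups' are toy (p, g) pairs so the run is instant;
a real IKE peer must use the MODP groups of RFC 2409 / RFC 3526."""
import hashlib
import hmac
import secrets

# Hypothetical DH group table: group id -> (prime modulus p, generator g).
GROUPS = {1: (2**127 - 1, 5), 2: (2**521 - 1, 5)}

def dh_keypair(group_id):
    """Private exponent x and public value g^x mod p for one peer."""
    p, g = GROUPS[group_id]
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)

def dh_shared(group_id, own_x, peer_pub):
    """g^(xy) mod p.  Values outside (1, p-1) are rejected: an attacker who
    substitutes 0, 1 or p-1 would force the shared secret to a known value."""
    p, _ = GROUPS[group_id]
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, own_x, p)

def skeyid_psk(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """IKEv1 pre-shared-key mode: SKEYID = prf(PSK, Ni | Nr) (RFC 2409, 5.4)."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha1).digest()

def auth_hash(skeyid: bytes, pub_own: int, pub_peer: int, shared: int) -> bytes:
    """Simplified HASH_I / HASH_R: proves knowledge of the PSK bound to this
    exact exchange (real IKE also covers cookies, the SA payload and IDs)."""
    data = b"".join(v.to_bytes(96, "big") for v in (pub_own, pub_peer, shared))
    return hmac.new(skeyid, data, hashlib.sha1).digest()

def negotiate(group_i, group_r, psk_i, psk_r):
    """Run initiator (i) and responder (r).  Returns (status, key_i, key_r)."""
    if group_i != group_r:                    # DHGroup mismatch: no proposal is chosen
        return "no proposal chosen", None, None
    x_i, pub_i = dh_keypair(group_i)          # only pub_i and pub_r cross the wire
    x_r, pub_r = dh_keypair(group_r)
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    k_i = dh_shared(group_i, x_i, pub_r)      # initiator: (g^xr)^xi
    k_r = dh_shared(group_r, x_r, pub_i)      # responder: (g^xi)^xr
    # Responder authenticates with its PSK; initiator checks with its own copy.
    hash_r = auth_hash(skeyid_psk(psk_r, n_i, n_r), pub_r, pub_i, k_r)
    expected = auth_hash(skeyid_psk(psk_i, n_i, n_r), pub_r, pub_i, k_i)
    if not hmac.compare_digest(hash_r, expected):
        return "authentication failed", None, None
    return "established", k_i, k_r

def demo(group_i=2, group_r=2, psk_i=b"constructed-psk", psk_r=b"constructed-psk"):
    """(status, whether both sides ended up with the same key)."""
    status, k_i, k_r = negotiate(group_i, group_r, psk_i, psk_r)
    return status, (k_i is not None and k_i == k_r)

if __name__ == "__main__":
    print(demo(), demo(1, 2), demo(psk_r=b"wrong"))
```

Three outcomes are worth noting: with the same DHGroup and the same PSK both sides derive an identical key although only g^x and g^y were exchanged; a DHGroup mismatch is rejected before any key material is computed, which is the "negotiation fails" case on the slide; and a wrong PSK yields a perfectly good DH key that is nevertheless discarded, because IKE authenticates the exchange and not just the peer's address.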


IPSec
 IPSec Uses the AH and ESP Protocols to Protect IP Packets
  Authentication Header (AH) provides integrity and data-origin authentication: it ensures that
an IP packet is not modified during transmission. If the packet contents are modified in transit,
the receiving end detects the change. AH does not encrypt.
  Encapsulating Security Payload (ESP) provides confidentiality: the IP packet is encrypted before
transmission, so even if a third party captures the packet it cannot read it. ESP can also carry
its own integrity check value (see ESPAuthAlg on the next slide).
 Two IPSec Modes
  Transport Mode
   AH or ESP is applied directly to the IP packet; the original IP header is kept.
  Tunnel Mode
   AH or ESP is applied to the whole IP packet, and a new IP header is added. The destination
address of this new header is a tunnel endpoint (generally a gateway in front of the internal
network). When the packet reaches the tunnel endpoint, the outer IP header is removed and
the packet is forwarded to its original destination.


IPSec
 Security Protocol Data Encapsulation Format
[Figure: AH and ESP encapsulation formats in transport and tunnel mode]
 Current Implementation
  The eNodeB supports the following verification algorithms:
   NULL: no integrity check is performed on IP packets.
   MD5: takes a message of any length and generates a 128-bit message digest.
   SHA-1: takes a message shorter than 2^64 bits and generates a 160-bit message digest.
   In IPSec these are used as keyed HMACs whose output is truncated to 96 bits (HMAC-MD5-96
and HMAC-SHA-1-96).
  Comparison and configuration of the three verification algorithms
   SHA-1 has the highest security level and NULL the lowest. With NULL, an attacker can alter
packets in transit without detection, including ESP-encrypted ones; it should not be used on a
live interface.
   The AH algorithm is configured through AHAuthAlg and the ESP algorithm through
ESPAuthAlg. The verification algorithms at both ends must be the same.
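What the choice of ESPAuthAlg buys, as an added example that is not part of the slides and not Huawei code. The integrity check value is the real IPSec construction, HMAC-MD5-96 or HMAC-SHA-1-96 (RFC 2403 and RFC 2404: the HMAC output truncated to 96 bits). The cipher is a toy SHA-1 counter keystream standing in for ESP's real cipher, and the keys and payload are constructed; the bit-flipping it allows is the same property that makes NULL integrity dangerous with any stream or counter-mode cipher.

```python
"""Added example (not from the slides and not Huawei code): what the NULL /
MD5 / SHA1 choice in ESPAuthAlg buys.  The ICV is the real IPsec construction
(HMAC-MD5-96 / HMAC-SHA-1-96, RFC 2403 / RFC 2404).  The cipher is a toy XOR
keystream standing in for ESP's real cipher; its malleability is exactly why
integrity protection must not be NULL."""
import hashlib
import hmac

HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
ICV_LEN = 12  # 96 bits

def icv(auth_alg, auth_key, data):
    """Integrity check value appended to the ESP packet."""
    if auth_alg == "NULL":
        return b""
    return hmac.new(auth_key, data, HASHES[auth_alg]).digest()[:ICV_LEN]

def keystream(enc_key, length):
    """Toy stream cipher: SHA-1 in counter mode.  Stand-in, not a real ESP cipher."""
    out = b""
    for ctr in range(0, length, 20):
        out += hashlib.sha1(enc_key + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_protect(payload, enc_key, auth_alg, auth_key):
    """ESP sender: encrypt, then MAC over the ciphertext."""
    ct = xor(payload, keystream(enc_key, len(payload)))
    return ct + icv(auth_alg, auth_key, ct)

class IntegrityError(Exception):
    pass

def esp_unprotect(packet, enc_key, auth_alg, auth_key):
    """ESP receiver: check the ICV first, decrypt only if it matches."""
    n = 0 if auth_alg == "NULL" else ICV_LEN
    ct, tag = (packet[:-n], packet[-n:]) if n else (packet, b"")
    if not hmac.compare_digest(tag, icv(auth_alg, auth_key, ct)):
        raise IntegrityError("ICV mismatch: packet modified in transit")
    return xor(ct, keystream(enc_key, len(ct)))

def flip_in_transit(packet, offset, old, new):
    """Attacker who knows the plaintext byte at `offset` rewrites it without
    any key: ct' = ct XOR old XOR new, so the receiver decrypts `new`."""
    body = bytearray(packet)
    body[offset] ^= old ^ new
    return bytes(body)

def demo(auth_alg):
    """Plaintext the receiver accepts after the attack, or 'REJECTED'."""
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    payload = b"OMIP=10.0.0.1"  # constructed OM message
    packet = esp_protect(payload, enc_key, auth_alg, auth_key)
    forged = flip_in_transit(packet, len(payload) - 1, ord("1"), ord("9"))
    try:
        return esp_unprotect(forged, enc_key, auth_alg, auth_key).decode()
    except IntegrityError:
        return "REJECTED"

if __name__ == "__main__":
    for alg in ("NULL", "MD5", "SHA1"):
        print(alg, demo(alg))
```

With NULL the receiver decrypts and accepts "OMIP=10.0.0.9" although the attacker never held a key; with MD5 or SHA1 the same packet fails the ICV check and is dropped before decryption. This is the practical content of "NULL has the lowest security level" on the slide, and it is also why the receiver verifies the ICV before decrypting rather than after.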


ACL
 ACL
  Determines which IP packets need to be protected. Packets are filtered according to the ACL
rules, and the matching ones are protected. One ACL rule describes one category of IP packets to
be protected.
 ACL Rule Fields
  ACL operation (deny or permit): Action
  Protocol type: ProtocolType
  Source IP address: SrcIP
  Source address wildcard: SrcWildcard
  Destination IP address: DstIP
  Destination address wildcard: DstWildcard
  Data packet priority: MatchDSCP
 Current Implementation
  Fuzzy (wildcard) match: a 1 bit in the wildcard means that bit of the address is not compared
  Supported match key: hextuple (Protocol, SIP, DIP, SPort, DPort, DSCP)
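How the rule fields above select traffic for IPSec, as an added example that is not part of the slides and not Huawei's ACL engine. The rule set, the addresses and the packets are constructed; the convention that a permit rule means "protect with IPSec" and a deny rule (or no match) means "send in the clear" is the usual crypto-ACL convention and is assumed here, as are the SrcPort/DstPort field names, which the slide lists only as SPort and DPort in the hextuple.

```python
"""Added example (not from the slides and not Huawei code): how the ACL fields
select traffic for IPsec.  Wildcard semantics as in SrcWildcard/DstWildcard:
a 1 bit in the wildcard means 'do not care', so 0.0.0.255 matches a /24 and
0.0.0.0 matches one host (the inverse of a netmask).  Rules are evaluated in
order and the first match wins.  Assumed convention: permit -> protect with
IPsec, deny or no match -> sent in the clear."""
import ipaddress

def wildcard_match(addr, rule_ip, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (r | w)

def field_match(value, wanted):
    """None in the rule means the field is not constrained."""
    return wanted is None or value == wanted

def match_rule(rule, pkt):
    """pkt carries the hextuple (Protocol, SIP, DIP, SPort, DPort, DSCP)."""
    return (field_match(pkt["proto"], rule.get("ProtocolType"))
            and wildcard_match(pkt["sip"], rule["SrcIP"], rule["SrcWildcard"])
            and wildcard_match(pkt["dip"], rule["DstIP"], rule["DstWildcard"])
            and field_match(pkt["sport"], rule.get("SrcPort"))
            and field_match(pkt["dport"], rule.get("DstPort"))
            and field_match(pkt["dscp"], rule.get("MatchDSCP")))

def classify(acl, pkt):
    """First matching rule decides; no match means the packet is not protected."""
    for rule in acl:
        if match_rule(rule, pkt):
            return "protect" if rule["Action"] == "permit" else "bypass"
    return "bypass"

# Constructed rule set for an eNodeB on 10.10.1.0/24 (hypothetical addresses).
ACL = [
    # DHCP must stay in the clear: it runs before any IPsec tunnel exists.
    {"Action": "deny", "ProtocolType": 17, "SrcIP": "0.0.0.0", "SrcWildcard": "255.255.255.255",
     "DstIP": "0.0.0.0", "DstWildcard": "255.255.255.255", "DstPort": 67},
    # S1-MME: SCTP from the eNodeB subnet to the MME pool 10.20.0.0/16.
    {"Action": "permit", "ProtocolType": 132, "SrcIP": "10.10.1.0", "SrcWildcard": "0.0.0.255",
     "DstIP": "10.20.0.0", "DstWildcard": "0.0.255.255"},
    # OM link: any protocol from the eNodeB subnet to the single M2000 host.
    {"Action": "permit", "SrcIP": "10.10.1.0", "SrcWildcard": "0.0.0.255",
     "DstIP": "10.30.0.5", "DstWildcard": "0.0.0.0"},
]

# Constructed packets as hextuples.
PACKETS = [
    {"proto": 132, "sip": "10.10.1.7", "dip": "10.20.3.1", "sport": 36412, "dport": 36412, "dscp": 46},
    {"proto": 17, "sip": "0.0.0.0", "dip": "255.255.255.255", "sport": 68, "dport": 67, "dscp": 0},
    {"proto": 6, "sip": "10.10.1.7", "dip": "10.30.0.5", "sport": 51000, "dport": 443, "dscp": 0},
    {"proto": 1, "sip": "10.10.2.7", "dip": "10.20.3.1", "sport": 0, "dport": 0, "dscp": 0},
]

def classify_all(acl=ACL, packets=PACKETS):
    return [classify(acl, p) for p in packets]

if __name__ == "__main__":
    for pkt, action in zip(PACKETS, classify_all()):
        print(action, pkt)
```

The fourth packet comes from 10.10.2.7, outside the 10.10.1.0 wildcard 0.0.0.255 range, so it is not protected; a rule written with a netmask in the wildcard field (255.255.255.0 instead of 0.0.0.255) would compare only the last octet and match 10.99.99.0 as readily as 10.10.1.0. Because the first matching rule wins, the DHCP bypass has to come before the permit rules, otherwise the bootstrap traffic of the deployment procedure would be pulled into a tunnel that does not exist yet.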




Non-Security IP Networking Scenario
 Introduction to Self-Discovery Site Deployment in Non-Security Scenarios
  The eNodeB and the M2000 are located in the same security zone as the core network.
  The process of self-discovery site deployment in non-security scenarios is as follows:
   After power-on, the eNodeB sends a DHCP request. The DHCP server returns the parameters
needed to establish an OM link, selected according to the ESN (or the longitude and latitude
information/unique ID) carried in the request: the OMIP and the interface IP.
   The M2000 establishes the OM link with the eNodeB to download software and configuration.
The DHCP server is deployed on the M2000.
[Figure: eNodeB ↔ Core Network ↔ M2000 (DHCP server); the eNodeB obtains parameters such as
the OMIP and interface IP]


Security IP Networking Scenario
 Introduction to Self-Discovery Site Deployment in Security Scenarios
  The access network and the core network are located in different security zones. To reach the
core network, the eNodeB must establish a security channel and pass the authentication of the
security gateway (SeGW).
  After the security channel is established, the M2000 deploys the site through self-discovery.
[Figure: Access network: eNB, public DHCP server, DNS, SeGW. Core network: M2000/DHCP
server, S-GW, MME, inner DNS]


Introduction to Digital Certificate Scheme
 Certificate Application and Management Scheme
  Two PKIs are involved: the Huawei (HW) production PKI and the PKI of the existing operator
(TMO) network. Each has a root CA, a device CA, a certificate library, and a CRL library.
  The HW root CA and the TMO root CA issue cross certificates to each other, so that a certificate
from one PKI can be validated in the other.
  The HW device CA issues the eNodeB device certificate when the eNodeB is produced; the
eNodeB is then delivered to the site for deployment with this certificate preset.
  The TMO device CA issues the SeGW device certificate.
  Before deployment: the certificate issued by the Huawei CA is preset on the eNodeB at delivery,
and the SeGW of the existing network must be configured with Huawei's root CA certificate and
CRL (red dotted line in the figure).
  During deployment: the eNodeB obtains the operator's root CA certificate and CRL (blue dotted
line in the figure).
  After deployment: the preset certificate is replaced by a certificate issued by the operator's CA
(dark green solid line in the figure).
[Figure: HW production PKI (HW root CA, HW device CA, certificate library, CRL library) and
existing TMO network PKI (TMO root CA, TMO device CA, certificate library, CRL library), with
cross certificates between the root CAs, the eNodeB device certificate, and the SeGW device
certificate]


Introduction to Digital Certificate Scheme
 Certificate Change
  The operation and maintenance personnel send a command to the eNodeB through the M2000,
instructing it to generate a certificate request file.
  On receiving the command, the eNodeB generates a key pair (if required) and the certificate
request file; the private key stays on the eNodeB.
  The maintenance personnel download the certificate request file to the local computer.
  The maintenance personnel submit the certificate request file to the CA administrator for
certificate registration.
  The CA administrator reviews the request, submits it to the CA system for issuance, and
publishes the issued certificate to the certificate library.
  The maintenance personnel download the certificate to the local computer.
  The maintenance personnel configure the new certificate on the eNodeB through the M2000.


Self-Discovery Site Deployment Process in Security
Networking
 Process description
  1. The eNB obtains DHCP parameters from the public DHCP server in the access network: the
standard DHCP parameters (external network IP, external network mask, next-hop IP, and DNS
IP), the IP address of the DHCP server of the M2000, and the public SeGW address.
  2. The domain name of the security gateway is resolved into an IP address through DNS.
  3. The eNB establishes an IPsec tunnel to the public SeGW. The public SeGW is needed when
the public DHCP server cannot hand out the serving SeGW associated with this eNodeB.
  4. Through the tunnel, the eNB obtains the internal network parameters from the M2000
DHCP server: OMIP and mask, interface IP and mask (not required in security networking),
VLAN ID (required only for VLAN networking), and the address of the serving SeGW. This is
an interaction between internal modules of the M2000; the user must have bound the ESN to
the eNodeB and its configuration file beforehand.
  5. The eNB establishes an IPsec tunnel to the serving SeGW.
  6. The M2000 establishes the OM link, and the eNB downloads the software and configuration
file. The OSS instructs the eNodeB to download the BootROM, software, configuration, patch,
and license (providing the workflow and the list of files to download).
[Figure: access network (eNB, public DHCP server, DNS, public SeGW, serving SeGW) and core
network (M2000 with DHCP server), with steps 1 to 6 as above]


Security Information for Deploying a Site in Security
Scenarios
 Methods for Obtaining General Security Information
  General USB
  External DHCP server
 Universal Security Information

  Security Information Source    Information Item          Purpose
  Public SeGW information        IP address/domain name    To establish the connection with the public SeGW
                                 Local name                Local ID of the public security gateway, used to
                                                           identify the security gateway entity
  CR/CRL server information      IP address/domain name    To establish the connection with the CR/CRL server
                                 User name and password    To log in as an authorized user
                                 Cross certificate path    To find and read the cross certificate
                                 CRL file path             To find and read the CRL file
  M2000 DHCP server information  IP address/domain name    To establish the connection with the M2000 DHCP
                                                           server


Involved MML Parameters
 Parameters Involved in Basic Security Configuration
  ACL
  ACLRule
  IKEPeer
  IKEProp
  IPSecProp
  IPSecPolicy
  IPSecBind
  IKECfg
 Parameters Involved in Digital Certificate Replacement
  CERTREQ
  CERTMK
  APPCERT
   Used to replace the certificate
  CROSSCERT
  TRUSTCERT
   Certificates on the certificate chain
  CRL
   List of certificates revoked by the CA, refreshed periodically. The CRL needs to be
downloaded from a server.
  CRLTASK
  CERTCHKTSK
  CRLPOLICY


1. Basic security concepts: PKI, IPSec, digital certificate

2. Brief Huawei security networking scheme:

a) Two authentication modes (pre-shared key and digital certificate)

b) Two modes of obtaining security information (general USB and external DHCP server)


Thank You
www.huawei.com
