LTE (Long Term Evolution) is the last step toward the 4th generation (4G) of radio technologies designed to increase the capacity and speed of mobile telephone networks. Many vendors are simply branding their LTE implementations "4G". Most major mobile carriers in the United States and several worldwide carriers have announced plans to convert their networks to LTE beginning in 2009. LTE is a set of enhancements to the Universal Mobile Telecommunications System (UMTS) that was introduced in 3rd Generation Partnership Project (3GPP) Release 8.
The LTE specification is all IP-based and provides downlink peak rates of at least 100 Mbps. Part of the LTE standard is the System Architecture Evolution (SAE), a flat IP-based network architecture designed to replace the old GPRS Core Network and to ensure support for, and mobility between, legacy systems such as GPRS and WiMAX.
LTE is much faster than previous cellular technologies and offers network providers an "all-IP" network model, which should simplify their network management and lower costs. LTE includes substantial changes to both sides of the mobile network: the radio access network and the core network. While it will require significant capital investment, LTE is expected to unlock new revenue streams and provide better competitive positioning by allowing mobile network operators to offer broadband services and a better quality of service in a way that greatly improves the efficient use of network resources.
The LTE standards specify how each of the following is to be achieved, using IPsec/IKE and a public key infrastructure based on X.509 digital certificates:
User authentication, authorization, and auditing
Secure infrastructure, protocols, communication, and data storage
Software integrity
End-to-end compliance
Secure network control, signaling and management
You could, but it's technically complex. Security and the difficulty of implementing it are the primary concerns slowing LTE adoption today. Engineers with the necessary cryptographic expertise are scarce and expensive. It's worth noting that LTE devices are virtually impossible to secure using open source code, because of the specificity of the algorithms required by the LTE standard and the large footprint, performance and quality-of-service problems of open source crypto implementations.
Authentication and key agreement in LTE is based on UMTS AKA (Authentication and Key Agreement), which is re-used for SAE. Access to LTE with a Subscriber Identity Module (SIM, as used in GSM) is explicitly excluded; only Release 99 or later Universal Subscriber Identity Modules (USIMs) are allowed.
As far as signaling protection is concerned, integrity and confidentiality for core network signaling (Non-Access Stratum, NAS) terminate in the Mobility Management Entity (MME). Integrity and confidentiality for radio network signaling (Radio Resource Control, RRC), and for the MME, are maintained between the User Equipment and the eNodeB, as is encryption for user plane protection. Network domain security is used to protect the internal interfaces.
Two new sets of cryptographic algorithms have been developed for SAE/LTE: one set is based on AES and the other on SNOW 3G. The rationale behind specifying two different algorithms was that the two should be as different from each other as possible, to prevent similar attacks being able to compromise both. The ETSI Security Algorithms Group of Experts (SAGE) was tasked with choosing the algorithms.
SAE/LTE enables efficient interoperability with non-3GPP networks. In this scenario trust models become more complex, and a deeper key hierarchy than the one used in UMTS is needed for SAE/LTE. A (one-way) Key Derivation Function (KDF) is used for SAE/LTE: each key lower in the hierarchy is derived from the one above it, so compromising a derived key does not expose its parent. The extended key hierarchy also enables faster intra-LTE handovers. Interworking with non-3GPP networks is based on EAP-AKA, where the EAP (Extensible Authentication Protocol) server is the 3GPP AAA server residing in the Evolved Packet Core (EPC). Where the non-3GPP network is untrusted, an IPsec tunnel is used.
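The passages above describe the LTE key hierarchy only in outline: a one-way KDF derives the eNodeB key from the K_ASME that AKA establishes, and separate NAS, RRC and user-plane keys are derived below that for either the AES-based or the SNOW 3G-based algorithm set. The following Python is an added illustration written for this page, not Mocana's code and not a 3GPP reference implementation. It assumes the derivation layout of 3GPP TS 33.401 Annex A (HMAC-SHA-256 over an input string S = FC || P0 || L0 || P1 || L1 ..., FC 0x11 for K_eNB, FC 0x15 for the per-algorithm keys, 128-bit keys taken from the low half of the 256-bit output) and treats the constant values and the sample K_ASME as the example's own assumptions.

```python
import hmac
import hashlib

# Algorithm type distinguishers used as P0 in the per-algorithm derivation
# (assumed from TS 33.401 Annex A.7; the page itself names none of these).
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 0x01, 0x02, 0x03, 0x04, 0x05

# Algorithm identities used as P1: 1 = SNOW 3G-based set (EEA1/EIA1),
# 2 = AES-based set (EEA2/EIA2). The two families the page describes.
ALG_SNOW3G, ALG_AES = 0x01, 0x02


def build_s(fc: int, *params: bytes) -> bytes:
    """Build the KDF input string S = FC || P0 || L0 || P1 || L1 ...,
    where each Li is the 2-byte big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return s


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """One-way KDF: HMAC-SHA-256(key, S). Output is 256 bits."""
    return hmac.new(key, build_s(fc, *params), hashlib.sha256).digest()


def derive_kenb(k_asme: bytes, ul_nas_count: int) -> bytes:
    """K_eNB = KDF(K_ASME, 0x11 || uplink NAS COUNT). Binding the NAS COUNT
    means a fresh K_eNB is produced each time the UE re-attaches."""
    return kdf(k_asme, 0x11, ul_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """128-bit algorithm key: low 128 bits of KDF(parent, 0x15 || type || id).
    Including the algorithm identity keeps AES and SNOW 3G keys distinct."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[16:]


def derive_hierarchy(k_asme: bytes, ul_nas_count: int,
                     nas_alg: int, rrc_alg: int, up_alg: int) -> dict:
    """Walk the hierarchy: NAS keys hang off K_ASME (they terminate in the
    MME); RRC and user-plane keys hang off K_eNB (they terminate in the
    eNodeB). Nothing in the eNodeB branch can recover K_ASME or NAS keys."""
    k_enb = derive_kenb(k_asme, ul_nas_count)
    return {
        "K_NASenc": derive_alg_key(k_asme, NAS_ENC, nas_alg),
        "K_NASint": derive_alg_key(k_asme, NAS_INT, nas_alg),
        "K_eNB": k_enb,
        "K_RRCenc": derive_alg_key(k_enb, RRC_ENC, rrc_alg),
        "K_RRCint": derive_alg_key(k_enb, RRC_INT, rrc_alg),
        "K_UPenc": derive_alg_key(k_enb, UP_ENC, up_alg),
    }


if __name__ == "__main__":
    # Constructed sample K_ASME (256 bits); a real one comes out of AKA.
    sample_k_asme = bytes(range(32))
    for name, k in derive_hierarchy(sample_k_asme, 0, ALG_AES, ALG_AES, ALG_AES).items():
        print(f"{name:9s} {k.hex()}")
```

The point worth checking in a real implementation is the key separation the hierarchy buys: run the derivation with the same K_ASME and a different NAS COUNT or algorithm identity and every derived key changes, while the parent key never appears in any child. That is what lets the eNodeB hold only its own branch of the hierarchy.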
Designers of LTE eNodeB Base Stations and LTE Serving Gateways will probably find Mocana's products most useful.
Mocana's NanoCert LTE product was designed specifically for large-scale telecom carrier rollouts and scales to secure millions of devices. Mocana’s new software dramatically lowers the development costs associated with securing new LTE devices, and enables design teams to get new, more secure LTE products to market much faster than before. NanoCert LTE is one of three new editions of Mocana’s NanoCert product line, which also includes NanoCert Client and NanoCert Advanced. LTE appliance manufacturers and development teams can request a free trial copy of NanoCert LTE at http://mocana.com/nanocert.html.
Over 100 major OEM companies including Motorola, Cisco, Intel, General Electric, Honeywell and Siemens already rely on Mocana software to guarantee device integrity for their products in the consumer, medical, industrial, IT and military markets. NanoCert LTE is part of the new 5.1 release of Mocana’s Device Security Framework, the industry’s most comprehensive suite of embedded security solutions for non-PC devices.
Certificate-based authentication is a prerequisite for Public Key Infrastructure (PKI) and for securely administering the networked devices and services that participate in it. PKI is widely deployed, and many wireless technologies and protocols depend upon it, including LTE (aka 3GPP or 4G). Certificates need to be updated frequently to ensure that the device is operated only by the assigned user, that the device carries the most up-to-date user privileges, and that the device has the most recent upgrades to its service. But manually updating certificates is error-prone, inefficient and simply doesn't scale, especially when you've got tens of millions of devices in the field.
NanoCert LTE, combined with Mocana's best-in-class IPsec solution NanoSec, secures connections between LTE eNodeB base stations and LTE Serving Gateway (SGW) devices. It also uses CMPv2 to secure LTE (Long Term Evolution) infrastructure devices for device-to-device and subscriber authentication, as specified under the international 3GPP standards. NanoCert LTE's LDAPv3 (Lightweight Directory Access Protocol) client automatically retrieves the appropriate certificates and certificate revocation lists (CRLs) from LDAP servers.
NanoCert LTE includes an integrated Oracle database for scalability, and features robust and fast boot-up and recovery with sophisticated logging capabilities. NanoCert LTE's IKE implementation pre-authenticates and pre-validates certificates to prevent dialing delays, even under heavy loads or network outages. Finally, NanoCert LTE is highly configurable and adapts easily to differing operator environments.
Mocana offers an optional binary FIPS 140-2 Level 1 validated cryptographic library for key generation and all cryptographic operations, a prerequisite for the most security-conscious buyers. NanoCert LTE is also available in cross-platform ANSI C source code, and both source and binary versions include full support for NSA's Suite B algorithms, which give government agencies and contractors another option for secure communications when classified "Suite A" algorithms are inappropriate or not available to them.
Finally, for ensuring the confidentiality of LTE connections, Mocana offers NanoSec, our ultra-optimized, micro-footprint IPsec/IKE built just for device environments, which is well suited to securing LTE devices and communications. It's much faster and smaller than open source, and a lot easier to work with, too. It is also available with a FIPS 140-2 Level 1 validated cryptographic core for especially security-conscious customers.