Subscribe

Back to (LTE) basics

LTE traffic can be secured from the handset to the base station, but that's all.

Siphiwe Nelwamondo
By Siphiwe Nelwamondo, technical marketing manager with Aviat Networks.
Johannesburg, 16 Jan 2014

As the new year begins, it's a good time to look back and see what was learned in 2013, and what knowledge is still required in 2014. I've detailed how, now that African mobile network operators (MNOs) are joining the long-term evolution (LTE) party, security is not necessarily at the top of the agenda. For security concerns within LTE microwave backhaul networks, it can be seen that security management problems can originate both from external and internal sources, as discussed in previous Industry Insights.

In addition, I have begun to show that the very traffic of the LTE network (ie, payload) can be vulnerable on the microwave backhaul. As the next-generation mobile phone protocol, LTE does provide native security between the handset and the base station - but that's all.

In the interest of 'flattening' the telecoms architecture, LTE security of voice and data traffic ends at the base station, forcing the subscriber's payload to continue on naked across the backhaul, undefended and unaware. Generally, to protect the LTE payload through the backhaul to the network core, the solution is to encrypt, or encode, it.

For the top MNOs, IPSec (Internet Protocol Security) has been contemplated as the traffic protection (ie, payload encryption) solution of choice for LTE, especially because that's what is defined by the 3GPP, the world body for LTE standards. IPSec is no new technology, as it's been known since the 1990s as the de facto security standard for fixed terrestrial wireline LANs. And while IPSec could provide payload encryption from the handset to the base station to the network core, it comes at a cost.

Hundreds of millions for defence?

The first segment of security from the LTE-enabled handset to the base station is straightforward, and relatively inexpensive to implement, with IPSec termination in the eNodeB of the base station. However, to extend IPSec from a remote wireless site to the network core requires additional, expensive equipment in the form of IPSec security gateways to terminate the traffic at the central office.

And, truth be told, even if all MNOs wanted to protect their subscribers from the prying eyes of America's National Security Agency, IPSec is just too cost prohibitive to use all the way across the core network for many operators. Equipping a mobile operator's entire LTE microwave backhaul network with security gateways can easily cost into the hundreds of millions of rand - tens of millions of dollars!

But, there is a better and more affordable way - payload encryption based on the Advanced Encryption Standard (AES). As defined by FIPS-197 publications from the Computer Security Resource Centre (CSRC), AES encryption can take the handoff of subscriber voice and data payload from the eNodeB termination of LTE native security and randomly encode it in 128- or 256-bit encryption for secure transport across the microwave backhaul to the central office. AES-enabled microwave radios are able to defend LTE payload over the backhaul, without costly third-party security gateways, with only the addition of a simple line card into the chassis.

AES payload encryption

Typically, AES payload encryption comes in two strengths: 128- and 256-bit encryption. In combination with a symmetric key using the industry-standard Diffie-Hellman Key agreement method with modulo of at least 2 048 bits, no payload encryption combination will be repeated within 835 years. This means without the benefit of random chance, someone seeking to successfully hack into an AES-defended LTE microwave backhaul would need more time to exhaust every possible security combination for deciphering the payload than has elapsed since the time of the medieval knights.

Of course, hackers and other technologically savvy cyber criminals are always looking for innovative ways to perpetrate their electronic exploits. But at the very least, AES payload encryption for LTE microwave backhaul implemented in the foregoing manner would provide the strength of security recommended by CSRC for data that must be protected until the year 2030. With this amount of encryption, CSRC does not anticipate it will be practicable that data so encoded could be made unsecure until that time, given today's level of computing power.

Such payload encryption safeguards could have been enough to secure the mobile phone usage of Angela Merkel, chancellor of Germany, from illegal wireless interception by US espionage. Any eavesdropping equipment (ie, wireless 'sniffers') along the transmission path between links or within the vicinity of a microwave radio transmitter's Fresnel zone would only receive a garbled transmission of static.

IPSec is just too cost prohibitive to use all the way across the core network for many operators.

Other benefits of AES payload encryption to LTE microwave backhaul include protection from so-called 'replay' attacks, where sinister third-parties are prevented from recording legitimate radio network management traffic and played back at a later date. By way of this safeguard, AES encryption provides another layer of security to management commands so that they cannot be eavesdropped on by unauthorised users, and potential 'memorisation' of encrypted blocks that could be retransmitted in an attempt to access radio messages.

Security or performance?

In addition to the exorbitant capital expenditure necessary to deploy IPSec with the LTE microwave backhaul for security, MNOs need to contend with the performance hit entailed with this wireless defence strategy.

Using IPSec security gateways to carry encrypted payload across the LTE microwave backhaul can easily bring total delay to 20 to 30 milliseconds of latency. For some LTE services, 20 to 30 milliseconds of latency may not amount to much, but compared to AES payload encryption, which offers statistically negligible latency where the delay is virtually undetectable, MNOs have to ask themselves: "Why pay more to get less?"

Not to mention, IPSec adds overhead to all packets encrypted, hence it will put an additional burden on the LTE microwave backhaul network.

Industry standards

In closing, I have to say a cost-effective solution that will protect LTE subscriber voice and data payload across the microwave backhaul network is essential to strong security from the base station to the network core. To keep a strong security solution cost-effective and compatible with other mobile network equipment, it must be based on industry standards that do not force MNOs to compromise performance for security.

Transplanting security technology originally designed for corporate networking environments puts too much drag on all the best promises of LTE mobile: speed, capacity, coverage. And the chimera of proprietary third-party security devices added onto the LTE microwave network could prove costly to MNOs, because once these solutions are in place, operators could face formidable barriers to upgrading or changing solutions as the threat landscape continues to evolve.

Security built into LTE microwave backhaul radios from the start offers the best combination of protection, cost-effectiveness, upgradeability and time to market.

Share