E.6 FP Integrity

3GPP TS 43.020 Release 17: Security related network functions

In licensed mode, the CTS-FP, while servicing its user(s), should perform as instructed by the CTS-SN. In both licensed and license exempt modes, a potential entry point for various kinds of CTS misuse would be to alter a type-approved CTS-FP. It is therefore of paramount importance that the local CTS security, and in particular the CTS-FP itself, provide reliable countermeasures against misuse of the CTS-FP through manipulation of its hardware and/or software. The purpose of this subclause is

a) to identify explicitly the threats

b) to explore ways how to provide protection

c) to consider the verification of protection mechanisms

[Although it is likely that the FP integrity mechanisms will not be standardised it is important that each type-approved CTS-FP has a certain set of minimally required basic integrity/protection mechanisms. Ideally, there should be a way to verify the operation of these basic mechanisms.]

E.6.1 Threats

Threats have been identified and the importance of the corresponding countermeasure has been classified. The following ranking was used:

1. Essential; Protection is essential for secure operation of CTS in general;

2. Important; Protection is important but failure has limited impact;

3. Desirable; Protection is desirable but failure has only local impact.

Table E1 shows the sensitive information that the FP contains and the importance of the countermeasure(s) against possible manipulation.

It is understood that for each item listed in Table E1, changing its value in an unauthorised way is the threat.

Table E1: Sensitivity of FP maintained information

Item | Type of data | Rank
CTS-FP software (note 1) | constant | 1
IFPEI | constant | 2
IFPSI (licensed mode) | constant | 2
CTS-PIN | constant | 2
Secret operator key (KOP) (licensed mode) | variable | 1
Supervising authentication key (KiFP) associated with IFPSI (licensed mode) | constant | 1+
PLMN permitted | variable in licensed mode, constant in license exempt mode | 1
Timers (counters), limits (note 2) | variable | 1
Radio parameters (GFL, etc.) + operation parameters | variable in licensed mode, constant in license exempt mode | 1
Local keys (Ka) and security parameters | variable | 2
Service parameters (addressing, operator ids) | variable | 2
CTS algorithms (A3/A8, MAC) | constant | (1,2)

NOTE 1: If the FP software is reprogrammable there should be a mechanism that authenticates the identity of the reprogramming agent (FS algorithm can be a protection against unauthorised reprogramming).

NOTE 2: Clock should continue to run or new information should be obtained from the network when FP power is lost or fixed line connection removed.

In license exempt mode, it is of prime importance that the radio parameters and the list of mobiles allowed to enrol to that CTS-FP (PLMN permitted) are stored in a secure way and cannot be modified.

E.6.1.1 Changing of FP software

CTS-FPEs will store their software in non-volatile memory that can be (re)programmed at the factory or at authorised service centres. Current technology provides so-called flash memories for this purpose. Reprogrammability is advantageous from a production and service point of view but, at the same time, it can be misused to reprogram the FP so that it no longer operates according to the standards. Reprogramming may be executed via the manufacturer-provided interface(s) or via direct access to the storage. Thus the FP reprogramming protection should protect against:

a) unauthorised reprogramming access via offered interface (test, fixed line, SIM interface, radio interface);

b) Reprogramming via direct access to system software storage;

c) Reprogramming via physical exchange (replacing storage modules).

NOTE: The actual protection mechanisms do not have to be standardised but the level of protection should be defined. There should be no (trapdoor) mechanism to bypass the protection mechanisms.
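The following Python sketch is an added illustration of NOTE 1 (authenticating the reprogramming agent) and of the requirement that every reprogramming path, and no trapdoor, goes through the same gate. It is not part of the specification or of any manufacturer's implementation. It assumes a constructed image layout (magic, version, body, tag), an HMAC-SHA256 tag as a stand-in for whatever authentication algorithm the manufacturer uses, a version field so that an older genuine image is refused, and a key held in the FP's protected storage; the names build_image, verify_image, FixedPartFlash and demo are hypothetical. It shows a genuine update being accepted and a tampered image, a replayed older image and an image tagged with a guessed key being refused:

```python
import hashlib
import hmac
import struct

# Constructed image layout for this example (not from the specification):
#   magic(4) | version(4, big-endian) | body | tag(32)
# The tag is HMAC-SHA256 over magic|version|body with a reprogramming key
# held in the FP's protected storage; it stands in for whatever
# authentication algorithm the manufacturer actually uses.
MAGIC = b"CTSF"
HEADER_LEN = 8
TAG_LEN = 32


def build_image(key: bytes, version: int, body: bytes) -> bytes:
    """What an authorised reprogramming agent produces."""
    header = MAGIC + struct.pack(">I", version)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def verify_image(key: bytes, image: bytes, installed_version: int):
    """Gate every reprogramming path (test, fixed line, SIM, radio) through
    this check. Returns (accepted, reason, version)."""
    if len(image) < HEADER_LEN + TAG_LEN:
        return False, "image too short", None
    header = image[:HEADER_LEN]
    body = image[HEADER_LEN:-TAG_LEN]
    tag = image[-TAG_LEN:]
    if header[:4] != MAGIC:
        return False, "bad magic", None
    version = struct.unpack(">I", header[4:])[0]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    # Authenticate the agent before trusting anything else in the image.
    if not hmac.compare_digest(expected, tag):
        return False, "tag mismatch: reprogramming agent not authenticated", version
    # Refuse a genuinely tagged but older image (rollback to a weaker build).
    if version <= installed_version:
        return False, "version not newer than installed software", version
    return True, "accepted", version


class FixedPartFlash:
    """Minimal model of the reprogrammable software store behind the check."""

    def __init__(self, key: bytes, version: int, body: bytes):
        self._key = key        # never readable over any offered interface
        self.version = version
        self.body = body
        self.log = []          # (accepted, reason, version) per attempt

    def reprogram(self, image: bytes) -> bool:
        accepted, reason, version = verify_image(self._key, image, self.version)
        self.log.append((accepted, reason, version))
        if accepted:
            self.version = version
            self.body = image[HEADER_LEN:-TAG_LEN]
        return accepted


def demo():
    """Run one genuine update and three attacks; return the outcomes."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed
    fp = FixedPartFlash(key, version=3, body=b"v3 firmware")
    genuine = build_image(key, 4, b"v4 firmware")
    results = {"genuine": fp.reprogram(genuine)}

    # Attacker patches one byte of the body without knowing the key.
    tampered = bytearray(genuine)
    tampered[HEADER_LEN + 2] ^= 0x01
    results["tampered"] = fp.reprogram(bytes(tampered))

    # Attacker replays an older, genuinely tagged image.
    results["rollback"] = fp.reprogram(build_image(key, 2, b"v2 firmware"))

    # Attacker builds a "newer" image with a guessed key.
    results["forged"] = fp.reprogram(build_image(b"guessed key", 5, b"v5 firmware"))
    return results, fp


if __name__ == "__main__":
    outcomes, fp = demo()
    for name, accepted in outcomes.items():
        print(f"{name:9s} accepted={accepted}")
    print("installed version:", fp.version)
```

One caveat on the stand-in: with a symmetric tag, whoever can read the verification key can also produce valid images, so the key needs the same physical protection as the software itself (subclause E.6.2.3). A public-key signature over the image avoids that dependency; the specification leaves the choice of mechanism to the manufacturer.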

E.6.1.2 Changing of IFPEI

Each CTS-FPE contains an identity (IFPEI). The IFPEI can be used (associated with the IFPSI) for local security and network security procedures. The Fixed Part Equipment is uniquely defined by the IFPEI. The IFPEI is stored in a secure way in accordance with the requirements for storage of the IMEI as described in 3GPP TS 42.009.

E.6.1.3 Changing of IFPSI and operator and subscription related keys (KiFP, KOP)

These values are stored in the FP-SIM; the IFPSI can only be read and not updated while the operator and the subscription related keys are used in the FP-SIM and cannot be accessed.

E.6.1.4 Changing of timers and timer limits

The CTS-FP operation is partially under control of timers. When timer values are stored in E2PROM memory there should be a protection against malicious reprogramming. The use of external timer hardware should only be allowed when accompanied with comprehensive protection countermeasures.

E.6.1.5 Changing of radio usage parameters

This annex defines mechanisms to protect the parameters that will set the radio usage characteristics during transport to the local CTS system. In addition these parameters should be protected when stored inside the CTS-FPE.

E.6.2 Protection and storage mechanisms

In this subclause some basic approaches for realising CTS-FP integrity mechanisms are described. The mechanisms are divided into three groups. One group targets the protection of data that is stored in a static or semi-static way in re-programmable non-volatile memory. The second group targets timer values that change frequently. A third group targets physical protection aspects.

E.6.2.1 Static or semi static values

Data that is stored permanently or changes seldom is either stored on the FP-SIM (KOP, KiFP, IFPSI) or might be stored in write-once memory cells (Ka); the place of storage could be defined. In either case some form of physical security is necessary. Furthermore, specific standards in terms of technology (e.g. NIST FIPS 140-1) can be used.

E.6.2.2 Timers

If stored timer values can be accessed (e.g. when they are stored in physically accessible E2PROM) they can be protected in the same spirit as static data, but the mechanism should be tailored for frequent update of the values to be protected. Alternatively, these values could be stored in the main processor chip.
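As an added example of that idea (not part of the specification), the following Python sketch keeps timer records in an accessible E2PROM where each record carries a MAC and a monotonic write counter, two slots are written alternately so a power loss mid-write leaves the previous record intact, and only the highest counter seen so far is kept in the main processor chip, as the text suggests. The record layout, the truncated HMAC-SHA256 tag, the processor-side counter and the names ProtectedTimerStore and demo are constructed for this example. It shows that a bit flip in the newest record, a restored earlier E2PROM dump and an unkeyed forgery are each detected:

```python
import hashlib
import hmac
import struct

# Constructed E2PROM record layout (not from the specification):
#   seq(4) | elapsed_seconds(4) | limit_seconds(4) | tag(16)
# seq is a monotonic write counter; the tag is a truncated HMAC-SHA256
# over the three fields, keyed with a key held in protected storage.
FIELDS_LEN = 12
TAG_LEN = 16
REC_LEN = FIELDS_LEN + TAG_LEN
SLOTS = 2


def _tag(key: bytes, fields: bytes) -> bytes:
    return hmac.new(key, fields, hashlib.sha256).digest()[:TAG_LEN]


class ProtectedTimerStore:
    def __init__(self, key: bytes):
        self._key = key                             # in protected storage
        self.eeprom = bytearray(SLOTS * REC_LEN)    # physically accessible
        # Highest seq ever written. Modelled (assumption) as living in the
        # main processor chip, out of reach of an attacker who can read and
        # rewrite the E2PROM.
        self.highest_seen = 0

    def write(self, elapsed: int, limit: int) -> int:
        seq = self.highest_seen + 1
        fields = struct.pack(">III", seq, elapsed, limit)
        off = (seq % SLOTS) * REC_LEN               # alternate the two slots
        self.eeprom[off:off + REC_LEN] = fields + _tag(self._key, fields)
        self.highest_seen = seq
        return seq

    def read(self):
        """Return ("ok", record) or a failure status with None."""
        best = None
        for i in range(SLOTS):
            rec = bytes(self.eeprom[i * REC_LEN:(i + 1) * REC_LEN])
            fields, tag = rec[:FIELDS_LEN], rec[FIELDS_LEN:]
            if not hmac.compare_digest(_tag(self._key, fields), tag):
                continue  # never written, or modified without the key
            seq, elapsed, limit = struct.unpack(">III", fields)
            if best is None or seq > best["seq"]:
                best = {"seq": seq, "elapsed": elapsed, "limit": limit}
        if best is None:
            return "no_valid_record", None
        if best["seq"] < self.highest_seen:
            return "rollback", None  # newest valid record is older than written
        return "ok", best


def demo():
    key = b"\x5a" * 32  # constructed key
    store = ProtectedTimerStore(key)
    store.write(elapsed=100, limit=3600)   # seq 1 -> slot 1
    store.write(elapsed=200, limit=3600)   # seq 2 -> slot 0
    dump = bytes(store.eeprom)             # attacker copies the E2PROM here
    store.write(elapsed=300, limit=3600)   # seq 3 -> slot 1
    good = bytes(store.eeprom)
    results = {"normal": store.read()}

    # Attack 1: flip one bit in the newest record's elapsed field. The
    # store falls back to the older valid slot, which the processor-side
    # counter then flags as stale.
    store.eeprom[REC_LEN + 5] ^= 0x80
    results["bitflip"] = store.read()
    store.eeprom[:] = good

    # Attack 2: put the earlier dump back to wind the timer backwards.
    store.eeprom[:] = dump
    results["restore"] = store.read()
    store.eeprom[:] = good

    # Attack 3: overwrite both slots with an unkeyed record claiming seq 9.
    forged = struct.pack(">III", 9, 0, 3600) + bytes(TAG_LEN)
    store.eeprom[:] = forged * SLOTS
    results["forged"] = store.read()
    store.eeprom[:] = good
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:8s} -> {outcome}")
```

The design choice worth noting is that the MAC alone only proves a record was once written by the FP; without the processor-side high-water mark, copying an older valid pair of slots back would pass the tag check. Keeping one small counter inside the processor is what turns the accessible E2PROM into tamper-evident storage for frequently changing values.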

E.6.2.3 Physical protection

Physical protection should make it difficult to reprogram the (flash) memory holding the CTS-FP system software through direct physical access to the memory chip, or to physically exchange critical hardware components. It should also protect electrical sensing mechanisms against obvious attacks, e.g. resetting components.