TBA

Security Objective References: TBA

2G SIM access forbidden

TBA

"Access to E-UTRAN with a 2G SIM or a SIM application on a UICC shall not be granted." as specified in TS 33.401, clause 6.1.1.

Verify that access to EPS with a 2G SIM is not possible.

Test environment with HSS. HSS may be simulated.

Include 2G authentication vector in authentication data response from HSS.

MME rejects UE authentication when receiving 2G authentication vector from HSS.

NOTE: When both MME and HSS function correctly 2G authentication vector are never included in authentication data response from HSS to MME.

TBA

Security Objective References: TBA

Inclusion of RAND, AUTS

TBA

"In the case of a synchronization failure, the MME shall also include RAND and AUTS." as specified in TS 33.401, clause 6.1.2.

Verify that Re-synchronization procedure works correctly.

Test environment with UE and HSS. UE and HSS may be simulated.

The MME receives an AUTHENTICATION FAILURE message, with the EMM cause #21 "synch failure" and a re‑synchronization token AUTS.

The MME includes the stored RAND and the received AUTS in the authentication data request to the HSS.

NOTE: When RAND and AUTS are not included in the authentication data request to the HSS then the HSS will return a new authentication vector (AV) based on its current value of the sequence number SQN~HE~ (cf. TS 33.102, clause 6.3.5) A new authentication procedure between MME and UE using this new AV will be successful just the same if the cause of the synchronisation failure was the sending of a "stale" challenge, i.e. one that the UE had seen before or deemed to be too old. But if the cause of the synchronisation failure was a problem with the sequence number SQN~HE~ in the HSS (which should be very rare), and the RAND and AUTS are not included in the authentication data request to the HSS, then an update of SQN~HE~ based on AUTS will not occur in the HSS, and the new authentication procedure between MME and UE using the new AV will fail again. This can be considered a security-relevant failure case as it may lead to a subscriber being shut out from the system permanently.

TBA

Security Objective References: TBA

Integrity check of Attach message

TBA

"If the user cannot be identified or the integrity check fails, then the MME shall send a response indicating that the user identity cannot be retrieved." as specified in TS 33.401, clause 6.1.4.

Verify that secure user identification by means of integrity check of Attach request works correctly.

Test environment with new and old MME. New MME may be simulated.

The old MME receives an Identification Request message from the new MME with incorrect integrity protection.

The old MME sends a response indicating that the user identity cannot be retrieved.

TBA

Security Objective References: TBA

Not forwarding EPS authentication data to SGSN

TBA

"EPS authentication data shall not be forwarded from an MME towards an SGSN." as specified in TS 33.401, clause 6.1.4.

Verify that EPS authentication data remains in the EPC.

Test environment with MME and SGSN. SGSN may be simulated.

The MME receives an Identification Request message from the SGSN.

The response to the SGSN does not include EPS authentication data.

TBA

Security Objective References: TBA

Not forwarding unused EPS authentication between different security domains

TBA

"Unused EPS authentication vectors, or non-current EPS security contexts, shall not be distributed between MMEs belonging to different serving domains (PLMNs)." as specified in TS 33.401, clause 6.1.5.

Verify that unused EPS authentication data remains in the same serving domain.

Test environment with old and new MME in different serving domains. New MME may be simulated.

The old MME receives an Identification Request message from the new MME.

The response to the new MME does not include unused EPS authentication data.

TBA

Security Objective References: TBA

Bidding down prevention

TBA

"The SECURITY MODE COMMAND shall include the replayed security capabilities of the UE." as specified in TS 33.401, clause 7.2.

Verify that bidding down by eliminating certain UE capabilities on the interface from UE to MME is not possible.

Test environment with UE. UE may be simulated.

Attach request message includes security capabilities of the UE.

MME includes the same security capabilities of the UE in the SECURITY MODE COMMAND message.

TBA

Security Objective References: TBA

NAS integrity algorithm selection

TBA

"The MME shall protect the SECURITY MODE COMMAND message with the integrity algorithm, which has the highest priority according to the ordered lists." as specified in TS 33.401, clause 7.2.4.3.1."

NOTE: The text in TS 33.401, clause 7.2.4.3.1 is somewhat incomplete. It should properly read: "...which has the highest priority according to the ordered lists and is contained in the UE EPS security capabilities."

Verify that NAS integrity protection algorithm is selected and applied correctly.

Test environment with UE. UE may be simulated.

The MME sends the SECURITY MODE COMMAND message. The UE replies with the SECURITY MODE COMPLETE message.

1. The MME has selected the integrity algorithm which has the highest priority according to the ordered lists and is contained in the UE EPS security capabilities. The MME checks the message authentication code on the SECURITY MODE COMPLETE message.

2. The MAC in the SECURITY MODE COMPLETE is verified, and the NAS integrity protection algorithm is selected and applied correctly.

TBA

Security Objective References: TBA

NAS NULL integrity protection

TBA

"EIA0 shall only be used for unauthenticated emergency calls." as specified in TS 33.401, clause 5.1.4.1."

Verify that NAS NULL integrity protection algorithm is used correctly.

Test environment with UE. UE may be simulated.

The MME sends the SECURITY MODE COMMAND message after successful UE authentication.

The selected integrity algorithm is different from EIA0.

TBA

Security Objective References: TBA

NAS confidentiality protection

TBA

"The UE...sends the NAS security mode complete message to MME ciphered and integrity protected." as specified in TS 33.401, clause 7.2.4.3.1."

Verify that NAS confidentiality protection algorithm is applied correctly.

Test environment with UE. UE may be simulated.

The MME receives the SECURITY MODE COMPLETE message without confidentiality protection.

If a confidentiality algorithm different from EEA0 was selected the MME rejects the message.

TBA

Security Objective References: TBA

Bidding down prevention in X2-handovers

TBA

"The MME shall verify that the UE EPS security capabilities received from the eNB are the same as the UE EPS security capabilities that the MME has stored." as specified in TS 33.401, clause 7.2.4.2.2."

Verify that bidding down is prevented in X2-handovers.

Test environment with (target) eNB. eNB may be simulated.

The MME is configured to log the event of a UE EPS security capability mismatch.

The MME receives the path-switch message with the UE EPS security capabilities different from the ones stored in the MME for that UE.

The MME logs the event.

TBA

Security Objective References: TBA

NAS integrity protection algorithm selection in MME change

TBA

"In case there is change of MMEs and algorithms to be used for NAS, the target MME shall initiate a NAS security mode command procedure and include the chosen algorithms and the UE security capabilities (to detect modification of the UE security capabilities by an attacker) in the message to the UE (see clause 7.2.4.4). The MME shall select the NAS algorithms which have the highest priority according to the ordered lists (see clause 7.2.4.3.1)." as specified in TS 33.401, clause 7.2.4.3.2."

Verify that NAS integrity protection algorithm is selected correctly.

Test environment with source and target MME. Source MME may be simulated.

The target MME receives the UE EPS security capabilities and the NAS algorithms used by the source MME from the source MME over the S10 interface. The target MME selects the NAS algorithms which have the highest priority according to the ordered lists. The lists are assumed such that the algorithms selected by the target MME are different from the ones received from the source MME.

The target MME initiates a NAS security mode command procedure and include the chosen algorithms and the UE security capabilities.

TBA

Security Objective References: TBA

Idle mode mobility into E-UTRAN forbidden for GSM subscribers

TBA

"In case the MM context in the Context Response/SGSN Context Response indicates GSM security mode, the MME shall abort the procedure." as specified in TS 33.401, clause 9.1.2.

Verify that 2G subscribers cannot obtain service in EPS via idle mode mobility.

Test environment with source SGSN and target MME. Source SGSN may be simulated.

The target MME receives the MM context in the Context Response indicating GSM security mode.

The MME aborts the procedure by acknowledging the Context Response from the SGSN with an appropriate failure cause.

TBA

Security Objective References: TBA

Handover into E-UTRAN forbidden for GSM subscribers

TBA

"In case the MM context in the Forward relocation request message indicates GSM security mode (i.e. it contains a Kc), the MME shall abort the non-emergency call procedure." as specified in TS 33.401, clause 9.2.2.

Verify that GSM subscribers cannot obtain service in EPS via handovers.

Test environment with source SGSN and target MME. Source SGSN may be simulated.

The target MME receives the MM context in the Forward Location Request message indicating GSM security mode.

The MME aborts the procedure by responding to the Forward Relocation Request from the SGSN with an appropriate failure cause.

TBA

Security Objective References: TBA

SRVCC into E-UTRAN forbidden for GSM subscribers

TBA

"If the MME receives a GPRS Kc' from the source MSC server enhanced for SRVCC in the CS to PS HO request, the MME shall reject the request." as specified in TS 33.401, clause 14.3.1.

Verify that GSM subscribers cannot obtain service in EPS via SRVCC into E-UTRAN.

Test environment with source MSC server and target MME. Source MSC server may be simulated.

The target MME receives the GPRS Kc' and the CKSN'~PS~ in the CS to PS handover request.

The MME rejects the request.

TBA

Security Objective References: TBA

Emergency bearer establishment when authentication fails

TS 33.401 [5], clause 15.1.

"The MME or UE shall always release any established non-emergency bearers, when the authentication fails in the UE or in the MME." as specified in TS 33.401, clause 15.1.

Ensure that the MME enforces that only emergency bearers can be used without successful authentication.

Test environment with MME and UE. UE may be simulated. The serving network policy allows unauthenticated IMS Emergency Sessions.

The UE sends the initial attach request for EPS emergency bearer services, then the MME initiates an authentication, which fails. The UE attached for EPS emergency bearer services sends the PDN Connectivity request for EPS non-emergency bearer services.

The MME allows to continue the set up of the emergency bearer, and will reject the PDN Connectivity request for EPS non-emergency bearer services.