SlideShare uma empresa Scribd logo
1 de 16
Baixar para ler offline
Secure and trusted Femtocells




                              Secure and trusted Femtocells



                                                   Technical White Paper
                                                                    V1.1
                                                               June 2011
                                                2nd edition February 2012




                                                          Mindspeed Ltd
                                                    Upper Borough Court
                                                    Upper Borough Walls
                                                           Bath BA1 1RG
                                                                     UK




Mindspeed Technologies, Inc                        Page 1 of 16
Secure and trusted Femtocells

                                                                                      +44 1225 469744
                                                                                   www.mindspeed.com




Contents
1     Introduction                                                                                 4
   1.1      Network Considerations                                                                 5
   1.1      RF Considerations                                                                      7
   1.2      Synchronization                                                                        7
   1.3      Provisioning                                                                           7
2     Low-Cost Implementation                                                                      7
3     Security                                                                                     9
   3.1      TrustZone Technology                                                                  10
   3.2      Secure boot                                                                           11
   3.3      Untrusted CMs and ODMs                                                                11
   3.4      Prevention of unauthorised baseband software                                          12
   3.5      Use of TrustZone to provide digital certificate authentication                        12
   3.6      Air-interface encryption                                                              13
4     Conclusions                                                                                 15
References                                                                                        16
Glossary                                                                                          16




Mindspeed Technologies, Inc                                                        Page 2 of 16
Secure and trusted Femtocells


Executive Summary
Femtocells (or, more generally, small cells) have emerged as a key enabler of future communications network
development. More than a useful add-on that delivers better service to the consumer and increased revenue
to operators, they are also an essential part of future network architectures.
The concept is simple: making a basestation cheap enough to be deployed in high volume for residential use,
connected to the core network via broadband. This can deliver to a subscriber the same service and benefits as
a fixed-mobile convergence (FMC) offering such as voice-over-WiFi, but using existing standard handsets.
Moreover, the use of femtocell and small cell architectures can help to surmount many of the technical
challenges that have become evident as operators deploy 3G networks: and that look set to worsen with the
advent of 3G Long Term Evolution (LTE) and WiMAX.
These are challenging times for mobile operators: many markets are approaching saturation; price
competition is intensifying; new competitors are entering the market, often as mobile virtual network
operators (MVNOs) with attractive cost structures and powerful brands.
In some markets carriers have problems with coverage: this is a major cause of customer dissatisfaction and
churn. In addition, operators face ‘the bandwidth tsunami’ as usage explodes, but revenues are squeezed
Femtocells provide many of the answers delivering capacity and coverage exactly where needed, but
challenges remain in their deployment: network integration, security, provisioning, radio interference and the
like. However, these can be solved.
One of the key issues has been the cost of the femtocell, especially in residential applications. Low-cost
hardware is critical to make the business case viable. Once more, this is now realistically achievable.
The benefits to the consumer include better coverage, clearer voice connections, better battery life, faster
data rates, cheaper calls and the great convenience of using a single handset. The benefits to operators are
measured in increased average revenue per user (ARPU), reduced churn and increased customer loyalty.
However, femtocells potentially open up a number of very serious security concerns.
There are risks that eavesdroppers could intercept cellular traffic, while carriers have worries that an attack
could use femtocell as an entry to their core network. These concerns have all been addressed and femtocell
security is strong: this paper explains the techniques used.


Mindspeed small cell SoC exceed all the requirements from 3GPP and Small Cell Forum. The devices support a
variety of security measures in hardware (secure boot, OTP, Trustzone®) that can be combined with good
practice and security in he software domain to protect the carrier and users from any security worries.




Mindspeed Technologies, Inc                                                                Page 3 of 16
Secure and trusted Femtocells


1 Introduction
Only a few years ago, the idea of a cellular basestation in the home would have seemed impossible, especially
given the public perception of a basestation: never enough of them to make a call, but not something that
should be seen. The reality today is very different, with the industry moving to extremely low-power home
basestations, or femtocells, the same size as existing in-home wireless equipment. These small devices have a
low price tag to match: they are affordable as consumer products in themselves, and present an economically
viable case for operator subsidy.
Over 40 femtocell deployments have now been rolled out globally, with many more operators expected to
join them by the end of this year.
Small cells are in fact still a relatively new technology. The first developments and prototypes were on show at
conferences in 2007, but real products have only been available since 2009. Roughly speaking, the technology
‘arrived’ in 2007. The bulk of the technological issues were solved in 2008, these being mainly the
development of the Iuh standard for connection; proof that interference was something that could be solved
and proof that femtocells would not ultimately break the macro network). The first trial; (“friendly customer”)
launches were in 2009, but there was still work to do on productizing, this being sorting out OSS/BS,
provisioning, billing and other “boring but essential work”. Those issues are all now solved and as a result
carriers have been shipping in high volumes.

The technology behind femtocells is far from trivial. Operators have approached their deployments carefully,
ensuring they “cover all bases” to give consumers confidence in the solution. But long before the deployment
stage, companies in the femtocell ecosystem were working hard on overcoming the substantial technological
hurdles involved.

Femtocells actually include far more intelligence than traditional basestations. Because of this change in the
way tasks are partitioned in the network, femtocell chips like the Transcede(r) family from Mindspeed need to
provide enhanced security features for authentication, location detection, and encryption as well as the
prevention of denial of service attacks.

Conventionally, the "Node B" (3GPP jargon for "basestation") is the Radio Stage, while the Radio Network
Controller (RNC) handles the intelligence and management. The RNC sets up and tears down calls, controls
power levels and session parameters, allocates bandwidth to users, and supports handoff between sectors or
cells. It is the bridge between the radio access network (RAN) of basestations and the core network. One RNC
can control many basestations but when the number of basestations is to be measured in millions per network
this architecture doesn’t scale well. In a femtocell, all of this intelligence is localized. Managing calls,
controlling interference (which is crucial, so femtocells don’t degrade the network by transmitting
inappropriately), and interfacing the radio with the broadband network securely all are RNC functions. So a
femtocell isn’t just a basestation, it also integrates the smarts of the RNC—and a lot more too.

The security issues were not only solved but also provided another reason why small cell rollouts on an
enterprise or citywide scale are more effective than Wi-Fi. To begin with, everything in wireless is secured with
strong encryption. There are theoretical attacks. But even GSM, which is an old technology, is still robust
against all practical attacks, and 3G is stronger still.

Then there are end-to-end techniques. For example, the core must authenticate the handset, but also vice
versa, so it is very hard to intercept. Cellular was designed to be secure in a way that Wi-Fi never was. (There is
a value to calls.) Finally, it is hard to eavesdrop or intercept calls if you do not know who to listen to. A perhaps
surprising fact is that the phone number is not used. An IMSI number that only maps to the phone number in
the core identifies the handset.


This paper addresses the issues facing the successful deployment of femtocells and argues that the technology
will play a vital part in future networks and service offerings. The arguments apply equally to 3G and to
emerging wireless broadband technologies such as WiMAX and 3G LTE.




Mindspeed Technologies, Inc                                                                  Page 4 of 16
Secure and trusted Femtocells

1.1 Network Considerations
The Radio Access Networks in use today comprise hundreds of base stations connected to a single Radio
Network or Base Station Controller (RNC/BSC). The interface is the Iub running the ATM protocol over
dedicated leased line


Accommodating hundreds of thousands of femtocells connected over the Internet raises a number of
important questions:
     1.   Is it scalable?
     2.   Is it secure?
     3.   Is it standardized?


A number of different 3G femtocell architectures have been proposed to accommodate the potential increase
in home basestations, however one has been adopted by 3GPP as a reference architecture for the evolution to
femtocell networks. As such it is the approach most likely to find adoption amongst the W-CDMA community.
It defines two new network elements, the Home Node-B (the femtocell itself) and a concentrator type
element, the HNB Gateway (HNB-GW). Communication between them is via a new standard interface, Iuh.
This network architecture is given in Figure 1
This approach allows functions to be partitioned differently between the Node-B and RNC, enabling the HNB-
GW to handle multiple Node-Bs. It fits seamlessly into a mobile network operator’s RAN by supplementing or
replacing its current RNCs with the concentrator element to service thousands of femtocells.
The Home Node-B (HNB) itself can handle the radio resource management functions formerly residing in the
RNC. The HNB-GW aggregates traffic into the existing core network. Amongst other things, the Iuh interface
provides important security functions, control signaling and a new application protocol (HNBAP) designed to
ease HNB deployment.




Mindspeed Technologies, Inc                                                            Page 5 of 16
Secure and trusted Femtocells

                          Figure 1: Concentrator/RNC (HNB-GW) using Iuh




Mindspeed Technologies, Inc                                               Page 6 of 16
Secure and trusted Femtocells


1.1 RF Considerations
In the early days observers had questioned whether the deployment of large numbers of femtocells would
create insurmountable RF management problems. However with some intelligent design by equipment and
semiconductor manufacturers – as well making use of some of the inherent benefits of the femtocell approach
– it has proved possible to allay these fears.



1.2 Synchronization
3GPP specifies that basestation transmit frequencies must be very accurate and closely synchronized,
requiring precise clock references. For larger basestations the accuracy is 0.05 parts per million (ppm),
although this has been relaxed to 0.1ppm for picocells in Release 6 [] and 250ppb (0.25ppm) for femtocells in
Release 8. There have been proposals that future versions of the standard, or even operator-specific waivers,
would relax this constraint.
For a low-cost femtocell implementation, implementing such synchronization starts to become a significant
part of the bill-of-materials (BoM) making alternative solutions vital. In fact, the constant pressure to reduce
basestation costs, whatever the equipment size, has meant that lower-cost synchronization solutions are
considered. The most common is NTP (Network Timing Protocol) although there are alternatives. These
include IEEE1588 and GPS as well as using innovative, low-cost/high-stability TCXOs.



1.3 Provisioning
Just as consumers are able to buy and successfully install a WiFi access point in the home, installing the
femtocell must ideally be the same: seamless and without the need for on-site assistance. But unlike WiFi,
which in its simplest form is a standalone network, the home basestation must be detected and integrated
into the overlaying mobile network – all without user intervention with a high level of security to prevent
fraudulent use.
Registration and authentication may be carried out using the same techniques as are used by many cable and
ADSL network operators. Indeed, a standard already exists for the remote provisioning and management of
DSL gateways (TR-069) which this has been extended (TR-196) to include specifics for femtocells.

2 Low-Cost Implementation
In the past, equipment cost has been a major hurdle for in-home communications, but advances in technology
and performance are now opening up new possibilities. In fact, the approach to the femtocell has more in
common with handset design than a basestation. And, like handsets, having the ability to provide software
upgrades is becoming increasingly important as standards evolve and enhancements are made.
In fact, femtocells are very cost-effective. In many respects they can be made more cheaply than a handset.
Although the baseband is more complex, there is no need for the expensive color screen or battery; power
constraints are less stringent, and there is no need to use the most costly, miniaturized manufacturing
techniques.
Figure 3 shows the Mindspeed PC8208/PC8209 femtocell software reference design. At the heart of the design
is one of the company’s latest multi-core DSP chips: the PC30xx series [2]. As well as the proven picoArray –
multiple DSPs interconnected by a high-speed bus and programmable switches providing a fully deterministic
processing core – new functionality has been integrated to meet the needs for improved performance at lower
cost.
As well as a number of dedicated hardware function accelerators (HFAs), the device includes an embedded
ARM1176JZ-S core [3] that reduces external chip count. This means the PC30xx series lends itself well to low-
cost solutions such as the home basestation.




Mindspeed Technologies, Inc                                                                Page 7 of 16
Secure and trusted Femtocells

A unique feature of this architecture is that the bulk of the functionality is in software running on the PC30xx
series. All of the 3GPP baseband processing is coded on the picoArray, while all of the control functions and
higher-layer processing are on the ARM core. The two software environments are integrated onto the same
device and booted from one Flash memory. Upgrades are therefore a straightforward software change, and
can be performed remotely over the Internet connection.
The Mindspeed WCDMA reference design is compliant with the 3GPP Release 8 specifications [4], and delivers
42Mbps high-speed downlink packet access (HSDPA) shared by up to 32 users. It implements all of the
required baseband processing (including sample rate, chip rate and symbol rate operations), as well as MAC-hs
scheduler, operations and management (OAM) functionality and protocol termination.
An Application Programming Interface (API) supports the exchange of internal data and control messages
between the picoArray and the ARM core. Figure 3 shows the protocol stack and breakdown of functions for a
Iuh network architecture. For the microprocessor this includes the network interface software and Operations
and Maintenance (OAM) functionality.




                                               DDR3       NAND
                                              SDRAM       FLASH
                       SIM                                                   VCTCXO
                     Interface


 10/100              10/100
                                                 PC323                         RF                 PA
Interface             PHY




                                               Power Supply




                            Figure 2: Standalone Femtocell with Ethernet interface




Mindspeed Technologies, Inc                                                                Page 8 of 16
Secure and trusted Femtocells




                             Figure 3: Network Interface, NBAP and OAM support




3 Security
Driving the acceptance of femtocells has been accelerated by the formation of an industry body - the Femto
Forum. This organisation has been set up to enable and promote femtocells and femtocell technology
worldwide. The Forum is chartered to encourage the growth of a partner ecosystem committed to innovation
in standards-based network infrastructure and to achieve high levels of collaboration and product
interoperability. Some of the work carried out by this forum has been accepted by 3GPP and this has been
published as technical specifications. One such document is TS33.320, which specifies the security of "Home
node B" and "Home evolved node B" ” (the 3GPP terminology for HSPA and LTE versions of femtocell aka
H(e)NB). In this specification a number of threats have been identified which the providers of femtocells must
address. The solutions need to be such that the BoM is still as low as possible. In other words, addressing the
identified threats and indeed others need to considered as part of the main femtocell device.
The specification identifies a number of security requirements and principals and also details a series of
security features. In particular, the specification defines a Trusted Environment (TrE) needed to perform
sensitive functions and store sensitive data. This data must be unknowable to unauthorised entities.
    •    The TrE must be built from a hardware root of trust
    •    The Integrity of the TrE must be verified during the boot process
    •    The TrE must verify the integrity of the rest of the system software
    •    The TrE must perform the required sensitive functions to validate the device and device integrity
    •    The TrE must perform the required sensitive functions to authenticate the device with the operator
         network.
This section provides an overview of the approaches Mindspeed has taken in order to address not only the
identified threats in TS33.320, but also the threats in the manufacturing chain of the femtocells. Instead of
Mindspeed employing specific silicon hardware for all the threats, and hence increase the cost of the femtocell
solution, it has adopted the more flexible approach of utilising ARM's patented system wide security,
TrustZone® technology, in addition to simple, generic hardware on silicon to provide the required Trusted
environment.
Using this in conjunction with a secure root of trust boot strapping mechanism, ensures a secure and trusted
system.




Mindspeed Technologies, Inc                                                               Page 9 of 16
Secure and trusted Femtocells




                              Figure 4: PC30xx series 30xx series Transcede SoC


Figure 4 shows the major blocks within the PC30xx series. In particular it shows the internal boot ROM, Cipher
engines, e-Fuse and SRAM. These are used in conjunction with the ARM TrustZone technology to create a
secure and trusted system.
In the following sections a number of security aspects are highlighted and solutions used by customers are
given.



3.1 TrustZone Technology
ARM TrustZone technology is an integral feature of the ARM1176JZ-S™ processor and was introduced through
the ARM Architecture Security Extensions. These extensions provide a consistent programmer's model across
vendors, platforms, and applications while providing a true hardware backed security environment.
TrustZone is the set of architectural security extensions found in many of ARM's newer, such as the
ARM1176JZ-S and Cortex™-A series processors which partition a system-on-a-chip's (SoC's) hardware and
software resources into secure and normal worlds. The Secure world is used to provide the Trusted
environment (TrE). The normal world is used for everything else. The hardware logic in the AMBA®3 AXI™ bus
fabric ensures that resources marked as secure cannot be accessed from the normal (non-secure) world
enabling a strong security perimeter to be built between the two.

The security extensions provide a set of well defined mechanisms to transfer control between the two worlds
in the CPU core allowing it to perform both secure and normal functions in a time-sliced fashion removing the
need for a dedicated security core.

The CPU core and the bus interconnect use a non-secure (NS) bit to indicate the origin of any request and only
permits accesses from the secure world to secure resources to complete successfully. An access to a secure
resource from the normal world will result in an abort and the secure world may access both secure and
normal resources.

Extensions in the virtual memory system allow memory regions to be marked as non-secure such that both
worlds may share cache lines to maintain coherency and achieve high performance shared memory
communication.



Mindspeed Technologies, Inc                                                             Page 10 of 16
Secure and trusted Femtocells


A new operating mode "monitor mode" is introduced to the core to permit switching between secure and
normal worlds. This mode always runs in secure mode and can be entered by the new Secure Monitor Call
(SMC) instruction, and the IRQ, FIQ, external data abort and external prefetch abort exceptions. The SMC
instruction always traps to the SMC vector and the behaviour of the other exceptions can be configured by
software depending on the system software design. The monitor mode software will typically save the state of
the current world into secure on-chip memory and load the state for the other world. This is typically an
inexpensive operation and only consists of saving the general purpose registers for cores without additional
coprocessors such as a VFP.

A range of peripherals are available to secure a system including the TrustZone Protection Controller (TZPC)
and the TrustZone Memory Adapter (TZMA). The TZPC is a configurable controller that marks peripherals on
the AMBA3 AXI bus as being a secure or normal peripheral which in turn controls the protection signals on the
bus to prevent the non-secure world from making accesses to secure peripherals. The TZMA allows on-chip
memory to be partitioned in to secure and non-secure regions allowing secure software to run entirely on-chip
without allowing accesses to the normal world but still reserving a portion of on-chip memory for the normal
world. The TCM's (Tightly Coupled Memories) may also be marked as secure or normal and can be a valuable
resource for implementing a secure software system.
Mindspeed's PC30xx Transcede family of devices incorporate the TZMA and TZPC so that the chip can be
partitioned into secure zones depending upon the operation being performed and where in the manufacturing
or provisioning chain the femtocell is.
All of the peripherals shown in Figure 4 can be configured to be in the secure or non-secure zones. This
includes the internal SRAM, where regions can be in secure or non-secure as well as the picoArray itself.

3.2 Secure boot
The Transcede devices from Mindspeed have a secure boot mechanism which ensures the device uses the on-
chip bootrom and the security features within the device. In addition to the bootrom there is an e-fuse and
also an OTP block. The efuse macro is used for informational and control operations.
At reset the device enters the bootrom which determines whether the system is to be decrypted and
authenticated before control is passed to the application code. It also determines where the next level of the
bootstrap is obtained, e.g. flash or MII. The bootrom, creates the first link in the chain of trust, makes use of
the e-fuse block to obtain the secret information to decrypt and authenticate the subsequent next level of
bootstrap. The on-chip cipher engines are used to perform the authentication and the bootrom clears up any
memory used by it prior to transferring control to the next level. This ensures no leakage of secret information
takes place.
The e-fuse also has the facility to control access to certain parts of the PC30xx series, for example, the fuse
block can be programmed to disable intrusive and non-intrusive debugging of the ARM. This ensures a
potential attacker cannot gain access to the secret information stored in the fuse block.
Should the customer require a different authentication or bootstrap mechanism the PC30xx series can be
configured to jump directly to OTP. In this case the customer specific code residing in the OTP would be
responsible for authentication of subsequent bootstraps and establishing a root of trust.
This process can be repeated over more iterations to bootstrap more complex software systems before
switching into the normal world preventing malicious accesses to the secret data.



3.3 Untrusted CMs and ODMs

In most consumer markets, devices are manufactured in high-volumes by third party companies. These may be
Contract Manufacturers (CM), who only manufacture according the supplier’s design, or ODMs (Original
Design Manufacture) who integrate both design and manufacture.




Mindspeed Technologies, Inc                                                                 Page 11 of 16
Secure and trusted Femtocells

These organisations will have access to information, including copies of code and potentially access to keys (if
those are to be blown into OTP during manufacture) and as such are a potential security vulnerability.
To protect against this, information is partitioned and controlled so that even if the CM / ODM does leak
information it is not sufficient to compromise the security of the device as a whole.
The device will boot securely from the internal ROM and load the second stage of the bootstrap into internal
SRAM. The internal ROM will authenticate the loaded bootloader and if successful will start to execute it. The
code loaded will provide a secure monitor which will relocate itself into the TCMs of the ARM1176JZ-S. The
code will check whether a public key is already present in the e-fuses. If it is then subsequent code is
authenticated using this key. Otherwise the monitor code will program the public key into the e-fuses.
Once these operations are complete the device is ready to perform any of the OEM defined actions as all
subsequent code will be authenticated using the OEM's public key and therefore deemed secure.



3.4 Prevention of unauthorised baseband software
In certain regions of the world an OEM may wish to prevent a particular SDR from being loaded in the
picoArray. There may be many reasons for this ranging from immature SDR to value proposition of higher
specification baseband.
By making the loading of the picoArray's SDR the responsibility of the secure monitor this cannot happen. All
requests by the normal world software to load the SDR will go through the hypervisor which will authenticate
the baseband image prior to downloading onto the picoArray. If this authentication fails the picoArray will not
be loaded.



3.5 Use of TrustZone to provide digital certificate authentication

As shown in Figure 5, the H(e)NB connects to the core network through the Security Gateway (SeGW) over an
insecure connection and both parties must be authenticated and communications secured. To prevent
unauthorised H(e)NBs from connecting to an operators core network, each device can be provisioned with a
public/private key pair and the SeGW's certificate and public key along with the root certificate(s) of one or
more certificate authorities to establish a chain of trust. This data is stored in the H(e)NB in secure storage
such as OTP or eFuses that are only accessible to the TrustZone secure world and can be generated on the
device at time of manufacture such that the private key never leaves the device.


                                                                                Operator’s             AAA
                                                                                core network        Server/HSS
                     L-GW
  UE                H(e)NB              insecure link                  SeGW
                                                                                        H(e)NB-GW


                                                                                                  H(e)MS
                                                                     H(e)MS

                                    Figure 5: System Architecture of H(e)NB

The authentication of both the H(e)NB and the SeGW can be established by using certificate based
authentication to construct an IPSEC tunnel using IKEv2 that will later provide the confidentiality and integrity
of the communications between both parties. During the authentication phase the H(e)NB is required to sign
the authentication data of the IKE_AUTH request using the H(e)NB's unique private key. In most H(e)NB's the
IKEv2 daemon will be running in the nonsecure world of a TrustZone enabled system to leverage the full IP
stack of a rich, unmodified, operating system such as Linux and as such cannot be trusted with the H(e)NB




Mindspeed Technologies, Inc                                                                Page 12 of 16
Secure and trusted Femtocells

private key. To perform the signing operation, we can use TrustZone to pass the data to be signed over a well
defined channel into the secure world where the data can be signed and returned to the nonsecure world
without leaking the key.

To implement the signing process the H(e)NB has a lightweight hypervisor running in monitor mode that is
responsible for performing the switch between secure and nonsecure world and use the Secure Monitor Call
(SMC) instruction to provide entry into the secure world from the rich OS. An ABI between the secure and
nonsecure world is defined using general purpose registers to pass
a call identifier and optional parameters which may utilise shared memory to transfer larger amounts of data.
The SMC call traps to the monitor mode SMC vector and the monitor mode transfers control into the secure
kernel which decodes the call identifier and runs the appropriate handler. To perform the signing, the secure
kernel validates the address of the payload and copies it into secure onchip memory to prevent any possible
race between the request and sampling of the data during the ciphering process. The secure kernel retrieves
the private key from OTP memory and then may either perform the ciphering using hardware offload engines
or a trusted software implementation.
After the signing process has been completed the secure kernel copies the signature to a buffer supplied as an
argument to the SMC call after verifying that this address is a valid nonsecure address and returns control to
the nonsecure world through another SMC call.

Optionally, the H(e)NB can use symmetric key cryptography to utilise the external non-volatile storage to
provide a larger secure vault to hold certificates and private keys allowing the H(e)NB to handle revoked keys
without running out of space in the OTP/eFuses.

 This approach satisfies the requirements in TR33.320, which the H(e)NB’s TrE shall be used to provide the
following critical security functions supporting the IKEv2 and certificate processes:

    •   The H(e)NB’s identity shall be stored in the TrE and shall not be modifiable.

    •   The H(e)NB’s private key shall be stored in the TrE and shall not be exposed outside of the TrE.

    •   The root certificate used to verify the signatures on the SeGW certificate shall be stored in the
        H(e)NB’s TrE and shall be writable by authorized access only. The verification process for signatures
        shall be performed by the H(e)NB’s TrE.

    •   The H(e)NB’s TrE shall be used to compute the AUTH payload used during the IKE_AUTH request
        message exchanges.


Through this process the H(e)NB can perform all security sensitive operations without the possible leakage of
confidential data whilst utilising all of the services that a rich operating system offers. By using TrustZone we
can provide mechanisms to update the cryptographic algorithms being used for the signing and revoke keys or
certificates whilst reducing the risk of designing a fixed function system.




3.6 Air-interface encryption

Although not directly related to the integrity of the femtocell as a unit, it is worth saying that the Mindspeed
Transcede devices support the latest encryption and security mechanisms over the air-interface.

The PC30xx series of devices support the new SNOW3G standards as well as the current Kasumi algorithm.

Kasumi was derived from MISTY cipher, but 3GPP simplified MISTY to make it computationally less intensive.
This weakens it (from 2^128 to 2^32 search complexity) and in January 2010 a practical attack of Kasumi was
revealed.




Mindspeed Technologies, Inc                                                                 Page 13 of 16
Secure and trusted Femtocells

3GPP had anticipated this possibility, and mandated SNOW3G for all Rel-7 UEs.

It is probable that a switch to SNOW3G will be mandated once Kasumi is cracked. This is not a problem for
small cells based on PC30xx as SNOW3G is fully supported.

Other devices in the Transcede family (eg T22xx/T33xx) also support the ZUC algorithm.




Mindspeed Technologies, Inc                                                              Page 14 of 16
Secure and trusted Femtocells


4 Conclusions
  As can be seen from this paper, the femtocell is a complex system - a condensed version of most of the
  elements typically found in conventional macrocell base stations and radio network controllers of a cellular
  network. Normally the elements of an operator's network are not directly exposed to the general public in the
  manner of a residential CPE so it has been essential to ensure these are free from any potential vulnerabilities
  that might provide access into the mobile operators network as femtocells are directly connected to the
  operators core network over the customer's broadband connection. In addition, manufacturers of femtocells
  need to ensure their products cannot be cloned, or counterfeit versions produced, in order they protect their
  revenues and reputations.

  These requirements must be satisfied in a very cost sensitive market; rapid uptake of femtocells is dependent
  on aggressive commoditisation of a traditional infrastructure market to enabling various operator business
  models and tariff options.

  The most cost effective approach to providing a flexible and secure system is not to design in a large amount
  of fixed-function security but rather provide a mechanism by which, under a secure root of trust, the
  underlying software can make use of low-level and reusable hardware to configure a secure system for the
  target deployment. ARM's TrustZone technology enables just such a system and the only femtocell devices
  available in the market today with this capability are Mindspeed's PC302 and PC3x3 family of devices.




  Mindspeed Technologies, Inc                                                               Page 15 of 16
Secure and trusted Femtocells

References

1.    IEEE 1588 Homepage – http://ieee1588.nist.gov/
2.    Mindspeed Wireless Communications Processors, “PC30xx series Integrated Baseband Processor”,
      Product Brief.
3.    ARM Ltd, “ARM1176JZ-S System-on-Chip Java™ and DSP enhanced processor”,
4.    3GPP Technical Specification TS 23.234, “3GPP system to Wireless Local Area Network (WLAN)
      interworking; System description”.
5.    Mindspeed Software Reference Design, “PC8229 3GPP HSDPA/Release 8 Femtocell Basestation PHY”,
      Product Brief.

Glossary

3GPP         Third-Generation Partnership Project         MSC         Mobile Switching Centre
AAA          Authentication, Authorization, Accounting    MVNO        Mobile Virtual Network Operator
ABI          Application Binary Interface                 NBAP        Node B Application Part
ADSL         Asymmetric Digital Subscriber Line           NTP         Network timing protocol
AMR          Adaptive Multi-Rate                          OAM         Operations & Maintenance
API          Application Programming Interface            PHY         Physical layer
ARPU         Average Revenue Per User                     PSTN        Public Switched Telephone Network
BSC          Basestation Controller                       QoS         Quality of Service
DDR          Dual Data Rate                               RAN         Radio Access Network
DECT         Digital Enhanced Cordless Telephone          RFIC        RF Integrated Circuit
DHCP         Dynamic Host Configuration Protocol          RLC         Radio Link Control (3G protocol)
DSP          Digital Signal Processor                     RNC         Radio Network Controller
EV-DO        Evolution-Data Optimized                     RRC         Radio Resource Control (3G protocol)
FMC          Fixed-Mobile Convergence                     SCTP        Stream Control Transmission Protocol

FTP          File Transfer Protocol                       SeGW        Secure Gateway
GPS          Global Positioning System                    SIM         Subscriber Identity Module
GSM          Global System for Mobile communications      SIP         Session Initiated Protocol

H(e)MS       Home eNodeB Management System                SMC         Secure Monitor Call
HFA          Hardware Functional Accelerator              SNMP        Simple Network Management Protocol
HNB          Home Node B                                  TCP         Transmission Control Protocol
H(e)NB       Home evolved Node B                          TCXO        Temperature controlled crystal oscillator
HSDPA        High-Speed Downlink Packet Access            UDP         User Datagram Protocol
HSS          Home Subscriber Server                       UE          User Equipment
HSUPA        High-Speed Uplink Packet Access              UMA         Unlicensed Mobile Access
IMS          IP Multimedia Subsystem                      UMAN        UMA access Network
IP           Internet Protocol                            UNC         UMA Network Controller
IPsec        IP security (protocol)                       VCTCXO      Voltage Controlled, Temperature
                                                                      Compensated Crystal Oscillator
LGW          Local Gateway                                VoIP        Voice over Internet Protocol
ISP          Internet Service Provider                    W-CDMA      Wideband Code Division Multiple Access
LTE          Long term evolution                          WiFi        IEEE 802.11 wireless technology
Iub          Interface between 3G basestation & RNC       WiMAX       IEEE 802.16 wireless technology
MAC          Media Access Control (protocol layer)




Microsoft                                                                                            Page 16 of 16

Mais conteúdo relacionado

Mais procurados

Life & Work of Dr. Vinton Cerf and Dr. Robert Kahn | Turing100@Persistent
Life & Work of Dr. Vinton Cerf and Dr. Robert Kahn | Turing100@PersistentLife & Work of Dr. Vinton Cerf and Dr. Robert Kahn | Turing100@Persistent
Life & Work of Dr. Vinton Cerf and Dr. Robert Kahn | Turing100@PersistentPersistent Systems Ltd.
 
StarSight Wireless CCTV
StarSight Wireless CCTVStarSight Wireless CCTV
StarSight Wireless CCTVSpontane_IT
 
Cisco Cloud Briefing and Experiences for Cloud Slam 2011
Cisco Cloud Briefing and Experiences for Cloud Slam 2011Cisco Cloud Briefing and Experiences for Cloud Slam 2011
Cisco Cloud Briefing and Experiences for Cloud Slam 2011Cisco Collaboration
 
Video Conferencing and Security
Video Conferencing and SecurityVideo Conferencing and Security
Video Conferencing and SecurityVideoguy
 
Catalogo Siemon da Spark Controles
Catalogo Siemon da Spark ControlesCatalogo Siemon da Spark Controles
Catalogo Siemon da Spark ControlesSpark Controles
 
Unify Your Unified Communications Australia
Unify Your Unified Communications AustraliaUnify Your Unified Communications Australia
Unify Your Unified Communications AustraliaAcmePacket
 
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data CenterCloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data CenterCisco Service Provider
 
[M2M-Frukostseminarium] Richard Savage, Qualcomm
[M2M-Frukostseminarium] Richard Savage, Qualcomm[M2M-Frukostseminarium] Richard Savage, Qualcomm
[M2M-Frukostseminarium] Richard Savage, QualcommMobilbusiness
 
Presentación Data Center Cablevisión Day 2010
Presentación Data Center Cablevisión Day 2010Presentación Data Center Cablevisión Day 2010
Presentación Data Center Cablevisión Day 2010Logicalis Latam
 
FCM Sustainable Communities, Panel February 9 2012
FCM Sustainable Communities, Panel February 9 2012FCM Sustainable Communities, Panel February 9 2012
FCM Sustainable Communities, Panel February 9 2012Rick Huijbregts
 
The Net Effect: It's Not What We Make, It's What We Make Possible
The Net Effect: It's Not What We Make, It's What We Make PossibleThe Net Effect: It's Not What We Make, It's What We Make Possible
The Net Effect: It's Not What We Make, It's What We Make PossibleCisco Services
 
Industrial Laser Solutions
Industrial Laser SolutionsIndustrial Laser Solutions
Industrial Laser Solutionsta_ha_nuk
 
Ucs overview sap-rnicola
Ucs overview sap-rnicolaUcs overview sap-rnicola
Ucs overview sap-rnicolaRobert Nicola
 
Il Cloud chiavi in mano | Marco Soldi (Intel) | Milano
Il Cloud chiavi in mano | Marco Soldi (Intel) | MilanoIl Cloud chiavi in mano | Marco Soldi (Intel) | Milano
Il Cloud chiavi in mano | Marco Soldi (Intel) | MilanoCA Technologies Italia
 
Smart + Connected Real Estate
Smart + Connected Real EstateSmart + Connected Real Estate
Smart + Connected Real EstateCisco Canada
 

Mais procurados (20)

Life & Work of Dr. Vinton Cerf and Dr. Robert Kahn | Turing100@Persistent
Life & Work of Dr. Vinton Cerf and Dr. Robert Kahn | Turing100@PersistentLife & Work of Dr. Vinton Cerf and Dr. Robert Kahn | Turing100@Persistent
Life & Work of Dr. Vinton Cerf and Dr. Robert Kahn | Turing100@Persistent
 
La experiencia de la Colaboración
La experiencia de la ColaboraciónLa experiencia de la Colaboración
La experiencia de la Colaboración
 
StarSight Wireless CCTV
StarSight Wireless CCTVStarSight Wireless CCTV
StarSight Wireless CCTV
 
Cisco Cloud Briefing and Experiences for Cloud Slam 2011
Cisco Cloud Briefing and Experiences for Cloud Slam 2011Cisco Cloud Briefing and Experiences for Cloud Slam 2011
Cisco Cloud Briefing and Experiences for Cloud Slam 2011
 
Video Conferencing and Security
Video Conferencing and SecurityVideo Conferencing and Security
Video Conferencing and Security
 
Catalogo Siemon da Spark Controles
Catalogo Siemon da Spark ControlesCatalogo Siemon da Spark Controles
Catalogo Siemon da Spark Controles
 
Unify Your Unified Communications Australia
Unify Your Unified Communications AustraliaUnify Your Unified Communications Australia
Unify Your Unified Communications Australia
 
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data CenterCloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
 
[M2M-Frukostseminarium] Richard Savage, Qualcomm
[M2M-Frukostseminarium] Richard Savage, Qualcomm[M2M-Frukostseminarium] Richard Savage, Qualcomm
[M2M-Frukostseminarium] Richard Savage, Qualcomm
 
Innovacion Abierta en Cisco
Innovacion Abierta en CiscoInnovacion Abierta en Cisco
Innovacion Abierta en Cisco
 
Cim 20070301 mar_2007
Cim 20070301 mar_2007Cim 20070301 mar_2007
Cim 20070301 mar_2007
 
Presentación Data Center Cablevisión Day 2010
Presentación Data Center Cablevisión Day 2010Presentación Data Center Cablevisión Day 2010
Presentación Data Center Cablevisión Day 2010
 
FCM Sustainable Communities, Panel February 9 2012
FCM Sustainable Communities, Panel February 9 2012FCM Sustainable Communities, Panel February 9 2012
FCM Sustainable Communities, Panel February 9 2012
 
LTE World Summit 2010 Amsterdam
LTE World Summit 2010 AmsterdamLTE World Summit 2010 Amsterdam
LTE World Summit 2010 Amsterdam
 
The Net Effect: It's Not What We Make, It's What We Make Possible
The Net Effect: It's Not What We Make, It's What We Make PossibleThe Net Effect: It's Not What We Make, It's What We Make Possible
The Net Effect: It's Not What We Make, It's What We Make Possible
 
Industrial Laser Solutions
Industrial Laser SolutionsIndustrial Laser Solutions
Industrial Laser Solutions
 
Ucs overview sap-rnicola
Ucs overview sap-rnicolaUcs overview sap-rnicola
Ucs overview sap-rnicola
 
Il Cloud chiavi in mano | Marco Soldi (Intel) | Milano
Il Cloud chiavi in mano | Marco Soldi (Intel) | MilanoIl Cloud chiavi in mano | Marco Soldi (Intel) | Milano
Il Cloud chiavi in mano | Marco Soldi (Intel) | Milano
 
Smart + Connected Real Estate
Smart + Connected Real EstateSmart + Connected Real Estate
Smart + Connected Real Estate
 
101 cd 1630-1700
101 cd 1630-1700101 cd 1630-1700
101 cd 1630-1700
 

Destaque (14)

Social
SocialSocial
Social
 
White Paper: LTE Needs Small Cells
White Paper: LTE Needs Small CellsWhite Paper: LTE Needs Small Cells
White Paper: LTE Needs Small Cells
 
Small Cells: Enterprise, Metro & Rural
Small Cells: Enterprise, Metro & RuralSmall Cells: Enterprise, Metro & Rural
Small Cells: Enterprise, Metro & Rural
 
Social
SocialSocial
Social
 
ELCC Win and Succeed RTT Presentation
ELCC Win and Succeed RTT PresentationELCC Win and Succeed RTT Presentation
ELCC Win and Succeed RTT Presentation
 
ELCC powerpoint short
ELCC powerpoint   shortELCC powerpoint   short
ELCC powerpoint short
 
Kindergarten Entry Assessments and Early Learning Challenge Grants
Kindergarten Entry Assessments and Early Learning Challenge GrantsKindergarten Entry Assessments and Early Learning Challenge Grants
Kindergarten Entry Assessments and Early Learning Challenge Grants
 
The CTO's Espresso Guide to SON
The CTO's Espresso Guide to SONThe CTO's Espresso Guide to SON
The CTO's Espresso Guide to SON
 
Sls clm demo_new
Sls clm demo_newSls clm demo_new
Sls clm demo_new
 
ELCC powerpoint long
ELCC powerpoint    longELCC powerpoint    long
ELCC powerpoint long
 
Análise de Mercado e Estratégia Competitiva
Análise de Mercado e Estratégia CompetitivaAnálise de Mercado e Estratégia Competitiva
Análise de Mercado e Estratégia Competitiva
 
Small Cell Deployments: Poised for Rapid Growth
Small Cell Deployments: Poised for Rapid GrowthSmall Cell Deployments: Poised for Rapid Growth
Small Cell Deployments: Poised for Rapid Growth
 
Ayuda 1 plan matematicas oct 12
Ayuda 1 plan matematicas oct 12Ayuda 1 plan matematicas oct 12
Ayuda 1 plan matematicas oct 12
 
Ayuda 1 plan matematicas oct 12
Ayuda 1 plan matematicas oct 12Ayuda 1 plan matematicas oct 12
Ayuda 1 plan matematicas oct 12
 

Semelhante a White Paper: Secure and Trusted Femtocells

Securing Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecuring Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecurity Gen
 
Securing Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecuring Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecurity Gen
 
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...SecurityGen1
 
Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network SecurityDjadja Sardjana
 
The "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingThe "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingVideoguy
 
The "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingThe "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingVideoguy
 
Teaser Project Telco
Teaser    Project TelcoTeaser    Project Telco
Teaser Project Telcoosp_hyd
 
Nortel cs-1000-voip-phone-system-technical
Nortel cs-1000-voip-phone-system-technicalNortel cs-1000-voip-phone-system-technical
Nortel cs-1000-voip-phone-system-technicalSlayer King
 
Aplikacje NGN (Next Generation Network)
Aplikacje NGN (Next Generation Network) Aplikacje NGN (Next Generation Network)
Aplikacje NGN (Next Generation Network) Biznes to Rozmowy
 
The definitive guide for evaluating enterprise WLAN networks
The definitive guide for evaluating enterprise WLAN networksThe definitive guide for evaluating enterprise WLAN networks
The definitive guide for evaluating enterprise WLAN networksAerohive Networks
 
MPLS IP VPNs: Are You Ready to Migrate?
MPLS IP VPNs: Are You Ready to Migrate?MPLS IP VPNs: Are You Ready to Migrate?
MPLS IP VPNs: Are You Ready to Migrate?XO Communications
 
Next Generation Service Platforms Review 2014
Next Generation Service Platforms Review 2014Next Generation Service Platforms Review 2014
Next Generation Service Platforms Review 2014Alan Quayle
 
IoT Design Principles
IoT Design PrinciplesIoT Design Principles
IoT Design Principlesardexateam
 
Wi max basic sl_v2_sergio_cruzes
Wi max basic sl_v2_sergio_cruzesWi max basic sl_v2_sergio_cruzes
Wi max basic sl_v2_sergio_cruzesSergio Cruzes
 
Harnessing the Power of the Mobile Cloud
Harnessing the Power of the Mobile CloudHarnessing the Power of the Mobile Cloud
Harnessing the Power of the Mobile CloudAntenna Software
 
VTI Learning Series Beyond the Convergence of Physical & Cyber Security
VTI Learning Series Beyond the Convergence of Physical & Cyber SecurityVTI Learning Series Beyond the Convergence of Physical & Cyber Security
VTI Learning Series Beyond the Convergence of Physical & Cyber SecurityShane Glenn
 
Cheng bearing point
Cheng bearing pointCheng bearing point
Cheng bearing pointsouthmos
 
Discussion paper: ”The coming obsolescence of the enterprise network”
Discussion paper: ”The coming obsolescence of the enterprise network” Discussion paper: ”The coming obsolescence of the enterprise network”
Discussion paper: ”The coming obsolescence of the enterprise network” Ericsson
 

Semelhante a White Paper: Secure and Trusted Femtocells (20)

Securing Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecuring Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdf
 
Securing Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdfSecuring Private 5G Networks (1).pdf
Securing Private 5G Networks (1).pdf
 
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
Empower Your Defense: SecurityGen's Comprehensive Approach to DDoS Attack Pre...
 
Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network Security
 
The "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingThe "Universal" IP Network for Videoconferencing
The "Universal" IP Network for Videoconferencing
 
The "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingThe "Universal" IP Network for Videoconferencing
The "Universal" IP Network for Videoconferencing
 
Teaser Project Telco
Teaser    Project TelcoTeaser    Project Telco
Teaser Project Telco
 
Nortel cs-1000-voip-phone-system-technical
Nortel cs-1000-voip-phone-system-technicalNortel cs-1000-voip-phone-system-technical
Nortel cs-1000-voip-phone-system-technical
 
Aplikacje NGN (Next Generation Network)
Aplikacje NGN (Next Generation Network) Aplikacje NGN (Next Generation Network)
Aplikacje NGN (Next Generation Network)
 
The definitive guide for evaluating enterprise WLAN networks
The definitive guide for evaluating enterprise WLAN networksThe definitive guide for evaluating enterprise WLAN networks
The definitive guide for evaluating enterprise WLAN networks
 
MPLS IP VPNs: Are You Ready to Migrate?
MPLS IP VPNs: Are You Ready to Migrate?MPLS IP VPNs: Are You Ready to Migrate?
MPLS IP VPNs: Are You Ready to Migrate?
 
Next Generation Service Platforms Review 2014
Next Generation Service Platforms Review 2014Next Generation Service Platforms Review 2014
Next Generation Service Platforms Review 2014
 
IoT Design Principles
IoT Design PrinciplesIoT Design Principles
IoT Design Principles
 
Mobile mondayb2b belgacom
Mobile mondayb2b   belgacomMobile mondayb2b   belgacom
Mobile mondayb2b belgacom
 
Wi max basic sl_v2_sergio_cruzes
Wi max basic sl_v2_sergio_cruzesWi max basic sl_v2_sergio_cruzes
Wi max basic sl_v2_sergio_cruzes
 
State of Softswitch
State of SoftswitchState of Softswitch
State of Softswitch
 
Harnessing the Power of the Mobile Cloud
Harnessing the Power of the Mobile CloudHarnessing the Power of the Mobile Cloud
Harnessing the Power of the Mobile Cloud
 
VTI Learning Series Beyond the Convergence of Physical & Cyber Security
VTI Learning Series Beyond the Convergence of Physical & Cyber SecurityVTI Learning Series Beyond the Convergence of Physical & Cyber Security
VTI Learning Series Beyond the Convergence of Physical & Cyber Security
 
Cheng bearing point
Cheng bearing pointCheng bearing point
Cheng bearing point
 
Discussion paper: ”The coming obsolescence of the enterprise network”
Discussion paper: ”The coming obsolescence of the enterprise network” Discussion paper: ”The coming obsolescence of the enterprise network”
Discussion paper: ”The coming obsolescence of the enterprise network”
 

Último

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 

Último (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

White Paper: Secure and Trusted Femtocells

  • 1. Secure and trusted Femtocells Secure and trusted Femtocells Technical White Paper V1.1 June 2011 2nd edition February 2012 Mindspeed Ltd Upper Borough Court Upper Borough Walls Bath BA1 1RG UK Mindspeed Technologies, Inc Page 1 of 16
  • 2. Secure and trusted Femtocells +44 1225 469744 www.mindspeed.com Contents 1 Introduction 4 1.1 Network Considerations 5 1.1 RF Considerations 7 1.2 Synchronization 7 1.3 Provisioning 7 2 Low-Cost Implementation 7 3 Security 9 3.1 TrustZone Technology 10 3.2 Secure boot 11 3.3 Untrusted CMs and ODMs 11 3.4 Prevention of unauthorised baseband software 12 3.5 Use of TrustZone to provide digital certificate authentication 12 3.6 Air-interface encryption 13 4 Conclusions 15 References 16 Glossary 16 Mindspeed Technologies, Inc Page 2 of 16
  • 3. Secure and trusted Femtocells Executive Summary Femtocells (or, more generally, small cells) have emerged as a key enabler of future communications network development. More than a useful add-on that delivers better service to the consumer and increased revenue to operators, they are also an essential part of future network architectures. The concept is simple: making a basestation cheap enough to be deployed in high volume for residential use, connected to the core network via broadband. This can deliver to a subscriber the same service and benefits as a fixed-mobile convergence (FMC) offering such as voice-over-WiFi, but using existing standard handsets. Moreover, the use of femtocell and small cell architectures can help to surmount many of the technical challenges that have become evident as operators deploy 3G networks: and that look set to worsen with the advent of 3G Long Term Evolution (LTE) and WiMAX. These are challenging times for mobile operators: many markets are approaching saturation; price competition is intensifying; new competitors are entering the market, often as mobile virtual network operators (MVNOs) with attractive cost structures and powerful brands. In some markets carriers have problems with coverage: this is a major cause of customer dissatisfaction and churn. In addition, operators face ‘the bandwidth tsunami’ as usage explodes, but revenues are squeezed Femtocells provide many of the answers delivering capacity and coverage exactly where needed, but challenges remain in their deployment: network integration, security, provisioning, radio interference and the like. However, these can be solved. One of the key issues has been the cost of the femtocell, especially in residential applications. Low-cost hardware is critical to make the business case viable. Once more, this is now realistically achievable. The benefits to the consumer include better coverage, clearer voice connections, better battery life, faster data rates, cheaper calls and the great convenience of using a single handset. The benefits to operators are measured in increased average revenue per user (ARPU), reduced churn and increased customer loyalty. However, femtocells potentially open up a number of very serious security concerns. There are risks that eavesdroppers could intercept cellular traffic, while carriers have worries that an attack could use femtocell as an entry to their core network. These concerns have all been addressed and femtocell security is strong: this paper explains the techniques used. Mindspeed small cell SoC exceed all the requirements from 3GPP and Small Cell Forum. The devices support a variety of security measures in hardware (secure boot, OTP, Trustzone®) that can be combined with good practice and security in he software domain to protect the carrier and users from any security worries. Mindspeed Technologies, Inc Page 3 of 16
  • 4. Secure and trusted Femtocells 1 Introduction Only a few years ago, the idea of a cellular basestation in the home would have seemed impossible, especially given the public perception of a basestation: never enough of them to make a call, but not something that should be seen. The reality today is very different, with the industry moving to extremely low-power home basestations, or femtocells, the same size as existing in-home wireless equipment. These small devices have a low price tag to match: they are affordable as consumer products in themselves, and present an economically viable case for operator subsidy. Over 40 femtocell deployments have now been rolled out globally, with many more operators expected to join them by the end of this year. Small cells are in fact still a relatively new technology. The first developments and prototypes were on show at conferences in 2007, but real products have only been available since 2009. Roughly speaking, the technology ‘arrived’ in 2007. The bulk of the technological issues were solved in 2008, these being mainly the development of the Iuh standard for connection; proof that interference was something that could be solved and proof that femtocells would not ultimately break the macro network). The first trial; (“friendly customer”) launches were in 2009, but there was still work to do on productizing, this being sorting out OSS/BS, provisioning, billing and other “boring but essential work”. Those issues are all now solved and as a result carriers have been shipping in high volumes. The technology behind femtocells is far from trivial. Operators have approached their deployments carefully, ensuring they “cover all bases” to give consumers confidence in the solution. But long before the deployment stage, companies in the femtocell ecosystem were working hard on overcoming the substantial technological hurdles involved. Femtocells actually include far more intelligence than traditional basestations. Because of this change in the way tasks are partitioned in the network, femtocell chips like the Transcede(r) family from Mindspeed need to provide enhanced security features for authentication, location detection, and encryption as well as the prevention of denial of service attacks. Conventionally, the "Node B" (3GPP jargon for "basestation") is the Radio Stage, while the Radio Network Controller (RNC) handles the intelligence and management. The RNC sets up and tears down calls, controls power levels and session parameters, allocates bandwidth to users, and supports handoff between sectors or cells. It is the bridge between the radio access network (RAN) of basestations and the core network. One RNC can control many basestations but when the number of basestations is to be measured in millions per network this architecture doesn’t scale well. In a femtocell, all of this intelligence is localized. Managing calls, controlling interference (which is crucial, so femtocells don’t degrade the network by transmitting inappropriately), and interfacing the radio with the broadband network securely all are RNC functions. So a femtocell isn’t just a basestation, it also integrates the smarts of the RNC—and a lot more too. The security issues were not only solved but also provided another reason why small cell rollouts on an enterprise or citywide scale are more effective than Wi-Fi. To begin with, everything in wireless is secured with strong encryption. There are theoretical attacks. But even GSM, which is an old technology, is still robust against all practical attacks, and 3G is stronger still. Then there are end-to-end techniques. For example, the core must authenticate the handset, but also vice versa, so it is very hard to intercept. Cellular was designed to be secure in a way that Wi-Fi never was. (There is a value to calls.) Finally, it is hard to eavesdrop or intercept calls if you do not know who to listen to. A perhaps surprising fact is that the phone number is not used. An IMSI number that only maps to the phone number in the core identifies the handset. This paper addresses the issues facing the successful deployment of femtocells and argues that the technology will play a vital part in future networks and service offerings. The arguments apply equally to 3G and to emerging wireless broadband technologies such as WiMAX and 3G LTE. Mindspeed Technologies, Inc Page 4 of 16
  • 5. Secure and trusted Femtocells 1.1 Network Considerations The Radio Access Networks in use today comprise hundreds of base stations connected to a single Radio Network or Base Station Controller (RNC/BSC). The interface is the Iub running the ATM protocol over dedicated leased line Accommodating hundreds of thousands of femtocells connected over the Internet raises a number of important questions: 1. Is it scalable? 2. Is it secure? 3. Is it standardized? A number of different 3G femtocell architectures have been proposed to accommodate the potential increase in home basestations, however one has been adopted by 3GPP as a reference architecture for the evolution to femtocell networks. As such it is the approach most likely to find adoption amongst the W-CDMA community. It defines two new network elements, the Home Node-B (the femtocell itself) and a concentrator type element, the HNB Gateway (HNB-GW). Communication between them is via a new standard interface, Iuh. This network architecture is given in Figure 1 This approach allows functions to be partitioned differently between the Node-B and RNC, enabling the HNB- GW to handle multiple Node-Bs. It fits seamlessly into a mobile network operator’s RAN by supplementing or replacing its current RNCs with the concentrator element to service thousands of femtocells. The Home Node-B (HNB) itself can handle the radio resource management functions formerly residing in the RNC. The HNB-GW aggregates traffic into the existing core network. Amongst other things, the Iuh interface provides important security functions, control signaling and a new application protocol (HNBAP) designed to ease HNB deployment. Mindspeed Technologies, Inc Page 5 of 16
  • 6. Secure and trusted Femtocells Figure 1: Concentrator/RNC (HNB-GW) using Iuh Mindspeed Technologies, Inc Page 6 of 16
  • 7. Secure and trusted Femtocells 1.1 RF Considerations In the early days observers had questioned whether the deployment of large numbers of femtocells would create insurmountable RF management problems. However with some intelligent design by equipment and semiconductor manufacturers – as well making use of some of the inherent benefits of the femtocell approach – it has proved possible to allay these fears. 1.2 Synchronization 3GPP specifies that basestation transmit frequencies must be very accurate and closely synchronized, requiring precise clock references. For larger basestations the accuracy is 0.05 parts per million (ppm), although this has been relaxed to 0.1ppm for picocells in Release 6 [] and 250ppb (0.25ppm) for femtocells in Release 8. There have been proposals that future versions of the standard, or even operator-specific waivers, would relax this constraint. For a low-cost femtocell implementation, implementing such synchronization starts to become a significant part of the bill-of-materials (BoM) making alternative solutions vital. In fact, the constant pressure to reduce basestation costs, whatever the equipment size, has meant that lower-cost synchronization solutions are considered. The most common is NTP (Network Timing Protocol) although there are alternatives. These include IEEE1588 and GPS as well as using innovative, low-cost/high-stability TCXOs. 1.3 Provisioning Just as consumers are able to buy and successfully install a WiFi access point in the home, installing the femtocell must ideally be the same: seamless and without the need for on-site assistance. But unlike WiFi, which in its simplest form is a standalone network, the home basestation must be detected and integrated into the overlaying mobile network – all without user intervention with a high level of security to prevent fraudulent use. Registration and authentication may be carried out using the same techniques as are used by many cable and ADSL network operators. Indeed, a standard already exists for the remote provisioning and management of DSL gateways (TR-069) which this has been extended (TR-196) to include specifics for femtocells. 2 Low-Cost Implementation In the past, equipment cost has been a major hurdle for in-home communications, but advances in technology and performance are now opening up new possibilities. In fact, the approach to the femtocell has more in common with handset design than a basestation. And, like handsets, having the ability to provide software upgrades is becoming increasingly important as standards evolve and enhancements are made. In fact, femtocells are very cost-effective. In many respects they can be made more cheaply than a handset. Although the baseband is more complex, there is no need for the expensive color screen or battery; power constraints are less stringent, and there is no need to use the most costly, miniaturized manufacturing techniques. Figure 3 shows the Mindspeed PC8208/PC8209 femtocell software reference design. At the heart of the design is one of the company’s latest multi-core DSP chips: the PC30xx series [2]. As well as the proven picoArray – multiple DSPs interconnected by a high-speed bus and programmable switches providing a fully deterministic processing core – new functionality has been integrated to meet the needs for improved performance at lower cost. As well as a number of dedicated hardware function accelerators (HFAs), the device includes an embedded ARM1176JZ-S core [3] that reduces external chip count. This means the PC30xx series lends itself well to low- cost solutions such as the home basestation. Mindspeed Technologies, Inc Page 7 of 16
  • 8. Secure and trusted Femtocells A unique feature of this architecture is that the bulk of the functionality is in software running on the PC30xx series. All of the 3GPP baseband processing is coded on the picoArray, while all of the control functions and higher-layer processing are on the ARM core. The two software environments are integrated onto the same device and booted from one Flash memory. Upgrades are therefore a straightforward software change, and can be performed remotely over the Internet connection. The Mindspeed WCDMA reference design is compliant with the 3GPP Release 8 specifications [4], and delivers 42Mbps high-speed downlink packet access (HSDPA) shared by up to 32 users. It implements all of the required baseband processing (including sample rate, chip rate and symbol rate operations), as well as MAC-hs scheduler, operations and management (OAM) functionality and protocol termination. An Application Programming Interface (API) supports the exchange of internal data and control messages between the picoArray and the ARM core. Figure 3 shows the protocol stack and breakdown of functions for a Iuh network architecture. For the microprocessor this includes the network interface software and Operations and Maintenance (OAM) functionality. DDR3 NAND SDRAM FLASH SIM VCTCXO Interface 10/100 10/100 PC323 RF PA Interface PHY Power Supply Figure 2: Standalone Femtocell with Ethernet interface Mindspeed Technologies, Inc Page 8 of 16
  • 9. Secure and trusted Femtocells Figure 3: Network Interface, NBAP and OAM support 3 Security Driving the acceptance of femtocells has been accelerated by the formation of an industry body - the Femto Forum. This organisation has been set up to enable and promote femtocells and femtocell technology worldwide. The Forum is chartered to encourage the growth of a partner ecosystem committed to innovation in standards-based network infrastructure and to achieve high levels of collaboration and product interoperability. Some of the work carried out by this forum has been accepted by 3GPP and this has been published as technical specifications. One such document is TS33.320, which specifies the security of "Home node B" and "Home evolved node B" ” (the 3GPP terminology for HSPA and LTE versions of femtocell aka H(e)NB). In this specification a number of threats have been identified which the providers of femtocells must address. The solutions need to be such that the BoM is still as low as possible. In other words, addressing the identified threats and indeed others need to considered as part of the main femtocell device. The specification identifies a number of security requirements and principals and also details a series of security features. In particular, the specification defines a Trusted Environment (TrE) needed to perform sensitive functions and store sensitive data. This data must be unknowable to unauthorised entities. • The TrE must be built from a hardware root of trust • The Integrity of the TrE must be verified during the boot process • The TrE must verify the integrity of the rest of the system software • The TrE must perform the required sensitive functions to validate the device and device integrity • The TrE must perform the required sensitive functions to authenticate the device with the operator network. This section provides an overview of the approaches Mindspeed has taken in order to address not only the identified threats in TS33.320, but also the threats in the manufacturing chain of the femtocells. Instead of Mindspeed employing specific silicon hardware for all the threats, and hence increase the cost of the femtocell solution, it has adopted the more flexible approach of utilising ARM's patented system wide security, TrustZone® technology, in addition to simple, generic hardware on silicon to provide the required Trusted environment. Using this in conjunction with a secure root of trust boot strapping mechanism, ensures a secure and trusted system. Mindspeed Technologies, Inc Page 9 of 16
  • 10. Secure and trusted Femtocells Figure 4: PC30xx series 30xx series Transcede SoC Figure 4 shows the major blocks within the PC30xx series. In particular it shows the internal boot ROM, Cipher engines, e-Fuse and SRAM. These are used in conjunction with the ARM TrustZone technology to create a secure and trusted system. In the following sections a number of security aspects are highlighted and solutions used by customers are given. 3.1 TrustZone Technology ARM TrustZone technology is an integral feature of the ARM1176JZ-S™ processor and was introduced through the ARM Architecture Security Extensions. These extensions provide a consistent programmer's model across vendors, platforms, and applications while providing a true hardware backed security environment. TrustZone is the set of architectural security extensions found in many of ARM's newer, such as the ARM1176JZ-S and Cortex™-A series processors which partition a system-on-a-chip's (SoC's) hardware and software resources into secure and normal worlds. The Secure world is used to provide the Trusted environment (TrE). The normal world is used for everything else. The hardware logic in the AMBA®3 AXI™ bus fabric ensures that resources marked as secure cannot be accessed from the normal (non-secure) world enabling a strong security perimeter to be built between the two. The security extensions provide a set of well defined mechanisms to transfer control between the two worlds in the CPU core allowing it to perform both secure and normal functions in a time-sliced fashion removing the need for a dedicated security core. The CPU core and the bus interconnect use a non-secure (NS) bit to indicate the origin of any request and only permits accesses from the secure world to secure resources to complete successfully. An access to a secure resource from the normal world will result in an abort and the secure world may access both secure and normal resources. Extensions in the virtual memory system allow memory regions to be marked as non-secure such that both worlds may share cache lines to maintain coherency and achieve high performance shared memory communication. Mindspeed Technologies, Inc Page 10 of 16
  • 11. Secure and trusted Femtocells A new operating mode "monitor mode" is introduced to the core to permit switching between secure and normal worlds. This mode always runs in secure mode and can be entered by the new Secure Monitor Call (SMC) instruction, and the IRQ, FIQ, external data abort and external prefetch abort exceptions. The SMC instruction always traps to the SMC vector and the behaviour of the other exceptions can be configured by software depending on the system software design. The monitor mode software will typically save the state of the current world into secure on-chip memory and load the state for the other world. This is typically an inexpensive operation and only consists of saving the general purpose registers for cores without additional coprocessors such as a VFP. A range of peripherals are available to secure a system including the TrustZone Protection Controller (TZPC) and the TrustZone Memory Adapter (TZMA). The TZPC is a configurable controller that marks peripherals on the AMBA3 AXI bus as being a secure or normal peripheral which in turn controls the protection signals on the bus to prevent the non-secure world from making accesses to secure peripherals. The TZMA allows on-chip memory to be partitioned in to secure and non-secure regions allowing secure software to run entirely on-chip without allowing accesses to the normal world but still reserving a portion of on-chip memory for the normal world. The TCM's (Tightly Coupled Memories) may also be marked as secure or normal and can be a valuable resource for implementing a secure software system. Mindspeed's PC30xx Transcede family of devices incorporate the TZMA and TZPC so that the chip can be partitioned into secure zones depending upon the operation being performed and where in the manufacturing or provisioning chain the femtocell is. All of the peripherals shown in Figure 4 can be configured to be in the secure or non-secure zones. This includes the internal SRAM, where regions can be in secure or non-secure as well as the picoArray itself. 3.2 Secure boot The Transcede devices from Mindspeed have a secure boot mechanism which ensures the device uses the on- chip bootrom and the security features within the device. In addition to the bootrom there is an e-fuse and also an OTP block. The efuse macro is used for informational and control operations. At reset the device enters the bootrom which determines whether the system is to be decrypted and authenticated before control is passed to the application code. It also determines where the next level of the bootstrap is obtained, e.g. flash or MII. The bootrom, creates the first link in the chain of trust, makes use of the e-fuse block to obtain the secret information to decrypt and authenticate the subsequent next level of bootstrap. The on-chip cipher engines are used to perform the authentication and the bootrom clears up any memory used by it prior to transferring control to the next level. This ensures no leakage of secret information takes place. The e-fuse also has the facility to control access to certain parts of the PC30xx series, for example, the fuse block can be programmed to disable intrusive and non-intrusive debugging of the ARM. This ensures a potential attacker cannot gain access to the secret information stored in the fuse block. Should the customer require a different authentication or bootstrap mechanism the PC30xx series can be configured to jump directly to OTP. In this case the customer specific code residing in the OTP would be responsible for authentication of subsequent bootstraps and establishing a root of trust. This process can be repeated over more iterations to bootstrap more complex software systems before switching into the normal world preventing malicious accesses to the secret data. 3.3 Untrusted CMs and ODMs In most consumer markets, devices are manufactured in high-volumes by third party companies. These may be Contract Manufacturers (CM), who only manufacture according the supplier’s design, or ODMs (Original Design Manufacture) who integrate both design and manufacture. Mindspeed Technologies, Inc Page 11 of 16
  • 12. Secure and trusted Femtocells These organisations will have access to information, including copies of code and potentially access to keys (if those are to be blown into OTP during manufacture) and as such are a potential security vulnerability. To protect against this, information is partitioned and controlled so that even if the CM / ODM does leak information it is not sufficient to compromise the security of the device as a whole. The device will boot securely from the internal ROM and load the second stage of the bootstrap into internal SRAM. The internal ROM will authenticate the loaded bootloader and if successful will start to execute it. The code loaded will provide a secure monitor which will relocate itself into the TCMs of the ARM1176JZ-S. The code will check whether a public key is already present in the e-fuses. If it is then subsequent code is authenticated using this key. Otherwise the monitor code will program the public key into the e-fuses. Once these operations are complete the device is ready to perform any of the OEM defined actions as all subsequent code will be authenticated using the OEM's public key and therefore deemed secure. 3.4 Prevention of unauthorised baseband software In certain regions of the world an OEM may wish to prevent a particular SDR from being loaded in the picoArray. There may be many reasons for this ranging from immature SDR to value proposition of higher specification baseband. By making the loading of the picoArray's SDR the responsibility of the secure monitor this cannot happen. All requests by the normal world software to load the SDR will go through the hypervisor which will authenticate the baseband image prior to downloading onto the picoArray. If this authentication fails the picoArray will not be loaded. 3.5 Use of TrustZone to provide digital certificate authentication As shown in Figure 5, the H(e)NB connects to the core network through the Security Gateway (SeGW) over an insecure connection and both parties must be authenticated and communications secured. To prevent unauthorised H(e)NBs from connecting to an operators core network, each device can be provisioned with a public/private key pair and the SeGW's certificate and public key along with the root certificate(s) of one or more certificate authorities to establish a chain of trust. This data is stored in the H(e)NB in secure storage such as OTP or eFuses that are only accessible to the TrustZone secure world and can be generated on the device at time of manufacture such that the private key never leaves the device. Operator’s AAA core network Server/HSS L-GW UE H(e)NB insecure link SeGW H(e)NB-GW H(e)MS H(e)MS Figure 5: System Architecture of H(e)NB The authentication of both the H(e)NB and the SeGW can be established by using certificate based authentication to construct an IPSEC tunnel using IKEv2 that will later provide the confidentiality and integrity of the communications between both parties. During the authentication phase the H(e)NB is required to sign the authentication data of the IKE_AUTH request using the H(e)NB's unique private key. In most H(e)NB's the IKEv2 daemon will be running in the nonsecure world of a TrustZone enabled system to leverage the full IP stack of a rich, unmodified, operating system such as Linux and as such cannot be trusted with the H(e)NB Mindspeed Technologies, Inc Page 12 of 16
  • 13. Secure and trusted Femtocells private key. To perform the signing operation, we can use TrustZone to pass the data to be signed over a well defined channel into the secure world where the data can be signed and returned to the nonsecure world without leaking the key. To implement the signing process the H(e)NB has a lightweight hypervisor running in monitor mode that is responsible for performing the switch between secure and nonsecure world and use the Secure Monitor Call (SMC) instruction to provide entry into the secure world from the rich OS. An ABI between the secure and nonsecure world is defined using general purpose registers to pass a call identifier and optional parameters which may utilise shared memory to transfer larger amounts of data. The SMC call traps to the monitor mode SMC vector and the monitor mode transfers control into the secure kernel which decodes the call identifier and runs the appropriate handler. To perform the signing, the secure kernel validates the address of the payload and copies it into secure onchip memory to prevent any possible race between the request and sampling of the data during the ciphering process. The secure kernel retrieves the private key from OTP memory and then may either perform the ciphering using hardware offload engines or a trusted software implementation. After the signing process has been completed the secure kernel copies the signature to a buffer supplied as an argument to the SMC call after verifying that this address is a valid nonsecure address and returns control to the nonsecure world through another SMC call. Optionally, the H(e)NB can use symmetric key cryptography to utilise the external non-volatile storage to provide a larger secure vault to hold certificates and private keys allowing the H(e)NB to handle revoked keys without running out of space in the OTP/eFuses. This approach satisfies the requirements in TR33.320, which the H(e)NB’s TrE shall be used to provide the following critical security functions supporting the IKEv2 and certificate processes: • The H(e)NB’s identity shall be stored in the TrE and shall not be modifiable. • The H(e)NB’s private key shall be stored in the TrE and shall not be exposed outside of the TrE. • The root certificate used to verify the signatures on the SeGW certificate shall be stored in the H(e)NB’s TrE and shall be writable by authorized access only. The verification process for signatures shall be performed by the H(e)NB’s TrE. • The H(e)NB’s TrE shall be used to compute the AUTH payload used during the IKE_AUTH request message exchanges. Through this process the H(e)NB can perform all security sensitive operations without the possible leakage of confidential data whilst utilising all of the services that a rich operating system offers. By using TrustZone we can provide mechanisms to update the cryptographic algorithms being used for the signing and revoke keys or certificates whilst reducing the risk of designing a fixed function system. 3.6 Air-interface encryption Although not directly related to the integrity of the femtocell as a unit, it is worth saying that the Mindspeed Transcede devices support the latest encryption and security mechanisms over the air-interface. The PC30xx series of devices support the new SNOW3G standards as well as the current Kasumi algorithm. Kasumi was derived from MISTY cipher, but 3GPP simplified MISTY to make it computationally less intensive. This weakens it (from 2^128 to 2^32 search complexity) and in January 2010 a practical attack of Kasumi was revealed. Mindspeed Technologies, Inc Page 13 of 16
  • 14. Secure and trusted Femtocells 3GPP had anticipated this possibility, and mandated SNOW3G for all Rel-7 UEs. It is probable that a switch to SNOW3G will be mandated once Kasumi is cracked. This is not a problem for small cells based on PC30xx as SNOW3G is fully supported. Other devices in the Transcede family (eg T22xx/T33xx) also support the ZUC algorithm. Mindspeed Technologies, Inc Page 14 of 16
  • 15. Secure and trusted Femtocells 4 Conclusions As can be seen from this paper, the femtocell is a complex system - a condensed version of most of the elements typically found in conventional macrocell base stations and radio network controllers of a cellular network. Normally the elements of an operator's network are not directly exposed to the general public in the manner of a residential CPE so it has been essential to ensure these are free from any potential vulnerabilities that might provide access into the mobile operators network as femtocells are directly connected to the operators core network over the customer's broadband connection. In addition, manufacturers of femtocells need to ensure their products cannot be cloned, or counterfeit versions produced, in order they protect their revenues and reputations. These requirements must be satisfied in a very cost sensitive market; rapid uptake of femtocells is dependent on aggressive commoditisation of a traditional infrastructure market to enabling various operator business models and tariff options. The most cost effective approach to providing a flexible and secure system is not to design in a large amount of fixed-function security but rather provide a mechanism by which, under a secure root of trust, the underlying software can make use of low-level and reusable hardware to configure a secure system for the target deployment. ARM's TrustZone technology enables just such a system and the only femtocell devices available in the market today with this capability are Mindspeed's PC302 and PC3x3 family of devices. Mindspeed Technologies, Inc Page 15 of 16
  • 16. Secure and trusted Femtocells References 1. IEEE 1588 Homepage – http://ieee1588.nist.gov/ 2. Mindspeed Wireless Communications Processors, “PC30xx series Integrated Baseband Processor”, Product Brief. 3. ARM Ltd, “ARM1176JZ-S System-on-Chip Java™ and DSP enhanced processor”, 4. 3GPP Technical Specification TS 23.234, “3GPP system to Wireless Local Area Network (WLAN) interworking; System description”. 5. Mindspeed Software Reference Design, “PC8229 3GPP HSDPA/Release 8 Femtocell Basestation PHY”, Product Brief. Glossary 3GPP Third-Generation Partnership Project MSC Mobile Switching Centre AAA Authentication, Authorization, Accounting MVNO Mobile Virtual Network Operator ABI Application Binary Interface NBAP Node B Application Part ADSL Asymmetric Digital Subscriber Line NTP Network timing protocol AMR Adaptive Multi-Rate OAM Operations & Maintenance API Application Programming Interface PHY Physical layer ARPU Average Revenue Per User PSTN Public Switched Telephone Network BSC Basestation Controller QoS Quality of Service DDR Dual Data Rate RAN Radio Access Network DECT Digital Enhanced Cordless Telephone RFIC RF Integrated Circuit DHCP Dynamic Host Configuration Protocol RLC Radio Link Control (3G protocol) DSP Digital Signal Processor RNC Radio Network Controller EV-DO Evolution-Data Optimized RRC Radio Resource Control (3G protocol) FMC Fixed-Mobile Convergence SCTP Stream Control Transmission Protocol FTP File Transfer Protocol SeGW Secure Gateway GPS Global Positioning System SIM Subscriber Identity Module GSM Global System for Mobile communications SIP Session Initiated Protocol H(e)MS Home eNodeB Management System SMC Secure Monitor Call HFA Hardware Functional Accelerator SNMP Simple Network Management Protocol HNB Home Node B TCP Transmission Control Protocol H(e)NB Home evolved Node B TCXO Temperature controlled crystal oscillator HSDPA High-Speed Downlink Packet Access UDP User Datagram Protocol HSS Home Subscriber Server UE User Equipment HSUPA High-Speed Uplink Packet Access UMA Unlicensed Mobile Access IMS IP Multimedia Subsystem UMAN UMA access Network IP Internet Protocol UNC UMA Network Controller IPsec IP security (protocol) VCTCXO Voltage Controlled, Temperature Compensated Crystal Oscillator LGW Local Gateway VoIP Voice over Internet Protocol ISP Internet Service Provider W-CDMA Wideband Code Division Multiple Access LTE Long term evolution WiFi IEEE 802.11 wireless technology Iub Interface between 3G basestation & RNC WiMAX IEEE 802.16 wireless technology MAC Media Access Control (protocol layer) Microsoft Page 16 of 16