ETSI TR 103 502 V1.1.1 (2017-09)

ETSI TR 103 502 V1.1.1 (2017-09)






TECHNICAL REPORT
Reconfigurable Radio Systems (RRS);
Applicability of RRS with existing
Radio Access Technologies and core networks;
Security aspects

---------------------- Page: 1 ----------------------
2 ETSI TR 103 502 V1.1.1 (2017-09)



Reference
DTR/RRS-0314
Keywords
radio, safety, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2017.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M logo is protected for the benefit of its Members.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TR 103 502 V1.1.1 (2017-09)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Executive summary . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definitions and abbreviations . 8
3.1 Definitions . 8
3.2 Abbreviations . 9
4 OSI stack mapping to RRS . 9
4.1 OSI protocol stack overview . 9
4.2 OSI layers and security mechanisms . 10
4.2.1 Threats and countermeasures . 10
4.2.2 Radio link specificity of countermeasures . 10
4.3 Core elements of the RRS model . 11
4.4 Applicability of RVM to radio terminal computing . 11
4.5 Notification of Radio App availability . 12
5 Security provisions in 3GPP SAE and LTE . 12
5.1 Security architecture for 3GPP . 12
5.2 Radio channels in 3G SAE/LTE . 13
5.3 Security functions mapping to radio in 3G SAE/LTE . 13
5.3.1 General overview . 13
5.3.2 u-SIM and identity management . 13
5.3.2.1 Overview . 13
5.3.2.2 Provision of subscriber identity. 13
5.3.2.3 Provision of device identity . 14
6 Security provisions in IEEE 802.11™ systems . 15
6.1 System overview . 15
6.2 IEEE 802.11™ key management systems . 16
6.3 IEEE 802.1X key management systems . 16
7 Physical layer security provisions in RRS. 17
Annex A: Language-theoretic security in RRS . 18
A.1 Overview . 18
A.1.1 Introduction . 18
A.1.2 Weird machine . 18
A.1.3 Grammar type, computational complexity and decidability . 19
A.1.4 Semantic security and computational equivalence of protocol endpoints . 20
A.1.5 Trustworthiness of a system as a composition of sub-systems . 20
A.1.6 Core principles . 21
A.1.6.1 Simplicity and decidability . 21
A.1.6.2 Strength of the recognizer . 21
A.1.6.3 Principle of minimal computation power. 21
A.1.6.4 Secure composition with parser computational equivalence . 21
A.1.7 Language-theoretic approach as a tool for security auditors and adversaries . 22
A.2 Applicability to Reconfigurable Radio Systems . 22
Annex B: Review of push mechanisms . 23
ETSI

---------------------- Page: 3 ----------------------
4 ETSI TR 103 502 V1.1.1 (2017-09)
B.1 Overview . 23
B.2 Generic IP-based push mechanism . 23
B.2.1 Introduction . 23
B.2.2 Services operated by third-parties . 23
B.2.3 Security considerations . 24
B.2 Push mechanism adapted to cellular networks . 24
B.2.1 Introduction . 24
B.2.2 General principles. 25
B.2.3 Adaption to network bearers . 25
B.2.3.1 Overview of adaption process . 25
B.2.3.2 Point-to-point delivery . 25
B.2.3.3 Point-to-multipoint delivery. 26
B.2.4 Security considerations . 26
B.3 Security properties of data and notification services in 3GPP networks . 26
B.3.1 Introduction . 26
B.3.2 Data service . 27
B.3.3 Cell Broadcast Service . 27
B.3.4 Short Message Service . 27
B.3.5 Security considerations . 27
Annex C: Bibliography . 29
History . 30


ETSI

---------------------- Page: 4 ----------------------
5 ETSI TR 103 502 V1.1.1 (2017-09)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Reconfigurable Radio Systems (RRS).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The introduction of RRS capability is shown not to inhibit the provision of the security mechanisms of existing radio
access technologies. The reason, shown in the present document, is that the security capabilities for common radio
technologies (e.g. LTE/SAE, IEEE 802.11™) are present at layers 2 and higher in the OSI protocol stack, whereas the
novel features of RRS apply to the means to provision layer 1. It is highlighted however that a Radio Application
addresses a complete protocol stack and provision of all layers of the protocol stack in a single software package may
require special provisions in the Reconfigurable Equipment to enable full network communication.

ETSI

---------------------- Page: 5 ----------------------
6 ETSI TR 103 502 V1.1.1 (2017-09)
1 Scope
The present document shows a mapping of existing Radio Access Technologies (RATs) to the Reconfigurable Radio
System (RRS) model in order to identify missing security requirements, in particular identify the boundary of an RRS
Radio Application with regard to the security functions present in existing RAT. Recognizing that a RAT is not bound
to a single link but may be supported by functions in the network the present document also considers the role of core
networks in supporting any triggering of the Reconfigurable Equipment to reconfigure itself using a push mechanism.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TS 133 401: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); LTE; 3GPP System Architecture Evolution (SAE);
Security architecture (3GPP TS 33.401)".
[i.2] ISO/IEC 7498-1:1994 "Information technology -- Open Systems Interconnection -- Basic
Reference Model: The Basic Model".
[i.3] ETSI TR 102 945: "Reconfigurable Radio Systems (RRS); Definitions and abbreviations".
[i.4] ETSI EN 303 095: "Reconfigurable Radio Systems (RRS); Radio Reconfiguration related
Architecture for Mobile Devices".
[i.5] Len Sassaman, Meredith L. Patterson, Sergey Bratus, Michael E. Locasto, Anna Shubina:
"Security Applications of Formal Language Theory".
[i.6] Noam Chomsky: "On certain formal properties of grammars", Information and
Computation/information and Control, vol. 2, pp. 137-167, 1959.
[i.7] Michael Sipser: "Introduction to the Theory of Computation", Second Edition, International
Edition, Thompson Course Technology, 2006.
[i.8] Seymour Ginsburg and Sheila Greibach: "Deterministic context free languages", in Proc. 6th
Symp. Switching Circuit Theory and Logical Design, 1965, pp. 203-220.
[i.9] Dan Kaminsky, Meredith L. Patterson and Len Sassaman: "PKI Layer Cake: New Collision
Attacks Against the Global X.509 Infrastructure".
[i.10] Travis Goodspeed, Sergey Bratus, Ricky Melgares, Rebecca Shapiro and Ryan Speers: "Packets in
Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios", 5th USENIX Workshop
on Offensive Technologies, August 2011.
[i.11] Open Mobile Alliance™. OMA-AD-Push-V2-3: "Push Architecture".
NOTE: Available at http://www.openmobilealliance.org/.
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TR 103 502 V1.1.1 (2017-09)
[i.12] WAP Forum™ WAP-230-WSP: "Wireless Session Protocol".
NOTE: Available at http://www.openmobilealliance.org/.
[i.13] WAP Forum™: "Wireless Application Protocol".
NOTE: Available at http://www.openmobilealliance.org/.
[i.14] IETF RFC 2616: "Hypertext Transfer Protocol -- HTTP/1.1".
[i.15] IETF RFC 793: "Transmission Control Protocol".
[i.16] IETF RFC 3261: "Session Initiation Protocol".
[i.17] ETSI TS 123 228: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); LTE; IP Multimedia Subsystem (IMS); Stage 2
(3GPP TS 23.228)".
[i.18] ETSI TS 122 146: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; Multimedia Broadcast/Multicast Service (MBMS);
Stage 1 (3GPP TS 22.146)".
[i.19] Open Mobile Alliance™: "OMA Mobile Broadcast Services".
NOTE: Available at http://www.openmobilealliance.org/.
[i.20] 3GPP2 C.S0070-0: "Broadcast Multicast Services (BCMCS) Codecs and Transport Protocols".
[i.21] ETSI EN 302 304: "Digital Video Broadcasting (DVB); Transmission System for Handheld
Terminals (DVB-H)".
[i.22] ETSI TS 123 041: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); Technical realization of Cell Broadcast Service
(CBS) (3GPP TS 23.041)".
[i.23] ETSI TS 142 009: "Digital cellular telecommunications system (Phase 2+); Security aspects
(3GPP TS 42.009)".
[i.24] ETSI TS 125 302: "Universal Mobile Telecommunications System (UMTS); Services provided by
the physical layer (3GPP TS 25.302)".
[i.25] ETSI TS 123 040: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); Technical realization of the Short Message Service
(SMS) (3GPP TS 23.040)".
[i.26] ETSI TS 123 204: "Universal Mobile Telecommunications System (UMTS); LTE; Support of
Short Message Service (SMS) over generic 3GPP Internet Protocol (IP) access; Stage 2
(3GPP TS 23.204)".
[i.27] ETSI TS 124 011: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); LTE; Point-to-Point (PP) Short Message Service
(SMS) support on mobile radio interface (3GPP TS 24.011)".
[i.28] ETSI TS 144 003: "Digital cellular telecommunications system (Phase 2+) (GSM); Mobile Station
- Base Station System (MS - BSS) Interface Channel Structures and Access Capabilities
(3GPP TS 44.003)".
[i.29] ETSI TS 143 020: "Digital cellular telecommunications system (Phase 2+) (GSM); Security
related network functions (3GPP TS 43.020)".
[i.30] ETSI TS 144 064: "Digital cellular telecommunications system (Phase 2+) (GSM); Mobile Station
- Serving GPRS Support Node (MS-SGSN); Logical Link Control (LLC) Layer Specification
(3GPP TS 44.064)".
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TR 103 502 V1.1.1 (2017-09)
[i.31] ETSI TS 124 008: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); LTE; Mobile radio interface Layer 3 specification;
Core network protocols; Stage 3 (3GPP TS 24.008)".
[i.32] ETSI TS 144 018: "Digital cellular telecommunications system (Phase 2+) (GSM); Mobile radio
interface layer 3 specification; GSM/EDGE Radio Resource Control (RRC) protocol (3GPP
TS 44.018)".
[i.33] ETSI TS 124 341: "Digital cellular telecommunications system (Phase 2+) (GSM); Universal
Mobile Telecommunications System (UMTS); LTE; Support of SMS over IP networks; Stage 3
(3GPP TS 24.341)".
[i.34] GSM Association IR.92: "IMS Profile for Voice and SMS".
[i.35] ETSI TS 131 102: "Universal Mobile Telecommunications System (UMTS); LTE; Characteristics
of the Universal Subscriber Identity Module (USIM) application (3GPP TS 31.102)".
[i.36] ETSI TS 131 101: "Universal Mobile Telecommunications System (UMTS); LTE; UICC-terminal
interface; Physical and logical characteristics (3GPP TS 31.101)".
TM
[i.37] IEEE 802.11 : "IEEE Standard for Information technology -- Telecommunications and
information exchange between systems Local and metropolitan area networks -- Specific
requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY)
Specifications".
[i.38] ETSI TS 122 016: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; International Mobile station Equipment Identities
(IMEI) (3GPP TS 22.016)".
[i.39] ETSI TS 123 003: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); Numbering, addressing and identification (3GPP
TS 23.003)".
[i.40] ETSI TR 103 087: "Reconfigurable Radio Systems (RRS); Security related use cases and threats in
Reconfigurable Radio Systems".
TM
[i.41] IEEE 802.11p : "IEEE Standard for Information technology -- Local and metropolitan area
networks -- Specific requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) Specifications Amendment 6: Wireless Access in Vehicular Environments".
[i.42] ETSI TS 133 102: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); 3G security; Security architecture (3GPP TS 33.102)".
[i.43] GSM Association TS.06 (DG06): "IMEI Allocation and Approval Guidelines, Version 6.0".
NOTE: Available at
http://www.gsma.com/newsroom/wp-content/uploads/2012/06/ts0660tacallocationprocessapproved.pdf.
[i.44] IEEE 801.1X™: "IEEE Standard for Local and metropolitan area networks - Port-Based Network
Access Control".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in ETSI TR 102 945 [i.3] apply.
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TR 103 502 V1.1.1 (2017-09)
3.2 Abbreviations
For the purposes of the present document, the abbreviations given in ETSI TR 102 945 [i.3] and the following apply:
2G Second Generation
3G Third Generation
ASN Abstract Syntax Notation
BCMCS Broadcast and Multicast Service
CBCH Cell Broadcast CHannel
CBS Cell Broadcast Service
CTCH Common Traffic Channel
DCCH Dedicated Control Channel
IMS IP Multimedia Subsystem
LLC Logical Link Control
MM Mobility Management
OMA Open Mobile Alliance™
P-CSCF Proxy-Call Service Control Function
P-GW PDN GateWay
PDN Packet Data Network
RR Radio Resource
SACCH Slow Access Control Channel
SDCCH Standalone Dedicated Control Channel
SIP Session Initiation Protocol
SGSN Service GPRS Support Node
SMS-SC SMS Service Centre
SQL Structured Query Language
WAP Wireless Application Protocol
XMPP eXtensible Messaging and Presence Protocol
4 OSI stack mapping to RRS
4.1 OSI protocol stack overview
The conventional 7-layer model for Open Systems Interconnection defined in ISO/IEC 7498-1 [i.2] allocates particular
functionality to each of the abstract layers. A strict interpretation of the OSI model is that radio technologies apply to
layer 1 only, as the nature of the physical media is only apparent at that layer. However, whilst a radio signal is physical
the Radio Access Technology is more complex. The physical layer is where the modulation and RF stuff is done, the
link layer, layer-2 in the OSI model, is where the logical connectivity is built up and this is carried through to the
network layer, layer-3 in the OSI model, where the radio device becomes connected to the wider network. Thus for
conventional telecommunications modelling the broadly accepted model has been slimmed down to only 3 layers:
• Layer 1 - physical media, the radio path.
• Layer 2 - the link layer that offers a reliable connection across the radio path between 2 points.
• Layer 3 - the network layer that builds the terminal into a wider network of devices.
The nature of the transmission environment dictates to a very large extent the means by which data can be transmitted
and for radio the environment is hostile. The hostility itself takes a number of forms but the corollary of wavelength and
transmission range, the impact of noise, the impact of fading, and so on all are addressed across the layers of the
protocol stack. In addition the radio resource is highly regulated with regulation defining most of the physical
characteristics, e.g. radiated output power, bandwidth, adjacent channel interference restrictions (i.e. how much power
can be broadcast in adjacent channels), and for fixed sites also addresses such things as antenna height and antenna
gain. Any implementation of RRS has to give assurance the regulation is not abused and the means of enforcing any
claims for equipment to the Declaration of Conformity (DoC) has to be added to the security model of the radio device
when that device is an RRS capable of being modified on the fly to support one or more Radio Access Technologies
(RATs).
In terms of commonly applied security functions the assignments in table 1 are generally applied.
ETSI

---------------------- Page: 9 ----------------------
10 ETSI TR 103 502 V1.1.1 (2017-09)
Table 1: OSI mapping of security and transmission functions
n Name Basic function for transmission Commonly applied security functions
4++ Application domain Everything else Application security (CIA paradigm)
3 Network layer Routing, multi-node networking Authentication, Key management (as part of
mobility management in cellular networks)
2 Link Layer Logical channels creating a reliable link Encryption,
(LLC) Transmission packet integrity,
Transmission FEC
1 Physical layer The radio bits PHYLAWS, QKD, QE and similar physical
layer security

4.2 OSI layers and security mechanisms
4.2.1 Threats and countermeasures
The technical domain of security is often described in terms of the CIA paradigm (Confidentiality Integrity
Availability) wherein security capabilities are selected from the CIA paradigm to counter risk to the system from a
number of forms of cyber attack. The common model is to consider security in broad terms as determination of the
triplet {threat, security-dimension, countermeasure} such that a triple such as {interception, confidentiality, encryption}
is formed. The threat in this example being interception which risks the confidentiality of communication, and to which
the recommended countermeasure (protection measure) is encryption.
The very broad view is thus, for communications systems, that security functions are there to protect user content from
eavesdropping (using encryption) and networks from fraud (authentication and key management services to prevent
masq
...