Figure 14.2 gives an overview of the complete security architecture for LTE. Four strata are identified, each addressing a sufficiently isolated category of security threats: the application, home, serving and transport strata.
As can be noted in the figure, 3GPP defines five sets of security features:
In what follows, we elaborate on some of these feature sets.
Network access security covers specific features such as user identity confidentiality, entity authentication, confidentiality of certain agreements and data exchanges, and data integrity. Identity confidentiality is normally achieved by assigning short-lived temporary identities, which protects both the user's identity and location and keeps the user untraceable. Entity authentication applies to both user and network authentication, and is realized by authenticating at each connection set-up between the network and the user. Confidentiality applies to the cipher algorithm and key agreement, and to user and signaling data. Finally, the integrity algorithm and key agreement, data integrity, and origin authentication of signaling data are all properties achieved through various mechanisms.
Ciphering may be applied to RRC signaling to prevent tracking of the UE through over-the-air RRC exchanges, for example for measurements or handover. NAS signaling may also be confidentiality protected. Confidentiality of user-plane exchanges is provided at the PDCP layer; this measure, however, is optional. Integrity protection, by contrast, shall be provided (i.e., it is mandatory) for both NAS and RRC signaling. These measures are described below. Table 14.1 shows the termination points for NAS signaling, the U-plane, and the AS (RRC and MAC signaling).
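The mandatory/optional split just described can be checked mechanically. The following audit routine is an added example (not code from the chapter or from 3GPP): it encodes the rules stated above, integrity mandatory for NAS and RRC signaling and ciphering optional on every plane, and flags a constructed weak configuration beside its corrected counterpart. The algorithm names EEA0/EIA0 are the 3GPP null ciphering and null integrity algorithms; the sample configurations are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

NULL_CIPHER = "EEA0"     # 3GPP null ciphering algorithm (no confidentiality)
NULL_INTEGRITY = "EIA0"  # 3GPP null integrity algorithm (no integrity)

# Which planes require integrity, per the text: NAS and RRC signaling must be
# integrity protected; nothing in the text requires user-plane integrity.
INTEGRITY_MANDATORY = {"NAS": True, "RRC": True, "UP": False}

# What is lost when the (optional) ciphering of a plane is switched off.
CIPHER_OFF_RISK = {
    "NAS": "NAS signaling readable over the air",
    "RRC": "UE tracking via over-the-air RRC exchanges (measurements, handover)",
    "UP": "user traffic readable at the PDCP layer",
}

@dataclass(frozen=True)
class PlaneConfig:
    plane: str                 # "NAS", "RRC" or "UP"
    ciphering: str             # e.g. "EEA2"; "EEA0" means no ciphering
    integrity: Optional[str]   # e.g. "EIA2"; None when no integrity is applied

def audit(configs: List[PlaneConfig]) -> Tuple[List[str], List[str]]:
    """Return (violations, warnings): a violation breaks a mandatory rule,
    a warning flags an optional protection that is switched off."""
    violations, warnings = [], []
    for c in configs:
        if INTEGRITY_MANDATORY[c.plane] and c.integrity in (None, NULL_INTEGRITY):
            violations.append(
                f"{c.plane}: integrity is mandatory but {c.integrity or 'none'} is configured")
        if c.ciphering == NULL_CIPHER:
            warnings.append(f"{c.plane}: ciphering off ({NULL_CIPHER}); {CIPHER_OFF_RISK[c.plane]}")
    return violations, warnings

# Constructed sample: a weak configuration and its corrected counterpart.
WEAK = [
    PlaneConfig("NAS", "EEA2", "EIA2"),
    PlaneConfig("RRC", "EEA0", "EIA0"),   # signaling with null integrity
    PlaneConfig("UP", "EEA0", None),      # user plane in the clear
]
HARDENED = [
    PlaneConfig("NAS", "EEA2", "EIA2"),
    PlaneConfig("RRC", "EEA2", "EIA2"),
    PlaneConfig("UP", "EEA2", None),      # user-plane integrity stays optional
]
```

Running `audit(WEAK)` reports one violation (RRC signaling without integrity) and two warnings (RRC and user-plane ciphering off), while `audit(HARDENED)` reports nothing.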
Network domain security refers to general IP-related security measures that apply various IETF-specified mechanisms. These are detailed further in 33.210 and 33.10 (describing, respectively, security aspects of the IP network layer and the network domain authentication framework).
User domain security involves user-to-USIM authentication and authorization of the USIM-terminal link; these are the basic measures for authenticating a user or terminal. Application domain security, meanwhile, is enabled by the security features provided for the USIM Application Toolkit, which enables authentication applications residing in the USIM.
Note that a similar architecture is assumed for non-3GPP accesses, where the access and serving networks are a non-3GPP access network.