Description
The EPS Integrity Algorithm (EIA) is a suite of cryptographic algorithms standardized by 3GPP to protect the integrity of signaling messages in the Evolved Packet System (EPS), which encompasses LTE and later 5G core networks interacting with E-UTRAN. Integrity protection is a fundamental security service that guarantees that received signaling data (e.g., RRC and NAS messages) is authentic and has not been altered in transit. The EIA algorithms compute a Message Authentication Code (MAC), often called an integrity token or MAC-I, for each protected message. This MAC is generated using a secret integrity key (IK), a time-dependent input (COUNT), a direction bit (uplink/downlink), the message itself, and a bearer identity.
The process works as follows: the sender (UE or eNodeB/MME) inputs the aforementioned parameters into the selected EIA algorithm. The algorithm outputs a MAC-I, which is appended to the message. The receiver independently computes the expected MAC-I using the same inputs and the shared secret key. If the computed MAC-I matches the received one, the message's integrity is verified. If not, the message is discarded, and a security failure procedure may be initiated. The specific algorithms defined include EIA0 (null integrity, used in some limited cases), EIA1 (based on SNOW 3G), EIA2 (based on AES), and EIA3 (based on ZUC).
The selection of which EIA algorithm to use for a session is part of the security mode negotiation during connection establishment, as defined in TS 33.401. The network indicates the allowed algorithms in its security capabilities, and the UE selects one. The integrity key (IK) is derived from the long-term secret key (K) stored in the USIM and the Authentication Centre (AuC) during the Authentication and Key Agreement (AKA) procedure. This layered key derivation ensures that the integrity key is fresh and unique for each session.
Purpose & Motivation
EIA was created to address the critical need for signaling message integrity in the new all-IP based LTE/EPS architecture. In previous 2G/3G networks, while ciphering was often used, integrity protection for signaling was not universally applied, leaving control channels vulnerable to certain types of attacks like message injection or manipulation. The move to an IP-based air interface increased the potential attack surface, making robust cryptographic protection essential.
The purpose of EIA is to prevent attacks such as replay attacks, man-in-the-middle attacks, and falsification of signaling commands (e.g., malicious handover or detach commands). By ensuring integrity, the network can trust that critical mobility management, session management, and connection control commands originate from an authenticated entity and have not been modified. This is a cornerstone of network access security, protecting both the network from malicious UEs and the UE from rogue network elements. The standardization of multiple algorithms (SNOW 3G, AES, ZUC) also provides cryptographic agility, allowing for algorithm updates in response to future cryptographic breakthroughs or regulatory requirements.
Key Features
- Provides cryptographic integrity protection for NAS and RRC signaling messages
- Generates a Message Authentication Code (MAC-I) for each protected message
- Uses a family of algorithms: EIA1 (SNOW 3G), EIA2 (AES), EIA3 (ZUC), and EIA0 (Null)
- Algorithm selection negotiated during Security Mode Command procedure
- Uses a derived integrity key (IK) and time-varying input (COUNT) for freshness
- Essential for preventing signaling message tampering and replay attacks
Evolution Across Releases
Introduced as part of the LTE/EPS security architecture defined in TS 33.401. Initially specified EIA1 (based on SNOW 3G) and EIA2 (based on AES-128) to provide integrity protection for NAS and RRC signaling, addressing the security requirements of the new all-IP based system.
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.401 | 3GPP TR 33.401 |