Securing Cellular Access Networks against Fraud

Transcription

1 ISSN T e c h n i c a l R e p o r t N O 2009/ 02 Securing Cellular Access Networks against Fraud C Lukeman 26 October, 2009 Department of Computing Faculty of Mathematics, Computing and Technology The Open University Walton Hall, Milton Keynes, MK7 6AA United Kingdom

2 Securing Cellular Access Networks against Fraud A dissertation submitted in partial fulfilment of the requirements for the Open University s Master of Science Degree in Computing for Commerce and Industry Chris Lukeman (U ) 1 March 2010 Word Count: 14,534

3 Preface I would like to thank my supervisor Dr Samir Al-Khayatt not only for suggesting this project but also for his helpful advice and guidance throughout the course of this dissertation. Through this I was able to remain focussed and the dissertation to remain on course. I would also like to thank all those that took the time to participate in my online questionnaire into attitudes to mobile security Finally I would like to say a special thank you to Rachel Morton for piloting the questionnaire and offering advice on the suitability of questions and most importantly for proof reading this dissertation.

4 Table of Contents Preface... i List of Figures... vi List of Tables... vi Abstract x Chapter 1 Introduction Background to the research Aims and Objectives Research Question Contribution to Knowledge Dissertation Overview..7 Chapter 2 Literature Review AKA in Cellular Networks GSM AKA UMTS AKA LTE/SAE AKA Secure Handovers between GSM and UMTS Networks SIM Card Security Weaknesses in UMTS AKA..24 ii

5 2.4.1 Anonymity Man in the Middle Attack Redirection Attack Denial of Service DoS Related Research Identity Concealment Mutual Authentication Summary...31 Chapter 3 Research Methods Case Study Development of a Prototype Design Phase Implementation Phase Testing Phase Questionnaire Chapter 4 Data Acquisition Questionnaire Results Prototype Design...40 iii

6 4.2.1 Two Factor Authentication Full Network Authentication Local Network Authentication Anonymity Prototype Implementation 49 Chapter 5 Data Analysis and Results Prototype Testing and Results Performance Results Data Analysis Security Analysis Performance Analysis Implementation Considerations Comparison with Other Research.72 Chapter 6 Conclusions Summary of Findings Future Research Project Review...77 References.79 iv

7 Bibliography.85 Index.88 Abbreviations 90 Appendix A : Extended Abstract. Appendix B : Questionnaire 97 Appendix C : Questionnaire Results 103 Appendix D : Test Results Appendix E : Source Code 136 v

8 List of Figures Figure 2.1 Simplified GSM Architecture 10 Figure 2.2 GSM Algorithms inside the Mobile Phone 10 Figure 2.3 Authentication Process in GSM...12 Figure 2.4 Simplified UMTS Architecture 14 Figure 2.5 Authentication Vectors in AuC...14 Figure 2.6 Authentication Process in UMTS 15 Figure 2.7 Cipher Algorithm in UMTS 16 Figure 2.8 Integrity Algorithm in UMTS..17 Figure 2.9 Network Architecture of LTE.18 Figure 2.10 Key Hierarchy in LTE Networks..19 Figure 2.11 Authentication Method in LTE network..21 Figure 2.12 Handover between GSM/UMTS..22 Figure 2.13 IMSI Structure..25 Figure 4.1: Use case diagram for the generation of MACsn in the USIM 42 Figure 4.2: Prototype Authentication Vectors..45 Figure 4.3: Full Network Authentication Sequence Diagram..46 Figure 4.4: IMSI Updates between Core Network Elements..49 vi

9 Figure 4.5: Prototype GUI Interface.50 Figure 4.6: Flow Chart for Java Implementation of Prototype 51 Figure 4.7: Prototype Class Diagram..52 Figure 4.8: Class Diagram for Supplementary Classes 53 vii

10 List of Tables Table 2.1 Authentication and Encryption Algorithms used in UMTS 17 Table 4.1: Protocol for Java Implementation of Prototype Table 5.1: Results of a Normal Authentication.. 56 Table 5.2: Results of the Re-direction Attack.57 Table 5.3: Results of the Replay Attack.. 58 Table 5.4: Results of Mutual Authentication Test...58 Table 5.5: Anonymity Test..59 Table 5.6: Change of Serving Network...60 Table 5.7: User Authentication Check...61 Table 5.8: Timestamp Check..61 Table 5.9: Wrong IMSI Check Table 5.10: Authentication Parameters in (a) UMTS AKA and (b) M801 AKA 64 Table 5.11: Number of bits per Message for the M801 Protocol..65 Table 5.12: Comparison of the number of bits transmitted between M801 Protocol and UMTS per authentication run 67 Table 5.13: Comparison of M801 protocol with UMTS AKA..68 viii

11 Table 5.14: Comparison of UMTS protocols..72 ix

12 Abstract Despite improvements made in cellular security since first generation analogue networks, there still remain a number of weaknesses in UMTS networks. This is made more critical because the UMTS AKA is to be used in fourth generation LTE networks. At the current time there are no known attacks against UMTS networks, but new techniques are being developed all the time by hackers and computer processors are becoming more powerful, which means this may not always remain. As mobile applications move in to high value areas such mobile commerce and mobile banking these networks will become more attractive to criminals. Through research a number of weaknesses have been highlighted in UMTS authentication. A number of research projects have been initiated, but to date, these have not been satisfactory for use in a live network. This has been mainly due to lack of compatibility with GSM. The protocol developed introduced two new ideas to cellular authentication. The first is the use of two-factor authentication using a chip and PIN solution. The second involves a novel way of achieving mutual authentication by using a secret authentication code A simulation of the protocol was produced using the client / server architecture of Java. A series of controlled experiments were then run testing all known threats against cellular networks including the highlighted weaknesses. The protocol successfully dealt with all threats and in not altering the area of UMTS AKA associated with interworking, ensured compatibility with GSM. Although successful in the tests conducted, the experiments would need re-running using a dedicated network software tool such as OPNET and an external security assessment by an external party to verify the claims x

13 Chapter 1 Introduction 1.1 Background to the research January 1 st 2010 marked the 25 th anniversary of the launch of the UK s first mobile phone network (Collins, 2009). This first network in the UK was an analogue based network called TACS (Total Access Communication System). These networks from a security perspective were variously described as weak (Howard, 2005) or non existent (Bais et al, 2006). No encryption of data was provided and the signals were transmitted using Frequency Modulation (FM). This meant all calls could be quite easily tuned into by amateur radio enthusiasts (Niemi and Nyberg, 2003). In addition it was easy to reprogram a phone (cloning) with the user s identity from information gathered from over the unencrypted air interface (Arreymbi, 2006). This could all be carried out passively without requiring any expensive equipment. This highlighted the need for improved security in second generation networks. The most widely used of these is GSM (Global System for Mobile Communication). GSM is a digital network and as such is well suited to take advantage of the available digital cryptography techniques. The primary security objective for GSM was to provide at least the same level of security as fixed line phones. This resulted in the mobile phone becoming the first mass communication device to employ cryptography (Howard, 2005). Cloning is prevented by the introduction of a tamper resistant smart card called a SIM (Subscriber Identity Module). The SIM contains the IMSI, which identifies the user to the network and a secret key (Ki), which is never transmitted. Encryption is applied between the mobile and the base station (BTS) to prevent unauthorised listening. 1

14 Despite the improvements new threats were identified (Bocan and Cretu, 2006) and (Siddique & Amir, 2006). One problem identified was that the mobile could not authenticate the network. This left open the possibility of an active attack known as a false base station or man in the middle attack. The algorithms used in GSM were not made public. This process is quite often referred to as security by obscurity. The argument against this is that the secret will come out eventually and if released from the start it gives the cryptography community time to check the algorithms for weaknesses. This proved to be the case in 1997 (He, 2007) when details of the GSM algorithms were leaked. Subsequent analysis found that a weak algorithm called COMP-128 was being used. Within a year of the details being leaked the algorithm was reverse engineered by researchers at UC Berkeley (Brumley, 2004). The cracking of the algorithm resulted in the return of cloning (Brookson, 2005). The cloning of SIM cards only appears to affect those using COMP-128 version 1 and does not appear to affect the improved version 2 algorithm. The encryption algorithms used in GSM also came under attack (Barkan et al, 2006). With these compromised it becomes possible to eavesdrop on subscriber calls. Although it is not possible to listen to live calls, the times are coming down rapidly (Gendrullis et al, 2008). In 2009 an article in Mobile Industry Review (Mobile Industry Review, 2009) had the cost down to $500 with a prediction that GSM eavesdropping would be common place by At the end of 2009 Karsten Nohl published details of an attack on the GSM A5/1 algorithm (Cohen, 2009). 2

15 Many of the lessons learnt in GSM were corrected in third generation networks referred to as UMTS (Universal Mobile Telecommunication System) in Europe. The scope of UMTS security (3GPP TS , 2009) is to keep the features that worked well in GSM such as the use of a SIM card and improve on weaknesses real or perceived. This resulted in a new set of encryption and authentication algorithms and these were published from the start this time and found to be trusted and secure algorithms (Balderas Contreras and Cumplido Parra, 2004). The encryption key size was also increased from 64 bits to 128. The security of an algorithm is related to the key size (Chandra, 2005). There have been documented cases (Biham et al, 2005) of attacks against A5/3 used in GSM, which is based on Kasumi. These attacks are not considered practical and were based on 64 bit key not 128, but it is an initial sign that the main encryption algorithm in UMTS may be vulnerable. Mutual authentication is also introduced into UMTS. A Message Authentication Code (MAC) is generated by the mobile s HLR to prove it has been generated by the legitimate network. Part of the input to the MAC is a Sequence Number (SQN) introduced to guarantee freshness and thereby prevent replay attacks. Introduced into UMTS networks is integrity protection to prevent the modification of messages during transit (Niemi and Nyberg, 2003). In spite of the improvements new threats became apparent (Bais et al, 2006). Some of these weaknesses have carried over from GSM such as lack of anonymity. IMSI is still sent in clear text, which could be used by IMSI catchers (Strobel, 2007) to track the user. Although integrity protection is in place in UMTS it does not get applied until after the initial key agreement phase. Up to this point it is possible to alter messages or inject messages. This could be used in a Denial of Service (DoS) attack 3

16 (Khan et al, 2008) such as IMSI detach. An attack was published in 2004 (Meyer & Wetzel, 2004) where a man in the middle attack is launched on a UMTS network. This exposed a number of weaknesses in the architecture. These include how the weaknesses in GSM can undermine UMTS security, through the requirement to be able to perform a seamless secure handover. Also exposed in this attack is the weakness of using sequence numbers. Research is now moving to fourth generation networks such as Long Term Evolution (LTE). One of the main differences with LTE networks that differ to previous generations, is that it is totally packet based and no support will be provided for circuit switched data. This contrasts with the first GSM networks (pre GPRS), which provided only circuit switched. The main feature of the LTE architecture as far as this dissertation is concerned is that it is based on UMTS AKA. This means that these networks will also adopt a lot of the problems already highlighted for UMTS. Unlike UMTS, LTE networks do not appear to be concentrating on finding solutions to perceived weaknesses as well as actual. What this overview has illustrated with the exception of the cracking of COMP-128 is that when a weakness is identified, the solution is implemented in the next generation. This would illustrate a lack of flexibility in the architecture. What has also come across is that security features are implemented frequently as a result of weaknesses being exposed in the network. This would perhaps imply that security is more reactive than proactive. A comment by Bruce Schneier (Schneier, 2008) in relation to A5/1 could be applied to security in general when he commented attacks always get better; they never get worse. Operators are now looking to move in to high value applications such as mobile banking and commerce. This will inevitably attract 4

17 criminal elements. Once a weakness has been exposed it is only a matter of time before it gets exploited through better technology. This is why research in this area is so important and is the motivation behind this dissertation. 1.2 Aims and Objectives Despite the increased level of security introduced into third generation networks, the overview highlighted a number of weaknesses. Further research has shown that some features have either not been implemented or not implemented in the manner specified by 3GPP (Mochizuki, 2006). Many of these weaknesses are related to the authentication process. Authentication ensures that only authorised users can access the network. A successful authentication is also used as the launch pad to generate other threats against the network. The aim of this dissertation will be to analyse the weaknesses in UMTS protocols with regard to the authentication processes. This will mainly focus on weaknesses in anonymity and mutual authentication. The dissertation will then analyse possible solutions to the weaknesses and as a result develop a more secure framework, which addresses the weaknesses whilst maintaining compatibility with GSM and LTE networks. The new protocol will be demonstrated using a simulation package built using Java s client-server architecture. This will demonstrate the protocols ability to defend against a number of attacks 5

18 1.3 Research Question The primary research question this dissertation will attempt to answer will be Can a more secure cellular access network be developed without altering the existing network architecture and maintaining compatibility with GSM networks? To answer the primary research question a series of secondary questions need to be posed. (a) Can two factor authentication improve security in UMTS networks? Should it be implemented? (b) Can a more suitable solution to using sequence numbers be found where a mobile controls its own challenge and avoids the need for re-synchronisation? (c) IMSI is the way a mobile identifies itself to the network, thereby making it possible to track the user. This compromises a user s anonymity. Is it possible to provide a solution where the user s anonymity is preserved? 1.3 Contribution to Knowledge 3GPP (33.801, 2005) believe that weaknesses of UMTS networks highlighted in section 2.4 are not feasible in practice and have included the UMTS authentication framework in LTE networks. This is why it is important to find a solution to these weaknesses. This research is likely to be of particular interest to other researchers in this field where it may compliment work they are already undertaking. The dissertation will be of value to others that have an interest in mobile communications in general and 6

19 security architecture in particular. This would be expected to include personnel working for mobile phone operators in a technical capacity and organisations whose corporate networks are carried by mobile operators. This dissertation will be of interest to Network Engineers that have knowledge of IP security but very little knowledge of mobile security architectures. 1.4 Dissertation Overview The remainder of this dissertation is structured as follows. Chapter 2 evaluates the current body of knowledge in cellular authentication. Investigated are the authentication architectures of three generation of cellular networks and the interworking between them. This is followed by an assessment of the main weaknesses affecting UMTS networks and finally concluding with a critical review of existing research in this area. Chapter 3 describes the research methods employed. This will cover what methods were chosen and the rationale behind them. Chapter 4 covers data acquisition. The chapter starts by an analysis of the results of the online questionnaire detailed in chapter 3. This is followed by the development of a prototype to address the issues highlighted in chapter 2. The chapter concludes by describing the implementation of the prototype design in java. Chapter 5 covers data analysis and results. This chapter follows on directly from chapter 4. The prototype developed will undergo a series of tests based on the weaknesses highlighted in chapter 2. The chapter will close with an analysis of the results generated. 7

20 Chapter 6 discusses the conclusions reached and whether the research question(s) have been successfully answered. This will be followed by recommendations for future research. The dissertation closes with a project review. 8

21 Chapter 2 Literature Review This chapter will review the current body of knowledge in cellular authentication. This will begin by reviewing the current architectures as specified by the standards bodies such as the GSM association and 3GPP. The focus will then move on to the weaknesses that have resulted in the need for this research. Finally there will be a review of other research in this area and why the problem still needs to be addressed 2.1 AKA in Cellular Networks GSM AKA Although this dissertation intends to focus on UMTS security, a review of GSM is necessary because this is known to compromise UMTS security (Meyer, 2006). A further reason is that interworking is a requirement of UMTS and also part of the primary research question. The architecture of a typical GSM is shown in figure 2.1 (Aura, 2009). Although the access network in the diagram is shown as the BSC and BTS. In reality it extends from the border of the MSC through to the Mobile Station (MS). In the diagram the encryption is only applied between the MS and BTS. 9

22 MS BTS BSC MSC/VLR GMSC Radio Access Network Core Network Circuit Switched HLR/AuC SGSN GGSN Core Network Packet Switched Figure 2.1: Simplified GSM Architecture adapted from (Aura, 2009) SIM Card SRES Ki A3 A8 RAND. Kc Frame No A5 X Ciphered Text Plain Text Figure 2.2: GSM Algorithms inside the Mobile Phone (Arreymbi, 2006) 10

23 The diagram in figure 2.2 (Arreymbi, 2006) shows the algorithm locations inside a typical mobile phone and how they link together. On the network side A3/A8 reside with Ki in the Authentication Centre (AuC). The A5 algorithm is located in the BTS. What this does show is the effect of having these algorithms compromised. If the A3/A8 algorithms are compromised, the SIM would need replacing. If A5 algorithm is compromised this would result in the replacement of the mobile itself. The A5 algorithm has a number of versions. These are described in a number of texts (Bocan and Cretu, 2006). A5/1 is the main encryption algorithm and has been subjected to many attacks over the years (Barkan et al, 2006) and (Schneier, 2008). The key size in GSM is a weakness as it is only 64 bits and 10 of those are 0 leaving an effective size of 54. This is one of the reasons why access to LTE networks will not be allowed for a GSM SIM (3GPP TS , 2009). NSA (NSA, 2009) specifies a minimum key size of 128 bits for secret and 256 bits for top secret. The GSM authentication protocol is illustrated in figure 2.3. The VLR uses the IMSI or TMSI to request a number of triplets (Quirke, 2004) from the user s HLR/AuC. More than one set of vectors (triplets) are ordered for two reasons. The first is to prevent repeat signalling between the VLR and AuC. The second is to allow for the link between the two to go down. In the event that the system is still not operational when the vectors have all been used, the system will allow an existing vector to be used. This is a serious security threat as it allows a compromised vector to be used. 11

24 MS BTS BSC MSC/VLR HLR/AuC Request for a Channel Channel allocation TMSI Identity Request IMSI IMSI RAND (RAND, SRES, Kc) Triplets SRES =? No Access Cipher Mode Kc (Sent to BTS) Yes Allocation of TMSI Figure 2.3: Authentication process in GSM adapted from (Quirke, 2004) 12

25 If the SRES calculated by mobile matches the value calculated by the AuC, the user is allowed access to the network. At this point Kc is sent to the BTS and the BTS instructs the mobile to turn on ciphering. Once ciphering has been set a TMSI is allocated, which protects the user confidentiality. The collection of RAND/SRES pairs (Siddique and Amir, 2006) can be used to compromise security. The BTS controls the encryption, so a false base station could turn encryption off or use a weaker version. Other weaknesses are described in various texts (Bocan and Cretu, 2006) and (Aura, 2009) UMTS AKA When 3GPP started to work on the security requirements of UMTS networks, the main criteria was to keep the features that worked in GSM (SIM) and find solutions to weaknesses either real or perceived (Bais et al, 2006). The architecture of a UMTS network (figure 2.4) is similar that in figure 2.1. This is another requirement of UMTS is that it needs to be interoperable with GSM to aid migration (Howard, 2005) and (3GPP TS , 2009). The main difference is in the Radio Access Network (RAN). The GSM RAN is now referred to as GERAN and the UMTS is referred to as UTRAN. This diagram is the R99 release (Niemi and Nyberg, 2003), which is the first UMTS release. Subsequent releases introduce media gateways in release 4 (Kaaranen et al, 2005) and IP Multimedia System (IMS) in release 5 (Camarillo and García-Martín, 2008). The access network architecture remains unchanged and this is the focus of this dissertation. 13

26 MS BTS BSC 3G MSC 3G GMSC GERAN Network Core Network Circuit Switched HLR/AuC Node B RNC SGSN GGSN UE UTRAN Network Core Network Packet Switched Figure 2.4: Simplified R99 UMTS Architecture (Kaaranen et al, 2005) AMF RAND SQN K F1 F2 F3 F4 F5 MAC-A XRES CK IK AK Figure 2.5: Authentication Vectors in AuC (Niemi and Nyberg, 2003) 14

27 UE 3G MSC /VLR HLR/AuC Node B RNC Radio Resource Connection (RRC) Channel allocation TMSI Identity Request IMSI IMSI RAND, AUTN 5 AVs Check MAC / SQN XRES RES =? Yes No Access Cipher Mode CK, IK TMSI Allocation Figure 2.6: Authentication process in UMTS (3GPP TS , 2009) 15

28 The authentication algorithms (figure 2.5) are based on milenage (Niemi and Nyberg, 2003) a respected cryptography algorithm and details were published unlike GSM. MAC-A is used identify the Home Network (HN) as legitimate by the mobile. If MAC-A fails in the UE, the authentication is halted. AMF is usually set to 0000 in live networks (Mochizuki, 2006) so this does not influence result as intended. AK is provided and combined with SQN in an XOR operation so that users SQN can not be tracked. If SQN fails the freshness test a re-synchronisation is initiated by the UE. This process is described in 3GPP (3GPP TS , 2009). The process of encryption has also changed in UMTS (figure 2.7). F8 (based on kasumi) effectively replaces A5. Count-C Direction Bearer Length CK F8 Keystream Block Mask Plain Text X Ciphered Text Figure 2.7: Cipher Algorithm in UMTS (Kaarenen et al, 2006) 16

29 Integrity protection is provided in UMTS to protect vital signalling messages. The F9 algorithm is similar in structure to figure 2.7 (figure 2.8). XMAC-I and Fresh perform a similar function to MAC and SQN in AUTN. If the MAC values are not equal the command is unsuccessful. Table 2.1 shows a full list of algorithms used in UMTS, showing which algorithm each function uses RNC USIM Count-I Direction Count-I Direction Message Fresh Message Fresh IK IK IK F9 F9 IK XMAC-I MAC-I Figure 2.8: Integrity Algorithm in UMTS (Kreher and Rüderbusch 2006) Function Purpose/Usage O: Operator Specific S: Fully Stardardised f0 Random challenge generating function O f1 Network authentication function O-Milenage f1 * Resynchronisation message authentication function O-Milenage f2 User challenge-response authentication function O-Milenage f3 Cipher key derivation function O-Milenage f4 Integrity key derivation function O-Milenage f5 Anonymity key derivation function for normal operation O-Milenage f5 * Anonymity key derivation function for resynchronisation O-Milenage f8 UMTS encryption algorithm S-Kasumi f9 UMTS integrity algorithm S-Kasumi Table 2.1: Authentication and Encryption Algorithms used in UMTS (Koien, 2004) 17

30 2.1.3 LTE/SAE AKA Although LTE are currently in the planning stages, there are a number of reasons why research in this dissertation will be relevant. The main reason is that the UMTS AKA is to be used in these networks (3GPP TS , 2009). A second reason is the need for intersystem handover between LTE and UMTS. GERAN UTRAN GPRS Core SGSN PCRF Evolved Packet Core HSS IP SERVER Evolved RAN MME 3GPP SAE Non 3GPP WLAN 3GPP Figure 2.9: Network Architecture of LTE (3GPP TS , 2009) The architecture as illustrated in Figure 2.9 is proposed for LTE networks. The red in the diagram illustrates new elements or interfaces introduced by LTE. Key changes in the RAN are the removal of the RNCs. This functionality is now incorporated into the enode Bs and it is at this point that encryption occurs. Another major change from GSM/UMTS is the removal of the MSCs. These are circuit switched elements and LTE is an all packet switch network. 18

31 A GSM SIM or SIM application on UICC will not be allowed access to the eutran. The reason behind this is described in 3GPP (3GPP TS , 2009): LTE supports two key sizes, 128 and 256. This means R99 USIM cards will be able to gain access to the network. There are concerns (3GPP TS , 2009) that a key size of 128 may in future become vulnerable to developments in quantum computers. Unlike UMTS, LTE implements a key hierarchy as illustrated in figure Description of the keys can be found in 3GPP TS (3GPP TS , 2009) and (Agilent, 2009) 128 bit Ki AuC / USIM HSS / UE CK, IK SNID MME / UE K SN 256 bit 256 bit 256 or 128 bit enodeb K enb K NASenc K NASint K UPenc K RRCenc K RRCint 256 or 126 bit Figure 2.10: Key Hierarchy in LTE Networks (Meyer, 2009) 19

32 The authentication process in LTE is very similar to UMTS. There are a number of key differences. The first bit of AMF is set to 1, whereas in UMTS networks AMF is In LTE if this is not set to 1 authentication is rejected. This is why in the authentication process, the network type must be sent. This bit will also let the MS know what type of authentication is being carried out. In the authentication process only one AV is fetched from HSS. The authentication process in figure 2.11 has a number of new values GUTI (Globally Unique Temporary Id) replaces TMSI, which was only unique within the VLR. SNID and KSIame are used to enable a more efficient AKA when a Mobile is in its home environment. The rest of the process is the same as UMTS and as such will have some of same problems, as previously highlighted. LTE networks allow an unused AV to be sent from the SGSN to the MME. The network will not however allow this to be forwarded to another MME. 20

33 UE enode B MME HSS Radio Resource Connection (RRC) Channel allocation GUTI Identity Request IMSI IMSI, SNID, Network Type RAND, AUTN, KSIame 1 AV Check MAC / SQN RES =? XRES No Access yes Figure 2.11: Authentication method in a LTE network (3GPP TS , 2009). 21

34 2.2 Secure Handovers between GSM and UMTS As the background research highlighted, UMTS networks have stronger security features when compared to GSM. This can cause problems when handing over calls between them (Meyer and Wetzel, 2006). Interworking between GSM and UMTS is defined in 3GPP TS (3GPP TS , 2009) and the security aspects of secure handover in 3GPP TS (3GPP TS , 2009). As a result of the stronger security measures UMTS security should be provided where possible. A GSM VLR can only perform GSM authentication (see figure 2.12). 3G VLR 2G VLR 3G RAN 2G RAN 2G RAN Figure 2.12: Handover between GSM/UMTS (3GPP TS , 2009) It does not have the capability for UMTS authentication i.e. no mutual authentication. If a UMTS mobile is controlled by a GSM VLR, the HLR must apply a compression function on the data. SRES= C1(XRES) Kc = C2(CK) This is because UMTS are longer in length. If a GSM SIM in a dual mode handset roams into a UMTS site. Mutual authentication cannot be performed because a GSM 22

35 SIM does not possess that capability. It must however use cipher and integrity keys suitable for a UMTS network. These are generated from Kc CK= C3(Kc) IK= C4(Kc) 2.3 SIM Card Security SIM cards are introduced into mobile phones in GSM with the aim of reducing cloning. Initially this was very successful, however once the algorithm used in GSM (COMP-128) was reverse engineered (He, 2007), cloning a SIM was possible. Through doing this it was possible to determine Ki. Together with the IMSI this is all that is necessary to clone a SIM card. Initial methods of finding Ki were known as plain text attacks. This comprised of sending a number of RANDs. A figure of 2 17 RANDS would be enough to determine the Ki (Quirke, 2004). This test used repeated 2R attacks. Dejan Kaljevic used 2R, 3R, 4R, 5R attacks to reduce the amount to between 2 13 and 2 15 RANDs. This method depending upon the speed of the SIM could retrieve Ki within 1 hour (Quirke, 2004). There have been methods proposed to counter this (Elatec, 2007). To run COMP-128 RUN_GSM_ALGO is sent to the SIM. This generates a 12 byte output (SRES (4), Kc(8)). One prevention method is to limit the amount of times this command can be run, but this would limit the SIM life. Another is pattern recognition. When the command is run several times in a short space of time, send a wrong SRES back. An alternative method called a partitioning attack was developed by IBM (Brumley, 2004). This was based side channel attacks, which relies on leakage from the electronics on the SIM (Mayes, 2006). This takes the form of variations in leakage 23

36 current or electromagnetic radiation. This enabled carefully chosen RANDs to be used. This reduces the number of queries to as little as 8 (Brumley, 2004) SIMs now use either COMP-128v2 or v3. This at the moment appears to be safe from cloning (Brookson, 2005). The details are still not published so may yield future problems. If authentication is to be considered strong (Borghino, 2006), it must employ at least two-factor authentication. SIM alone is classed as one factor authentication. If SIM cloning is to be prevented in the future it may be necessary to move to two factor authentication. 2.4 Weaknesses in UMTS AKA Anonymity There are occasions when a user must send their identity (IMSI) to the network. This is sent in clear text and there are a number of devices on the market (Strobel, 2007), which can cache IMSIs. There are also certain locations where an IMSI is more likely to be transmitted, such as airports and tunnel exits. Sending IMSI in clear text compromises confidentiality and privacy as specified by 3GPP (3GPP TS , 2005) and this is an essential requirement of a range of applications including mobile voting (Barbeau and Robert, 2005). The reason the problem is present in the three generation of networks described can be explained by considering the conundrum posed by Thomas Aura (Aura, 2009). You have just got off an aircraft, how does the network know who you are? Any concealment would prevent the network identifying the user. 24

37 MCC MNC MSIN 3 bits 2-3 bits 9 10 bits MCC = Mobile Country Code (234 UK) MNC = Mobile Network Code (33 Orange) MSIN = Mobile Subscriber Identity Number Figure 2.13: IMSI Structure (3GPP TS , 2009) Figure 2.13 shows the structure of IMSI. It is this structure that makes the IMSI easy to identify through traffic analysis (Strobel, 2007). The MCC and MNC let the serving network know where the user s home network is. It is MSIN, which identifies a user and is only known by the home network. It is in MSIN where any identity concealment needs to be applied. There is research in this area and this is discussed in section Man-in-the-Middle Attack (MITM) Researchers Ulrike Meyer and Susanne Wetzel (Meyer and Wetzel, 2004) demonstrated how it was possible to perform a man in the middle attack on a UMTS network despite all the security features. This attack is performed in two phases. 25

38 Phase one involves obtaining the mobile s IMSI and TMSI. This is easily done in a GSM network as encryption can be turned off. The false mobile then tries to register with the genuine UMTS network using either the TMSI or IMSI just obtained. In response, the network then sends RAND and AUTN. The mobile disconnects when this is received. Phase two involves getting the genuine mobile to register with the false base station by sending the original the RAND and AUTN and getting it to calculate RES. The false station re-initiates an authentication request to the network. This time the false station has the correct RES. The AV will still be valid because it had no acknowledgement. This method has taken advantage of lack of encryption in authentication and backhaul with GSM Re-direction Attack There are three actors in the authentication process (3GPP TS , 2005). These are the user (mobile), the serving network (MSC) and the home network (HLR). In UMTS two of them are authenticated the user by XRES and the home network by XMAC-A. Only the serving network is not authenticated meaning an authentication vector can be used on any serving network leading to a redirection attack. This all changes in LTE networks, where the serving network id (SNID) is used in the authentication process. All the research projects below use a nonce or random number generated by the serving network in the encrypted data to prevent this kind of attack. 26

39 2.4.4 Denial of Service (DoS) Some DoS attacks are very difficult to stop such as those employing frequency jamming. These are not consider a major concern by 3GPP (3GPP TS , 2005) as they are very localised and considered not to be worth the effort by criminals. There is a need to prevent denial of service attacks when caused by architecture or protocols. The data in the authentication process is sent in clear and unprotected so vulnerable to denial of service attack. The SQN re-synchronisation process involves the both the serving network and home network in the process. A rogue station could continually send the user a used vector forcing it to resynchronise (Zhang and Fang, 2005). This would cause critical links to become overloaded. 2.5 Related Research Identity Concealment Identity concealment covers anonymity, privacy and confidentiality. It avoids a user being tracked by their IMSI. There are a number of research projects, which address solely this area rather than the authentication process as a whole. Perfect identity concealment (Barbeau and Robert, 2005) describes three possible solutions. Their one of choice uses an IMAN (International Mobile Anonymous Number). The IMAN is generated by hashing SQN, RAND and AK using MD5. A new IMAN is generated every authentication request. The disadvantage of this method is that there runs the risk of a collision with two identical IMANs. This results in another IMAN being generated, which ultimately affects performance. 27

40 There are also concerns about the security of hash functions based on MD5 (United States-Computer Emergency and Readiness Team, 2008). A solution along similar lines is Improved User Identity Confidentiality (IUIC) (Sattarzadeh et al, 2007). In this solution anonymous tickets are used to avoid sending the IMSI. The tickets are generated by an Anonymous Ticket Manager Module (ATMM). The ATMM is integrated into the AuC in the HLR. What is not indicated is whether the ATMM is a software or hardware implementation. The MS stores two tickets one for current use and one for future use. This method does have a number of disadvantages. As the ticket is used in generating the vector only one vector at a time is generated. This would result in increased network traffic if a user needs to authenticate regularly. This would not be a problem in a LTE network, which only generates one vector because of the key hierarchy. The method is quite wasteful of tickets. There is only need for one ticket, which could be replaced at the end of the authentication process. This results in three tickets being assigned to the mobile during authentication. There are several HLR/AuCs in a network, does each have an ATMM? How are they co-ordinated? Will they operate in a roaming environment? If the IMSIs are identified with a particular AuC, this could lead to a targeted DoS attack Mutual Authentication Sequence Numbers (SQN) were introduced into UMTS networks primarily to prevent replay attacks and in turn false base station attacks (3GPP TR , 2009). Sequence numbers have however introduced problems of their own. To 28

41 achieve synchronisation and re-synchronisation requires a lot of work (Lei et al, 2007). A case study of the Docomo network in Japan (Mochizuki, 2006) found due to the complexity, time and cost considerations an insufficient implementation was implemented. In this case a fixed value based on IMSI is used. This solution does not provide freshness, which is the key to defeating replay attacks. When SQN is implemented as 3GPP intended, weaknesses came to light (Meyer and Wetzel, 2004). As SQN in the MS has a lower value (previous SQN) and an upper limit (pre-determined), there is a limit to the value of SQN. This means if there is no acknowledgement from the MS, the same Authentication Vector (AV) is used again. This attack is described in more detail in the section There are researchers (Lei et al, 2007) who believe that the use of sequence numbers is a bad idea. There are a number of research projects aimed at improving mutual authentication and all avoid the use of sequence numbers. Involving the serving network (SN) in the authentication process is the key to preventing a redirection attack. AP-AKA (Zhang and Fang, 2005) includes the serving network identity and a random number generated by the serving network in the authentication process. The random number is also used to prevent a replay attack. This protocol distinguishes itself in the way it distinguishes between a home network authentication or a foreign authentication. Disadvantages are it uses vectors so causes bandwidth load and storage costs. VC-AKA (Lei et al, 2007) has a number of similarities with AP-AKA in how vectors are formed. The main difference is the use of vector combination. At the start of the process a number of vectors are loaded from the home network. When 29

42 these are used up it avoids fetching more by using combinations of the previous ones. This increases the storage costs in the serving networks and mobile, as is the case with AP-AKA. In addition the method of calculating XRES would make it incompatible with GSM. HH-AKA (Harn and Hsin, 2003) is the first method covered not to use vectors. In place of vectors HH-AKA uses hash chaining and hash MAC (HMAC). The disadvantage with using this method is twofold. Firstly the hash is a one time function, which means there will come a point where the chain will end. The second problem is that the hashes are based on MD5. This has been compromised and there are recommendations against its continued use (United States-Computer Emergency and Readiness Team, 2008). This method would also lack compatibility with GSM. In X-AKA (Huang and Li, 2005), the initial authentication does not prevent a redirection attack, because it is based on an encrypted timestamp. The timestamp itself is generated by the mobile. This may pose a number of problems (Lei et al, 2007) because of the accuracy of the time. This raises the question as to whether the user would ever get authenticated. X-AKA s main contribution is in reducing bandwidth consumption between the home network and serving network. It does this by delegating the authentication process to the serving network. This is achieved through the use of a Temporary Key (TK) to replace Ki. The values of XRES (XSES in this case), CK and IK are all generated off TK. Once again this is lacking in compatibility with GSM. 30

43 The final protocol to look at is called Perfect Forward Secrecy (Kim et al, 2007). This has much in common with X-AKA in bandwidth reduction processes and the means of generating a timestamp. Unlike other methods this protocol provides anonymity protection. This is achieved through continually encrypting the current IMSI. This is also the only method to use public key cryptography. The authors cite Kambourakis et al (Kambourkis et al, 2004) in saying that mobiles now have the processing power to use public key. The same document also states the reason public key was not adopted by 3GPP was also down to performance and lack of compatibility with GSM. 2.6 Summary The chapter started with a review of current cellular security and discussed the weaknesses still present. The chapter concluded with a review of other research in this area. Of the protocols reviewed, only AP-AKA can satisfy compatibility with GSM, which is part of the primary research question. AP-AKA would not satisfy any of the secondary research questions. PFS is the only protocol to provide user anonymity. The one area that stands out above others is the lack of compatibility with GSM. This is a fundamental requirement, which could suggest the protocols are developed in isolation from the real systems in which they would be expected to work. 31

44 Chapter 3 Research Methods The literature review carried out in chapter two will provide the most valuable source of information for addressing the research questions. This however is not sufficient to generate all the information required. Data will need to be collected through primary research methods. The aim of this chapter is to discuss the research methods employed in the dissertation and the reason for employing them. 3.1 Case Study Critics of case studies complain of too narrow a focus (Bell, 2008), which may not be transferable to other areas. Using a case study would be appropriate because the weaknesses identified in one network would be applicable to another. This is because the 3GPP specifies architecture and protocols for UMTS networks. Although operators have freedom in implementation it is unlikely these will differ significantly and any research findings could be equally valid in another network. The use of a case study has previously been used in cellular security. Yujiro Mochizuki (Mochizuki, 2006) used a case study as his main research method. This focused on the differences between the UMTS network of Docomo in Japan and that specified by the 3GPP. The part of the research question that the dissertation answers is related to network architecture. The primary research question, questions whether the authentication can be made more secure without altering the existing architecture. This is influenced by what architecture is in place already. The research projects covered in the literature review do not consider this and appear to be developed in isolation. 32

45 There are two uses of case study described (Bell, 2008). The first is as the main research method and thus the basis of the dissertation. The second is to put flesh on the bones of the research. The case study used in this dissertation is of the latter type. Its main purpose is to ensure that the protocol could be implemented in a live network. The network used as the basis for the case study is the Orange network. It is an assumption as discussed above that other networks will be of the same architecture. The changes in the equipment would be more related to the manufacturer rather than operator. 3.2 Development of a Prototype Prototypes are a means for demonstrating that something can be made to work (The Open University, 2007). This method is chosen in a number of projects in mobile security (Lunde and Wangensteen, 2006). This method is entirely appropriate for this type of dissertation as the as the aim is to develop a more secure framework for cellular access networks. There is a need to perform testing to show that new protocols do stop a particular threat and also achieve coherence. How will this be achieved? This method will be completed in three distinct stages. These stages are (a) Design (b) Implementation (c) Testing Design Phase The other research methods described in this chapter will all feed in to the design of the protocol and will need to interact with each other. The aim of this stage is 33

46 to address both the primary question and the secondary questions. The framework will be developed using techniques from UML (Fowler, 2003) and UMLsec (Jürjens, 2005), such as sequence and class diagrams. UML is a respected modelling language for security design used in a number of security dissertations (Lloyd, 2008) and (Lunde and Wangensteen, 2006) Implementation Phase With the design phase complete, there is a need to convert the design into an implementation in software for testing. There are a number of network simulation products on the market that are used in the research departments of many universities. These include OPNET IT Guru, NS2, Matlab and packet tracer. Packet Tracer is the only one of the packages that I have used before. This is developed by Cisco to build and test router networks and as such not suitable for use in this dissertation. Of the other packages all would have required additional training on how to use them without any guarantee that they would be suitable for task in hand. Some of these also cost a deal of money to purchase. The decision is therefore taken to build the design using Java. Java s client-server architecture can be used to simulate the exchange of protocols between the MS and SN. Java also has a number of cryptography packages (Hook, 2005). Building a simulation package using Java has been implemented before by Lars Lunde and Audun Wangensteen (Lunde and Wangensteen, 2006) with Generic SIM Authentication System (GAS). The advantage of using Java is that it avoids having to force the simulation package to fit the design or compromise the design to fit the package. 34

47 3.2.3 Testing Phase The testing phase, which will ultimately answer the research question, is split into three distinct parts. The first part will assess the prototype in dealing with the weaknesses highlighted in the literature review. The testing will be of the controlled experiment type (Rugg and Petre, 2007). This is where selected data is changed to simulate a threat. The tests carried out are to verify that the protocol can eliminate a particular threat. The tests are discussed in more detail in chapter five. The second part will assess compatibility of the new prototype. This will include interworking with GSM, suitability for LTE networks and suitability for roaming environments The third part will assess the prototype in comparison with other prototypes covered in the literature review. 3.3 Questionnaire One of the secondary research questions (section 1.4), considered the use of twofactor authentication. There are generally three factors in authentication (Kemshall and Underwood, 2007). (a) Something you have (token) (b) Something you are (biometrics) (c) Something you know (password) Something you have is a SIM card. This means any second factor would have to 35

48 involve the user. A survey was carried out to find out what second factor users would want on their mobile. Questionnaires have been used before in cellular security (Clarke, 2006) and more specifically for authentication. In the survey undertaken by Clarke, participants said that they did not use a PIN because their phone was never off. This is how the PIN works, it only asks for the number when it is powered up. Desktops have an auto locking feature, which locks the computer after a period of inactivity. This would improve the security of mobiles, but would users want it? 3GPP (3GPP TS , 2009) specify a delay of 15 seconds maximum, but would users accept a longer delay if it improved security? These represent three questions that a questionnaire would be a suitable vehicle to answer. As well as answering the questions that are linked to the research questions, a questionnaire gives the opportunity to find a users experience of cellular security. Most of the weaknesses highlighted in the problem overview are as a result of research in universities. There is no evidence that weaknesses have been exploited on a live network. This lead (Howard, 2005) to the conclusion that many of the weaknesses have been overplayed. According to recent reports (Publictechnology, 2009) there are now over 76 million mobile phone connections in a population of approximately 60 million. If there was a serious problem it would have come to light, but what are individual experiences of security? Seven methods of sampling are described (Biggam, 2008). The questionnaire is based on convenience sampling. This is because the sample has been drawn from family, friends, work colleagues and social groups. As such the sample can not be classed as 36

49 random and therefore representative of the population as a whole. There are an estimated four billion (Design Council, 2009) subscribers in the world. One percent of this would be 40 million. This is clearly out of the scope of this dissertation. The questionnaire above (Clarke, 2006) attracted 189 participants. This questionnaire attracted 64 participants, which is roughly a third of the Clarke survey. The questionnaire (Appendix B) explained the purpose of the research and assured the participant of confidentiality along with ethic guidelines (Bell, 2008). No question asked was unethical in nature and worded where possible in a non technical way. To ensure this, the questionnaire was piloted before general release using non technical participants. The questions themselves will be one of four types (Rugg and Petre, 2007) (a) Open (simple) (b) Closed (simple) (c) Using a Likert scale (d) Multiple choice Closed questions in each case were followed by open questions depending upon the answer given. This was to gain further details on any experiences. The questionnaire asked for the persons name so that questions can be followed up but this was not made compulsory if the person wished to withhold their name. The questionnaire was carried out online using the services of 37

50 Chapter 4 Data Acquisition 4.1 Questionnaire Results The survey (appendix B) was conducted to find user attitudes to mobile security. The questions were split into distinct parts. Questions one to five were designed to generate a profile of the user. This was to assess if attitudes varied according to gender, age or whether they were from a technical background. It was hoped that there would be an even split between the genders and technical ability. The full results are presented in appendix C. The technical / non-technical produced a 50:50 split and the male/female produced a 45:55 split. In having an equal split helps reduce bias by focusing on one particular group, whose views could be skewed. Questions six to fourteen focus on user attitudes and experiences of mobile security. The concerns related to mobile security again followed a bell curve shape with a slight shift to not being concerned about it. Only two participants have experienced problems with fraud. One had a phone ordered in a partners name but sent to a different address. This is generally referred as a subscription fraud. The other was billed for calls to a European location. This is similar to the Japanese girl described by Yujiro Mochizuki (Mochizuki, 2006) who suffered from a billing fraud with Docomo. Seven participants reported a lost or stolen phone. The time it was taken to spot the loss ranged from a couple of minutes to 24 hours. None of them experienced any misuse of their phones whilst lost but 24 hours left a lot of time. The majority of participants (87%) had used their phones abroad. This would illustrate the need to ensure security in roaming environments. The use of Bluetooth produced a near 3:1 split in the male participants and a near 50:50 split in female participants. Of those 38

51 that use Bluetooth only a third leaves it on all the time. Leaving Bluetooth on all the time increases the risk of a number of attacks (Sapronov, 2006).There is exactly a 2:1 between those that do not use a PIN and those that do. This directly contrasts with research at Plymouth University (Clarke, 2006), which found two thirds used a PIN. The remaining questions focused on features they would like in future mobiles in relation to security. The 3GPP (3GPP TS , 2009) specify a maximum delay of 15 seconds. The majority of the sample (67%) did not want an authentication delay longer than 15 seconds. This would push against using public key encryption in the authentication. One participant responded with the reply depends what the benefits are? Another commented that is smart phone took well over a minute to load before he could use it in any case. This question was designed to find if users would back a longer limit than 3GPP. The result is that they agree with the limit. As previously discussed it is necessary to have at least two factor authentication, for a system to be secure. The second factor would be something you know (password, PIN) or something you are (biometrics). More than 50% wanted chip and PIN possibly because of the success of this in banking. Of the remainder the split was nearly 50:50 between biometrics and passwords. Comment made by one of the participants stressed the cost and the problem in selling the phone on, when asked about biometrics. One other who selected chip and PIN did comment that biometrics looked more secure but did not want it. Interestingly 67% of participants that selected chip and PIN do not use the PIN they already have. 72% of participants would like to see an auto lock feature, which locks the phone after a period of inactivity. As well as the security improvement it also helps reduce false calls. As this dissertation has indicated there are many weaknesses in the network. Mochizuki (Mochizuki, 2006) illustrated a 39

52 number of weaknesses due to insufficient implementation. The survey tried to determine that if one of these weaknesses was exploited but quickly fixed, would this affect the usage of their phone. The good news for operators is that 50% would carry on as normal. The bad news is 50% would alter their calling habits to some extent thereby reducing revenue. The final question in the survey assessed whether users were prepared to use security critical applications. The results contrast sharply with question six. The results show that females are far more negative towards the applications than males with the exception of polling where both are equally negative. Females are especially negative towards financial applications. 4.2 Prototype Design The protocol design described here is developed to enable the radio access networks of cellular operators to be more secure. The following assumptions therefore need to be made. All core home network elements are assumed to be secure. This includes MSC, HLR and SLR The serving network core elements are secure. This would just be the MSC in a serving network. The links between core network elements are secure and the links between serving and home networks are also secure. The cryptographic algorithms Kasumi and Milenage are secure 40

53 4.2.1 Two Factor Authentication One of the secondary questions posed was can two factor authentication improve security in UMTS networks?. Bruce Schneier (Schneier, 2005) argued that two factor authentication would not make any difference because the nature of attacks such as man-in-the-middle attacks could compromise two factor authentication as well as one factor. The literature review however described how user s details could be cloned through SIM cloning kits or by a partitioning attack. Both methods required access to the subscriber SIM. A further fraud which requires no additional equipment is SIM swapping. As the questionnaire illustrated many people do not protect their phone with a PIN. This means if the phone is left unattended the SIM cards can be swapped enabling calls to be made at the victims expense. This is less likely to be spotted than other forms of mobile theft. This illustrates that two factor authentication would improve security. The questionnaire found chip and PIN to be the most popular method of second factor authentication. To achieve this, the secret key Ki is to split into two parts the main part as now will be kept on the SIM card. The second part is the user PIN number. The PIN will be a 4 digit decimal number as used by banks. The main part will be adjusted so the total length will remain at 128 bits. When the phone is powered up the user will be required to enter their PIN. The use case for this is shown in figure

54 <<include>> Generate MACsn <<include>> Get data from Serving Network Get Secure Key <<extend>> <<extend>> User PIN Memory PIN Figure 4.1: Use case diagram for the generation of MACsn in the USIM MACsn is used in the authentication phase, which will be described in the next section. When the phone is first powered up the user will be requested to enter their PIN. If the authentication is successful the PIN is stored in volatile memory. Volatile memory is where all data is lost when power is removed. As most phone designs have the SIM behind the battery, the battery will need removing to remove the SIM. As volatile memory is used the PIN will need re-entering if the SIM is taken out for whatever reason. The <<extend>> notation in the diagram is a UML (Fowler, 2003) stereotype to signify that the PIN will be obtained from the user or memory. The reason for storing the PIN in memory is twofold. Firstly to enable continuity of service, this would be affected by a car driver going through a no coverage zone or tunnel. If the PIN is in memory it will be obtained from there first. The second reason is so that the PIN can be used as it is now, a means of locking the phone. The PIN inputted can be checked with the value stored memory. 42

55 In the questionnaire 72% of participants wanted automatic locking of the mobile as in desktop computers. The PIN would be used to unlock it again. The phone would still be able to receive incoming calls whilst locked Full Network Authentication The main protocol builds upon the research undertaken in Providing Perfect Forward Secrecy AKA (PFS-AKA) (Kim et al, 2007) and X-AKA (Huang and Li, 2005). MACsn (Figure 4.1) is generated in a manner similar to PFS-AKA. The main criticism of using timestamps (Lei et al, 2007) is that the time could vary widely between different users for a variety of reasons. This would result in either having a range of acceptable timestamps so wide it would be ineffective or the possibility that the mobile is unable to access the network. A more effective solution would be to use the serving network to generate the timestamp. The advantages of this are that the MSC contains charging units for generating billing files. This means the time must be extremely accurate to ensure against over billing and this is regulated by ofcom in the UK. The time is generated off an atomic clock and is automatically adjusted for drift. This contrasts with the time in the phone, which is set by the user. The RANDs is also generated by the serving network as opposed to the phone in other methods. The advantage of doing this is to remove some of the processing from the phone, which is limited in processing capabilities compared to the serving network. A second advantage is that as the RANDs, timestamp and Serving Network ID (SNID) are appended to the phone data, it removes the possibility of tampering with these parameters. In PFS it is stated that a replay attack can be 43

56 prevented by the timestamp or nonce in the MAC. As mentioned above if the timestamp check has a wide range of acceptable values a replay attack could be launched, which would not be detected by MAC or timestamp. In this prototype the timestamp would prevent a replay attack because it is sent from the serving network and not open to manipulation on the air interface. In a roaming network the timestamp could be adjusted for time zone differences by using the country code in SNID. The MACsn would also reject the request for the same reason. In UMTS AKA both freshness and mutual authentication are achieved by using sequence numbers (SQN). As discussed in the literature review sequence numbers have a number of weaknesses. Most solutions to weaknesses in the UMTS authentication process avoid sequence numbers and subsequent re-synchronisation procedures. This protocol uses the timestamp as already discussed to achieve freshness. To achieve mutual authentication an authorisation code is used. This is a technique used by UK banks for authorising online customers. In the prototype, the authorisation key (128 bit) will be stored in the USIM and AuC. The phone will generate four random numbers between 1 and 32. The numbers can appear in any order but no number will appear more than once. These random numbers form the authorisation code. This code is included in the message sent to the serving network (figure 4.1). Only the positions are sent the data itself is never sent. In this way the phone controls its own mutual authentication without the need for resynchronisation. This is one of the secondary research questions posed. The data from these positions together with the timestamp replace SQN and AMF. AMF in live networks (Mujizoko, 2006) is set to The only use of the data is the least significant bit is set to 1 in LTE networks. As this data does not contribute to the 44

57 authentication process it has been replaced. The remainder of the authentication process remains as in UMTS authentication protocol. In particular keeping IK and CK as in UMTS AKA aids inter working with GSM as described in section 2.5. In addition no weaknesses have been highlighted using these parameters. The new authentication vectors are illustrated in figure 4.2. The sequence diagram is illustrated in figure 4.3 RANDh AuData NV Ki F1 F2 F3 F4 F5 XMACh XRES CK IK XMACsn Key NV = Network Verification = Authorisation Code Timestamp AuData = Authorisation Data = Timestamp SNID RANDs IMSI Figure 4.2: Prototype Authentication Vectors 45

58 MS MSC SLR HLR RRC Request (M1) (Ts :: Snid :: RANDs) (M2) (MACsn :: IMSI :: AuthCode :: AuthType) (M3) IMSI (M4) (HLRID:: IMSI :: nimsi) (M5) (MACsn :: IMSI :: AuthCode :: RANDs :: Ts :: Snid) (M6) Check Validity of Timestamp Authentication Rejected No MACsn Equal? Yes Generate AV AV = (RANDh :: MACh :: CK :: IK :: XRES) (M7) (RANDh :: MACh) (M8) Check MACh Generate XRES XRES (M9) Authentication Rejected XRES Equal? ck{ TMSI :: nimsi ) (M10) Figure 4.3: Full Network Authentication Sequence Diagram 46

59 4.2.3 Local Network Authentication The literature review describes how bandwidth consumption can be reduced (Huang and Li, 2005) by delegating subsequent authentications to the serving network. This forms the basis for the local network authentication. The requirement is to generate a temporary secret key (TK) to replace Ki. To ensure this is key is unique and related to the subscriber it needs to have been generated from Ki. The protocols that employ this technique create Tks from a new function in the HLR/AuC and append it to the Authentication Vector (AV). The solution used in this prototype is to create Tks in the MSC by XORing CK and IK. This has the advantage of reducing the bandwidth consumption as compared to other methods but also avoids having to add a new key generating function in the HLR/AuC. This is not too dissimilar to LTE networks where CK and IK are concatenated to form Ksn (figure 2.10). The main change that needs to occur in this model is the VLRs need to be upgraded to provide security functionality. The sequence diagram for the local network authentication is the same as the home network authentication except the HLR functionality is carried out by the serving network. The main difference affects the authentication code. The authentication key like Ki should not leave the home environment. The solution is to select four random numbers from the temporary key. The other change involves the random numbers. In the home network authentication, RANDs is generated by the serving network and used to generate MACsn. The HLR generates a random number RANDh for its challenge. In this case there is no need for the serving network to generate two random numbers, so RANDs will be used throughout. 47

60 To limit the use of the temporary key a validation period is used by both PFS-AKA and X-AKA. The solution here is to use a counter maintained by the mobile phone. Arbitrarily the count value is set to five to match the number of AVs sent from the HLR/AuC to the serving network in UMTS (3GPP TS , 2009). The counter is maintained by the mobile phone to strengthen the two factor authentication. If the count is set to zero a full network authentication is carried out indicated to the network by AuthType being set to zero. If the count is non zero the AuthType is set to one and a local network authentication is carried out. Once the counter reaches five it is reset to zero. If the mobile phone is turned off and back on again the counter is reset to zero. This is to prevent SIM swapping Anonymity The final secondary research question posed was Is it possible to provide a solution where the user s anonymity is preserved? The literature review covered a number of different methods of achieving user anonymity. The method employed is based on IUIC (Sattarzadeh et al, 2007). This method as all the others covered relies on the HLR/AuC to generate the new IMSI. This does not account for the way live networks operate. In the early days of the Orange network the first two digits of the MSIN part of IMSI (figure 2.13) indicated the subscriber HLR. This then bound the user to the HLR. This changed to allow the subscriber to move around to balance loads between the HLRs. To achieve this, a Service Location Register (SLR) is used as a network look up. When an IMSI arrives at the MSC in the users home network, the IMSI is sent to the SLR. This is where any allocation of anonymous IMSIs needs to be based. 48

61 SLR SLR MSC MSC HLR HLR (a) M801 Protocol (b) Other protocols Figure 4.4: IMSI Updates between Core Network Elements Figure 4.4 illustrates the difference in using the SLR to generate a new IMSI. This halves the number of signalling messages and more importantly removes the need for signalling between the MSC and HLR. The adjustment to the SLR is to create a table of unused IMSIs. The MSIN is ten digits long in the Orange network. This leaves a possibility for ten billion IMSIs. When an IMSI is allocated to a user on a temporary or permanent basis it is removed from the available list. If it is temporary it will be added back to the list later. Figure 4.4 shows the interaction between the MSC and SLR. This increases the amount of information between the two when compared to UMTS, but involves less overhead than other methods. The users permanent IMSI is always used in MACsn and in communication to the HLR. This avoids making changes to the HLR. 4.3 Prototype Implementation As detailed in section 3.4 an implementation of the prototype is to be produced using java s client server architecture. The prototype will be built using the netbeans IDE platform. The classes provided (Appendix E) simulate the components of a 49

62 cellular network. The client side comprises of the mobile phone class and SIM card class. The mobile phone class implements a GUI interface using java.awt.* (figure 4.5) to enable user interaction. Pressing the start button simulates a full authentication and the process this goes through is illustrated in the flow diagram (figure 4.6). Figure 4.5: Prototype GUI Interface 50