A Review on Security Analysis of Satellite Phones

Transcription

1 A Review on Security Analysis of Satellite Phones Mr. Mayur B. Kachare 1, Dr. Umesh S. Bhadade 2 1 ME-I st (Digital Electronics), 2 Prof. and Head of Electronics and Telecommunication Department 12 S.S.B.Ts C.O.E.T. Bambhori, Jalgaon, North Maharashtra University, Jalgaon , Maharashtra (India) Abstract There is lots of work related to the security of cellular phones with respect to GSM and UMTS. But as per the survey there is not a proper investigation related to the security aspects of satellite phones. Security plays an important role for satellite phones because of their application domains which are sensitive in nature (e.g., natural disaster areas or military areas). In this paper, the encryption systems used in two existing satellite phones standards, GMR-1 and GMR-2 are analysed. In result of this survey leads to the fact that the GMR-1 cipher can be considered a proprietary variant of the GSM A5/2 algorithm, whereas GMR-2 cipher is a new design. The stream ciphers of two existing satellite phones systems are weaker than what is state-of- the-art in symmetric cryptography. Keywords Cryptanalysis, Geostationary Earth Orbit (GEO) mobile radio interface (abbr. GMR), GSM, Linear shift feedback register (abbr. LFSR), Mobile security, Satellite phones (abbr. Satphones) I. INTRODUCTION Cellular is one of the fastest growing and most demanding telecommunications applications. Today, it represents a continuously increasing percentage of all new telephone subscriptions around the world. Currently there are more than 50 million cellular subscribers worldwide. It is forecasted that cellular systems using a digital technology will become the universal method of telecommunications. The concept of cellular service is the use of low-power transmitters where frequencies can be reused within a geographic area. Throughout the evolution of cellular telecommunications, various systems have been developed without the benefit of standardized specifications. This presented many problems directly related to compatibility, especially with the development of digital radio technology. Hence, a system with high capacity, high transmission quality with total mobility was developed known as Global system for mobile communication (GSM). In cellular phones, each mobile uses a separate, temporary radio channel to talk to the cell site. The cell site talks to many mobiles at once, using one channel per mobile. Channels use a pair of frequencies for communication i.e. forward link and reverse link. Radio energy always lost over distance, so mobile must stay near to the cell site or base station. However, it is not always practically possible to be close to a cell site and there are many areas where no coverage is possible like workers on an oil rig or on board of a ship, researchers on a field trip in a desert or near the poles, people living in remote areas or areas that are affected by a natural disaster, or certain military and governmental systems. To overcome this limitation, satellite telecommunication systems were introduced that provide telephony and data services based on telecommunications satellites. In such systems, the mobile handset (typically called satellite phone) communicates directly with satellites in orbit and thus coverage can be provided without the need of an infrastructure on the Earth s surface. II. BACKGROUND At this point, there are two satphone standards that were both developed in the past few years: 1. Geostationary Earth Orbit (GEO) Mobile Radio Interface (GMR-1) is a family of ETSI standards that were derived from the terrestrial cellular standard GSM. In fact, the specifications of GMR are an extension of the GSM standard, where certain aspects of the specification are adjusted for satphone settings [1]. 2. The GMR-2 family is also an ETSI standard that is even closer to GSM. It deviates from the GMR-1 specifications in numerous ways ISSN: Page 153

2 Fig. 3 Layout of a geostationary orbit telephone network [9] Fig. 1 The Thuraya SO-2510 phone [1] Fig. 2 The Inmarsat IsatPhone Pro [1] [1]; most notably the network architecture is different. There are two popular satellite phones that represent typical handsets: 1. The Thuraya SO-2510 phone implements the GMR-1 standard. It was released in November 2006 and one of the most popular handsets sold by Thuraya shown in Fig The Inmarsat IsatPhone Pro implements the GMR- 2 standard and supports functions such as voice telephony and text/ messaging. It was introduced in June 2010 by Inmarsat as shown in Fig. 2. Here is the necessary background information to understand the basics of satellite telephone systems, and the architecture of the mobile handsets. A. Satellite Telecommunication system A geostationary orbit telephone network consists of a set of satellites and terrestrial gateway/control stations, as depicted in Fig. 3 [9]. Gateway stations provide the connectivity to any tethered networks, e.g., telephone calls to a landline are forwarded to the public switched telephone network (PSTN). Satellite operators also run additional control facilities for maintenance and configuration purposes. Both types of transmissions employ conventional wavelength (C-Band) signals. Each satellite serves a specific region, with each region being further subdivided by several spot beams. This mainly allows transferring multiple signals from different regions on equal frequencies. The system uses long wavelength transmission (L-Band) for spotbeams. B. Satellite Telephone Architecture In general, the architecture of satellite phones is similar to the architecture of cellular phones [11]. Both types of phones have to perform a lot of signal processing due to speech processing and wireless communication, thus they typically ship with a dedicated digital signal processor (DSP) for such purposes. DSPs are also suitable for executing cryptographic algorithms, which makes DSP code a prime candidate for holding GMR cipher code. The core of the phone is a standard microprocessor (usually an ARM-based CPU) that serves as the central control unit within the system. This CPU initializes the DSP during the boot process. Furthermore, both processors share at least parts of the main memory or other peripheral devices to provide inter-processor communication. Satellite telecommunication systems are related to terrestrial cellular systems, the GMR-1 standard ISSN: Page 154

3 is for example derived from the GSM standard. Briceno et al. published in 1999 the implementation of the GSM A5/1 and A5/2 algorithms, which they apparently obtained by reverse engineering an actual GSM handset [12].There has been lots of work on the security analysis of the ciphers used within GSM [13] [21]. A5-GMR-1 is related to the A5/2 algorithm used within GSM, but the configuration of the cipher is different. III. SECURITY ANALYSIS OF GMR-1 A satphone Thuraya SO-2510 was used as an example of GMR-1 standard by investigators. The inventors didn t analyze any other GMR-1 satellite phone, but since the protocol is standardized they were confident that this analysis results apply to all other GMR-1 phones as well. A. Hardware The Thuraya SO-2510 runs on a Texas Instruments OMAP 1510 platform. The core of the platform is an ARM CPU along with a TI C55x DSP processor. This information can be taken from corresponding strings in the binary and from pictures of the actual components soldered on the circuit board [22]. Fig. 4 shows a high-level overview of the architecture.the DSP code can be located in either the on-chip SARAM (which holds 96 KB of memory) or in the SRAM, which is accessed through the memory interface controller (MIC). The official OMAP1510 documents suggest predefined memory regions to be used by the ARM-MMU for mapping this memory area [22]. Since GMR-1 is derived from GSM so, the cipher algorithm employed in GMR-1 bears at least some resemblance to the A5/2 cipher from GSM. Due to the nature of this algorithm (e.g., the presence of feedback shift registers), the cipher code is bound to contain a lot of bit shift and XOR operations. Hence, an analysis tool within IDA Pro was implemented that counts the occurrences of such instructions in each function and sets them in relation to the total number of instructions in the function. Similar ideas Fig. 4 The OMAP1510 [22] to spot cryptographic terms are found in the literature [2] [4]. B. Structure of the Ciphers The over-the-air privacy of GSM telephone conversations is protected by the A5 stream cipher. This algorithm has two main variants: The stronger A5/1 version is used by about 130 million customers in Europe, while the weaker A5/2 version is used by another 100 million customers in other markets. The approximate design of A5/1 was leaked in 1994, and the exact design of both A5/1 and A5/2 was reverse engineered by Briceno from an actual GSM telephone in 1999 [12]. 1) A5/1 Stream Cipher: A GSM conversation is sent as a sequence of frames every 4.6 millisecond. Each frame contains 114 bits representing the digitized A to B communication, and 114 bits representing the digitized B to A communication. Each conversation can be encrypted by a new session key K. For each frame, K is mixed with a publicly known frame counter Fn, and the result serves as the initial state of a generator which produces 228 pseudo random bits. These bits are XOR'ed by the two parties with the bits of the plaintext to produce the bits of the ciphertext. A5/1 is built from three short linear feedback shift registers (LFSR) of lengths 19, 22, and 23 bits, which are denoted by R1; R2 and R3 respectively. The rightmost bit in each register is labelled as bit zero. ISSN: Page 155

4 Fig. 5 A5/1 Stream Cipher [15] The taps of R1 are at bit positions 13, 16, 17, 18; the taps of R2 are at bit positions 20, 21; and the taps of R3 are at bit positions 7, 20, 21, 22 shown Fig. 5 [15]. When a register is clocked, its taps are XOR ed together, and the result is stored in the rightmost bit of the left-shifted register. The three registers are maximal length LFSR's with periods , , and , respectively. They are clocked in a stop/go fashion using the following majority rule: Each register has a single clocking" tap (bit 8 for R1, bit 10 for R2, and bit 10 for R3); each clock cycle, the majority function of the clocking taps is calculated and only those registers whose clocking taps agree with the majority bit are actually clocked. At each step either two or three registers are clocked, and that each register moves with probability ¾ and stops with probability ¼ [16]. 2) A5/2 Stream Cipher: The operation of A5/2 cipher is similar to A5/2 only structural differences are there as shown in Fig. 6 [14]. 3) A5-GMR-1 Cipher: The cipher used in GMR-1 is a typical stream-cipher. Its design is a modification of the A5/2 cipher [14], [19], which is used in GSM networks. The cipher uses four linear feedback shift registers (LFSR) which are clocked irregularly named as R 1, R 2, R 3 and R 4 ; Fig. 7 [1] shows the schematic of the structure. Comparing A5/2 and A5-GMR-1; for most registers the feedback polynomials and also the selection of input taps for the non-linear majority function M with M: {0, 1} 3 {0, 1} x x 2 x 1 x 2 x 0 x 0 x 1 were changed, Table-I shows the details [1]. Also, the positions of the bits that are XOR ed with the respective outputs of the majority functions are different. For curious reasons, all feedbackpolynomials have five polynomials. TABLE I CONFIGURATIONS FOR THE LFSRS [1] Size Feedback Polynomial Taps Final R 1 19 x 19 +x 18 +x 17 +x ,6,15 11 R 2 22 x 22 +x 21 +x 17 +x ,8,14 1 R 3 23 x 23 +x 22 +x 19 +x ,15,19 0 R 4 17 x 17 +x 14 +x 13 +x ,6,15 - Fig. 6 A5/2 Stream Cipher [14] ISSN: Page 156

5 Fig. 7 A5-GMR-1 Cipher [1] Clocking single LFSR means evaluating its respective feedback polynomial and using the resulting bit to overwrite the leftmost position of the LFSR after shifting its current state by one bit to the right. When the cipher is clocked for the l-th time with irregular clocking active, the following happens: (1) The irregular clocking component C evaluates all taps of R 4, the remaining registers are clocked accordingly, i.e., a) Iff M (R 4,1, R 4,6, R 4,15 ) = R 4,15, register R 1 is clocked. b) Iff M (R 4,1, R 4,6, R 4,15 ) = R 4,6, register R 2 is clocked. c) Iff M (R 4,1, R 4,6, R 4,15 ) = R 4,1, register R 3 is clocked. (2) The taps of R 1, R 2, and R 3 are evaluated and one bit of keystream is output accordingly, i.e., Zl = M (R 1,1, R 1 6, R 1,15 ) M (R 2,3, R 2,8, R 2,14 ) M (R 3,4, R 4,15, R 3,19 ) R 1,11 R 2,1 R 3,0 is generated. (3) R 4 is clocked. A5-GMR-1 is operated in two modes, initialization and generation mode. Running the cipher in former mode includes setting the initial state of the cipher, which is done in the following way: 1) All four registers are set to zero. 2) A 64-bit initialization value I is computed by xor ing the 19-bit frame-number N and 64-bit key K in a certain way. However, the specific mapping is not relevant in the remainder. 3) I is clocked into all four registers, i.e., R 1 is clocked and one bit of I is xor ed with the feedback-bit, R 2 is clocked and xor ed with the same bit of I, etc. While doing this, no irregular clocking takes place, i.e., the taps of R 4 are not evaluated. 4) The least-significant bits of all four registers are set to 1, i.e., R 1,0 = R 2,0 = R 3,0 = R 4,0 = 1. Now the cipher is switched into generation mode and clocked for 2 m times, generating one bit of keystream at a time. Where, 250 l m is the number of irregular clocking and N the framenumber that was used for initialization. Experimentally, there are several variants of this attack possible on different channels, even more so when multiple frames are used. These attacks have a lower computational complexity but require more ciphertext [1]. IV. SECURITY ANALYSIS OF GMR-2 To obtain the code responsible for implementing the cipher according to the GMR-2 standard, the investigators analyzed the latest publically available firmware image of the Inmarsat IsatPhone Pro, which was released in June Only Inmarsat handsets support the GMR-2 standard at this point and these results apply to all satphones. ISSN: Page 157

6 A. Hardware The Inmarsat IsatPhone Pro runs on an analog devices LeMans AD6900 platform. The core of the platform is an ARM 926EJ-S CPU, which is supplemented by a Blackfin DSP as shown in Fig. 8 [21]. This architecture can be deduced from plain text strings within the firmware image. An operating system function that returns information on the underlying hardware of the system and this function return the platform name as a static string. Both CPUs connect to the same bus interface, which is attached to the system RAM, any external memory that might be present as well as the shared peripherals (e.g., SIM card, keypad, SD/MMC slots, etc.). The system is initialized by the boot ROM code of the ARM CPU. The ARM CPU then has the task to initialize the DSP for further operations. However, a correct mapping of the DSP code and data section is required since correct references in subroutine calls or string references from within the code are crucial to disassemble and understand the code Therefore, inventors reverse-engineered [1] the very first initialization routines in the Blackfin code, which turned out to hold a DSP memory initialization routine that builds the DSP code and data from the firmware image into another memory region (presumably RAM). In the firmware image, the actual DSP code and data regions are stored as multiple chunks of data that are either uninitialized (i.e., filled with null bytes) or initialized. Initialized blocks are repeated consecutively in memory multiple times. The Meta information for each data chunk (i.e., chunk type, block length, etc.) is pretended as a header. The first chunk starts at a fixed address and each header also contains an offset to the next chunk in memory. As no encryption or compression for the DSP code and data is used within the firmware, the corresponding firmware regions can be extracted directly. This information was helpful to investigators to reconstruct the actual memory layout of the DSP in RAM. The DSP code also contains plenty of demodulation and speech encoding algorithms that naturally bear some resemblance to cryptographic algorithms in that they make extensive use of mathematical operations. Fig. 8 The LeMans AD6900 Platform [21] In order to further narrow down the relevant code parts, inventors created [1] the forward call graphs of all nine thread routines and computed the intersection of all the nodes in the graphs. The idea behind this approach is that in every case the stream cipher has to be called eventually, regardless of the actual purpose of the thread. The intersection greatly reduces the candidate set of code regions from about 140 subroutines to only 13 functions shared by all threads (not including further nested subroutine calls). In the last step, they analyzed these remaining functions manually. At first, this analysis revealed the subroutine which encodes the TDMA-frame counters into a 22-bit frame-number. Shortly after this function, the actual cipher code is called. The algorithm itself, as explained in the next section, is completely dissimilar to A5/2, which also explains why one is not able to spot the cipher with the same methods as in the analysis of GMR-1. B. Structure of the Cipher After having obtained the cipher s assembler code, they found a more abstract description in order to enhance intuitive understanding of its way of functioning. We arbitrarily chose to split the cipher into several distinct components which emerged after examining its functionality. ISSN: Page 158

7 Fig. 9 The A5-GMR-2 Cipher [1] The cipher uses a 64-bit encryption-key and operates on bytes. When the cipher is clocked, it generates one byte of keystream, which was denoted by Zl, where l represents the number of clocking. The cipher exhibits an eight byte state register S = (S0, S1,..., S7)2 8 and three major components we call F, G, and H. Additionally, there is a 1-bit register T that outputs the so-called toggle-bit, and a 3-bit register C that implements a counter. Figure 9 provides a schematic overview of the cipher structure. The detailed cryptanalysis is given in [1]. V. CONCLUSIONS Though there is a large body of work related to the security aspects of the GSM, there had been no scientific or other publicly available investigation of the security mechanisms employed by the two existing satphone standards, GMR-1 and GMR-2. Contradictory to the practice recommended in modern security engineering, both standards rely on proprietary algorithms for voice encryption. Even though, it is impossible for us to decide whether this is due to historic developments or because of secret algorithms to provide a higher level security. GMR-1 relies on a variant of the GSM cipher A5/2, for which serious weakness have been demonstrated for more than a decade. The GMR-2 cipher, which appears to be an entirely new stream cipher, shows even more serious cryptographic weaknesses. In the case of GMR-1, an attacker can mount a successful ciphertext-only attack. With respect to the GMR-2 cipher, in a known-plaintext setting where approximately bytes plaintext are known to the attacker, it is possible to recover a session key with a moderate computational complexity, allowing the attack to be easily performed with a current PC. The cipher code inside the firmware was not specifically protected against reverse-engineering efforts. The difficulty in reconstructing both algorithms thus stems from the inherent complexity in analyzing large pieces of code. If software engineers had employed state-of-the art obfuscation schemes, the analysis could have been at least complicated significantly. Furthermore, implementing the ciphers in hardware would also hamper reverse-engineering. REFERENCES [1] B. Driessen, R. Hund, C. Willems, Don t Trust Satellite Phones: A Security Analysis of Two Satphone Standards, in IEEE Symposium on Security and Privacy, [2] Z. Wang, X. Jiang, W. Cui, X. Wang, and M. Grace, ReFormat: Automatic Reverse Engineering of Encrypted Messages, in European Symposium on Research in Computer Security (ESORICS), [3] J. Caballero, P. Poosankam, C. Kreibich, and D. Song, Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse- Engineering, in ACM Conference on Computer and Communications Security (CCS), [4] F. Gröbert, C. Willems, and T. Holz, Automated Identification of Cryptographic Primitives in Binary Programs, in Symposium on Recent Advances in Intrusion Detection (RAID), [5] D. Wright, Reaching out to remote and rural areas: Mobile satellite services and the role of Inmarsat, Telecommunications Policy, vol. 19, no. 2, pp , [6] D. Matolak, A. Noerpel, R. Goodings, D. Staay, and J. Baldasano, Recent progress in deployment and standardization of geostationary mobile satellite systems, in Military Communications Conference (MILCOM), [7] ETSI, ETSI TS V1.1.1 ( ); GEO-Mobile Radio Interface Specifications; Part 3: Network specifications; Sub-part 2: Network Architecture; GMR , Std., [8] G. Maral and M. Bousquet, Satellite Communications Systems: Systems, Techniques and Technology, 5th ed. John Wiley & Sons, [9] Jim Geovedi and Raoul Chiesa, Hacking a Bird in the Sky, in HITBSecConf, Amsterdam, [10] ETSI, ETSI TS V1.1.1 ( ); GEO-Mobile Radio Interface Specifications; Part 3: Network specifications; Sub-part 9: Security related Network Functions; GMR , Std., [11] H. Welte, Anatomy of contemporary GSM cellphone hardware, [Online]. Available: [12] M. Briceno, I. Goldberg, and D. Wagner, A pedagogical implementation of the GSM A5/1 and A5/2 voice privacy encryption ISSN: Page 159

8 algorithms, 1999, originally published at mirror at gsm-a512.htm. [13] J. D. Golic, Cryptanalysis of alleged A5 stream cipher, in Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques, ser. EUROCRYPT 97. Springer-Verlag, 1997, pp [14] S. Petrovic and A. Fuster-Sabater, Cryptanalysis of the A5/2 Algorithm, Cryptology eprint Archive, Report 2000/052, Tech. Rep., 2000, [15] E. Biham and O. Dunkelman, Cryptanalysis of the A5/1 GSM Stream Cipher, in Indocrypt, [16] A. Biryukov, A. Shamir, and D. Wagner, Real Time Cryptanalysis of A5/1 on a PC, in Fast Software Encryption (FSE), [17] P. Ekdahl and T. Johansson, Another Attack on A5/1, IEEE Transactions on Information Theory, vol. 49, no. 1, [18] A. Bogdanov, T. Eisenbarth, and A. Rupp, A Hardware- Assisted Realtime Attack on A5/2 Without Precomputations, in Cryptographic Hardware and Embedded Systems (CHES), [19] E. Barkan, E. Biham, and N. Keller, Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication, Journal of Cryptology, vol. 21, March [20] K. Nohl and C. Paget, GSM: SRSLY? 2009, 26th Chaos Communication Congress. [21] Jose Fridman, Analog Devices. How to optimize H.264 video decode on a digital baseband processor. [Online]. Available: ISSN: Page 160