Security functions in mobile communication systems

Similar documents
ETSI TS V3.4.0 ( )

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

City Research Online. Permanent City Research Online URL:

Mobile Security Fall 2013

ETSI TS V3.1.0 ( )

NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks

ETSI TS V3.5.0 ( )

GPRS Security for Smart Meters

Private Identification, Authentication and Key Agreement Protocol with Security Mode Setup

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Wireless Communications and Mobile Computing

Secure and Authentication Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography.

The security of existing wireless networks

Designing Authentication for Wireless Communication Security Protocol

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

EP B1 (19) (11) EP B1 (12) EUROPEAN PATENT SPECIFICATION

Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection

Communication Networks 2 Signaling 2 (Mobile)

Questioning the Feasibility of UMTS GSM Interworking Attacks

Security of Cellular Networks: Man-in-the Middle Attacks

GPRS security. Helsinki University of Technology S Security of Communication Protocols

UMTS Security Features. Technical Brief

Mobile Security Fall 2014

Key Management Protocol for Roaming in Wireless Interworking System

T325 Summary T305 T325 B BLOCK 2 4 PART III T325. Session 1 Block III Part 2 Section 2 - Continous Network Architecture. Dr. Saatchi, Seyed Mohsen

Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems. Henri Gilbert Orange Labs.

UMTS System Architecture and Protocol Architecture

Secure military communications on 3G, 4G and WiMAX

Mobile Security Fall 2015

Chapter 13 Location Privacy

MIXes in Mobile Communication Systems: Location Management with Privacy *

Security Management System of Cellular Communication: Case Study

Secure 3G user authentication in ad-hoc serving networks

UMTS Addresses and Identities Mobility and Session Management

USIM based Authentication Test-bed For UMTS-WLAN Handover 25 April, 2006

UMTS Authentication and Key Agreement - A comprehensive illustration of AKA procedures within the UMTS system

ETSI TR V ( )

Securing SMS of a GSM Network Message Center Using Asymmetric Encryption Technique Algorithm.

Request for Comments: Cisco Systems January 2006

Chapter 3 GSM and Similar Architectures

Past & Future Issues in Smartcard Industry

INSTITUTO DE MATEMÁTICA E ESTATÍSTICA UNIVERSIDADE DE SÃO PAULO. GSM Security. MAC Computação Móvel

New Privacy Issues in Mobile Telephony: Fix and Verification

Securing Cellular Access Networks against Fraud

COMP327 Mobile Computing Session: Lecture Set 5 - Wireless Communication Part 2

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

Wireless Security Security problems in Wireless Networks

Threat patterns in GSM system. Basic threat patterns:

3G TS V3.1.0 ( )

Nexus8610 Traffic Simulation System. Intersystem Handover Simulation. White Paper

GSM. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides) GPRS

New mobile phone algorithms a real world story

Understanding TETRA Security

LTE Security How Good Is It?

Diminishing Signaling Traffic for Authentication in Mobile Communication System

GSM System Overview. Ph.D. Phone Lin.

Mobile Communications

Security issues in mobile communications

UNIK4230: Mobile Communications Spring Semester, Per Hj. Lehne

Summary on Crypto Primitives and Protocols

EUROPEAN ETS TELECOMMUNICATION November 1996 STANDARD

ETSI TS V6.4.0 ( )

Communication and Distributed Systems Seminar on : LTE Security. By Anukriti Shrimal May 09, 2016

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

Integration of voice and data in an m-commerce situation

GSM Mobility Management

3GPP TS V6.6.0 ( )

GSM Open-source intelligence

Pertemuan 7 GSM Network. DAHLAN ABDULLAH

CHAPTER 4 SYSTEM IMPLEMENTATION 4.1 INTRODUCTION

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

EUROPEAN ETS TELECOMMUNICATION July 1998 STANDARD

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

3GPP TS V4.0.0 ( )

GSM Security Overview

2 Overview of existing cipher mode setting procedure

Session key establishment protocols

Session key establishment protocols

GSM Mobility Databases

Improved One-Pass IP Multimedia Subsystem Authentication for UMTS

Applications of Cryptography in Wireless Communication

Mobile Security Fall 2013

Network Node for IMT-2000

ETSI TS V ( )

Understanding IMSI Privacy!

Network Working Group Request for Comments: 3310 Category: Informational V. Torvinen Ericsson September 2002

Chapter 6. Stream Cipher Design

Identity Management in a Fixed Mobile convergent IMS environment

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2011

3GPP TS V ( )

Mobility and Security Management in the GSM System

Communication Systems for the Mobile Information Society

3GPP security. Valtteri Niemi 3GPP SA3 (Security) chairman Nokia

ETSI TS V6.3.0 ( )

EFFICIENT MECHANISM FOR THE SETUP OF UE-INITIATED TUNNELS IN 3GPP-WLAN INTERWORKING. 1. Introduction

Rab Nawaz Jadoon. Cellular Systems - II DCS. Assistant Professor. Department of Computer Science. COMSATS Institute of Information Technology

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Data and Voice Signal Intelligence Interception Over The GSM Um Interface

Modifying Authentication Techniques in Mobile Communication Systems

Transcription:

Security functions in mobile communication systems Dr. Hannes Federrath University of Technology Dresden Security demands Security functions of GSM Known attacks on GSM Security functions of UMTS Concepts for hiding locations of mobile users

Security deficits of existing mobile networks Example of security demands: Cooke, Brewster (1992) protection of user data protection of signaling information, incl. location user authentication, equipment verification fraud prevention (correct billing) Security deficits of GSM (selection) Only symmetric cryptography (algorithms no officially published) Weak protection of locations (against outsiders) No protection against insider attacks (location, message content) No end-to-end services (authentication, encryption) Summary GSM provides protection against external attacks only. the designers of GSM did not aim at a level of security much higer than that of the fixed trunk network. Mouly, Pautet (1992)

Security functions of GSM Overview Subscriber Identity Module (SIM, smart card) Admission control and crypto algorithms Authentication (Mobile station Æ network) Challenge-Response-Authentication (A3) Pseudonymization of users on the air interface Temporary Mobile Subscriber Identity (TMSI) Link encryption on the air interface Generation of session key: A8 Encryption: A5

Challenge-Response-Authentication When initialized by the mobile network? Location Registration Location Update when changing the VLR Call Setup (both directions) Short Message Service Protocol MS MSC/VLR/AuC max. 128 Bit 128 Bit Random Generator Ki Authentication Request RAND Ki A3 32 Bit A3 Authentication Response SRES = Authentication Result

Challenge-Response-Authentication Algorithm A3 Implemented on SIM card and in Authentication Center (AuC) Cryptographic one way function A3: SRES = A3(Ki, RAND) (Ki: individual user key) Interfaces are standardized, cryptographic algorithm not standardized Specific algorithm can be selected by the network operator Authentication data (RAND, SRES) are requested from AuC by the visited MSC visited MSC: only compares SRES == SRES visited MSC has to trust home network operator MS max. 128 Bit 128 Bit MSC/VLR/AuC Random Generator Ki Authentication Request RAND Ki A3 32 Bit A3 Authentication Response SRES = Authentication Result

Attacks Telephone at the expense of others SIM cloning Weakness of authentication algorithm Interception of authentication data Eavesdropping of internal communication links IMSI catcher Man-in-the-middle attack on the air interface

SIM cloning Scope Telephone at the expense of others Described by Marc Briceno (Smart Card Developers Association), Ian Goldberg and Dave Wagner (both University of California in Berkeley) http://www.isaac.cs.berkeley.edu/isaac/gsm.html Attack uses a weakness of algorithm COMP128, which implements A3/A8 SIM card (incl. PIN) must be under control of the attacker for at least 8-12 hours Effort Approx. 150.000 calculations to determine Ki (max. 128 bit) 6,25 calculations per second only, due to slow serial interface of SIM card

Interception of authentication data Scope Telephone at the expense of others Described by Ross Anderson (University of Cambridge) Eavesdropping of unencrypted internal transmission of authentication data (RAND, SRES) from AuC to visited MSC Weakness GSM standard only describes interfaces between network components. They forgot the demand for internal encryption. Microwave links are widely used for internal linkage of network components.

No encryption of internal links Microwave link (not encrypted) originator device radio transmission (encrypted) BTS fixed network domain of network operator 1 domain of network operator 2 Gateway-MSC Database terminating device radio transmission (encrypted) BTS fixed network (not encrypted)

Interception of authentication data faked microwave link mobile station air interface visited network (not encrypted) home network (any message) TMSI mapping TMSI IMSI Provide Auth. Info IMSI RAND Ki Lookup store auth. info Auth. Request RAND store auth. info SRES Authentication Information RAND, SRES, Kc A3+A8 Auth. Response SRES Ciphering Mode Cmd. = auth. res. Interception of Authentication Triplets RAND, SRES, Kc Kc Start Ciphering Kc A5 Ciphering Mode Compl. A5...

IMSI-Catcher Scope Identities of users of a certain radio cell Eavesdropping of communications (Telephone at the expense of others) Man-in-the-middle attack (Masquerade) MS IMSI catcher network BCCH Location Upd. Request (TMSI) Identity Request Identity Response (IMSI) Authentication Request (RAND) Authentication Response (SRES) knows identities Note: The IMSI Catcher sends its location area identity with a higher power than the genuine BCCH Location Upd. Request (IMSI) Authentication Request (RAND) Authentication Response (SRES) Weakness No protection against malicious or faked network components Ciph. Mode Cmd. (No Ciphering) TMSI Realloc. Cmd. (TMSI new) suppress ciphering Ciph. Mode Cmd. (Start Ciph.) Ciphering Mode Complete (Fault) Ciph. Mode Cmd. (No Ciphering) TMSI Realloc. Cmd. (TMSI new) Location Updating Accept Location Updating Accept TMSI Reallocation Complete TMSI Reallocation Complete

Universal mobile telecommunication system (UMTS) Security functions of UMTS have been»inspired«by GSM security functions From GSM Subscriber identity confidentiality (TMSI) Subscriber authentication Radio interface encryption SIM card (now called USIM) Authentication of subscriber towards SIM by means of a PIN Delegation of authentication to visited network No need to adopt standardized authentication algorithms Additional UMTS security features Enhanced UMTS authentication and key agreement mechanism Integrity protection of signaling information (prevents false-base-station attacks) New ciphering / key agreement / integrity protection algorithms and a few minor features

UMTS Security Architecture Serving Network Home Environment USIM MS Base Station RNC VLR / SGSN HLR / AuC Ciphering/integrity protection cipher key CK, integrity key IK ciphering function f8 integrity function f9 User authentication Network authentication USIM MS RNC VLR SGSN HLR AuC UMTS Subscriber Identity Module Mobile Station Radio Network Controller Visitor Location Reg. SG Serving Network Home Location Register Authentication Centre authentication key K, authentication function f1, f2 key generation function f3, f4, f5 sequence number management SQN

Generation of authentication vectors K [128] AMF [16] Generate SQN Generate RAND SQN [48] f1 f2 f3 f4 f5 MAC XRES CK IK AK RAND [128] [64] [32 128] [128] [128] [48] SQN Sequence number RAND Random number AMF Authenticated Management Field K Secret Key MAC Message authentication code XRES Expected response CK Cipher key IK Integrity key AK Anonymity key AUTN Authentication token AV Authentication vector [ ] # of bits AUTN := SQN AK AMF MAC AV := RAND XRES CK IK AUTN

Authentication function in the USIM K [128] f5 RAND [128] AUTN SQN Sequence number RAND Random number AMF Authenticated Management Field SQN AK AMF MAC K Secret Key [48] [16] [64] MAC Message authentication code AK [48] XMAC Expected MAC RES Response SQN [48] CK Cipher key IK Integrity key AK Anonymity key f1 f2 f3 f4 AUTN Authentication token XMAC RES CK IK [64] [32 128] [128] [128] [ ] # of bits Verify MAC == XMAC Verify that SQN is in the correct range

Security mode setup procedure MS RNC VLR/SGSN UE Security capabilities START CS, START PS User Identity (IMSI or TMSI), KSI AKA (optional) Decision about AKA Select sec. algorithms Start Integrity Protection Allowed security algorithms, CK, IK Control of UE Sec. Cap. Integrity check Start Integrity Protection Start Ciphering Security Mode Command (incl. UE Sec. Cap., selected alg., FRESH Security Mode Complete Integrity check MS Mobile Station RNC Radio Network Controller VLR Visitor Location Reg. SGSN SG Serving Network UE? START CS Start circuit switched START PS Start packet switched IMSI Intl. Mob. Subscriber Ident. TMSI Temp. Mob. Subscr. Identity KSI Key Set Identifier AKA Authentication and Key Agreement CK Ciphering Key IK Integrity Key FRESH prevents Replay attacks Security Mode Complete Start Ciphering

Cipher algorithm f8 Combination of Output Feedback mode (OFB) and counter mode First encryption under CK prevents chosen plaintext attacks (initialization vector is encrypted, KM: key modifier) COUNT BEARER DIRECTION 0 0 CK =CK KM KASUMI BLKCTR=0 BLKCTR=1 BLKCTR=2 BLKCTR=n CK KASUMI CK KASUMI CK KASUMI CK KASUMI KS[0] KS[63] KS[64] KS[127] KS[128] KS[191] KS[64 n] KS[64 (n+1) 1] Key stream is XORed with MESSAGE block

Integrity algorithm f9 ISO/IEC 9797-1 (MAC algorithm 2) Sender and receiver use f9 Receiver verifies MAC == XMAC COUNT FRESH MESSAGE[0] MESSAGE[63] MESSAGE[64] MESSAGE[127] Final Message Block (padded) IK KASUMI IK KASUMI IK KASUMI IK KASUMI IK KASUMI MAC or XMAC (left 32 bits)

Protection of locations Mobile user whishes to be reachable at his current location. He won t be localizable by outsiders and the network operator unless the explicitly gives his permission There is no mobile network that fulfills this demand. HLR Address of the VLR: A VLR VLR Address of the LA: LAI MSISDN database request database request broadcast long distance from the location area near the location area

Protection of locations GSM (Global System for Mobile Communication) Distributed storage at location registers Home Location Register (HLR) Visitor Location Register (VLR) Network operator has global view on location information Tracking of mobile users is possible HLR Address of the VLR: A VLR VLR Address of the LA: LAI MSISDN database request database request broadcast long distance from the location area near the location area

Systematic: Protection of locations A. Trust into the mobile station only A.1 Broadcast method A.2 Group pseudonyms B. Additional trust into a private fixed station B.1 Trusted address translation and broadcast B.2 Reduction of broadcast areas B.3 Explicit trustworthy storage of locations B.4 Temporary pseudonyms (TP method) C. Additional trust into a trusted third party C.1 Trust Center C.2 Co-operating chips C.3 Mobile Communication-MIXing

Overview: Broadcast No storage of locations and global paging of mobile users A HLR VLR MS B

Overview: Broadcast No storage of locations and global paging of mobile users A broadcast service Immense costs for bandwith

Broadcast in general Local choice, Unobservable receiving Radio, TV, Paging services,... Brodcast srv.

Overview : Trustworthy storage Replace databases by trusted devices in the fixed network A HLR VLR MS B

Overview : Trustworthy storage Replace databases by trusted devices in the fixed network A individual trusted fixed station Every location updating needs communication with trusted station. Question: How can we reduce cost of location updating?

Overview : Trustworthy storage Tempory Pseudonyms (TP method) A trusted FS HLR VLR Can we do this without a trusted fixed station?

Overview : Mobile Communication-MIXing Covered storage of location information A HLR VLR MS B MIX MIX A MIX hides the communication relation between HLR and VLR VLR and location area

Implicit Addresses First contact: Covered Implicit Address CIA Recipient publishes public encryption key c Sender creates CIA := c(r,s,m) Redundancy R Seed S of a pseudo-random generator PRG Message M (optional, may contain symmetric key k) Recipient decrypts all received messages with private key d Finds correct R for own messages only Following addressing: Open Implicit Address OIA OIA i+1 := PRG(i,seed) (i = 0,1,2, ) Sender : calculates next OIA encrypts message (optional) M under k Sends OIA, M Receiver: Associative memory of all valid OIAs to recognize own messages

Broadcast method Performance 1 10 9 bandwidth b [bit/s] 1 10 8 T v = 2 m - n l 2 m (m - n l) m = b B l =1/(300 s) T v = 0.5 s 1 10 7 1 10 6 1 10 5 1 10 4 1 10 6 1 10 7 1 10 8 number of users n covered implicit address: B = 500 bit open implicit address: B = 50 bit minimal coding: B = Èld(n)

Performance: Message lengths on the air interface Mobile Terminated Calls GSM reference B.3 explicit trustworthy storage B.4 TP method C.2 cooperating chips 4000 Bit Message intervals on the Air interface in bit for Mobile Terminated Calls 3000 2776 2000 2120 2144 2090 1536 1440 1520 1446 1000 0 GSM B.3 B.4 C.2

Performance: Message lengths on the air interface Location Update GSM reference B.3 explicit trustworthy storage B.4 TP method C.2 cooperating chips 500 Bit 400 300 200 100 Message intervals in bit for Location Updating 328 328 216 216 280 398 322 0 GSM B.3 B.4 C.2

Security of mobile communication Conclusion Protection of locations can be technically realized However, there is a demand for legal enforcement More information http://www.inf.tu-dresden.de/~hf2/mobil/ Intelligent Network... Access Network Core Network Anonymous Network

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback