Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

Similar documents
Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

Security functions in mobile communication systems

ETSI TS V3.4.0 ( )

Mobile Security Fall 2013

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

Secure and Authentication Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography.

ETSI TS V3.5.0 ( )

City Research Online. Permanent City Research Online URL:

ETSI TS V3.1.0 ( )

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Nexus8610 Traffic Simulation System. Intersystem Handover Simulation. White Paper

COMP327 Mobile Computing Session: Lecture Set 5 - Wireless Communication Part 2

GPRS and UMTS T

UMTS System Architecture and Protocol Architecture

GPRS Security for Smart Meters

EP B1 (19) (11) EP B1 (12) EUROPEAN PATENT SPECIFICATION

LTE Security How Good Is It?

Questioning the Feasibility of UMTS GSM Interworking Attacks

GSM System Overview. Ph.D. Phone Lin.

Rab Nawaz Jadoon. Cellular Systems - II DCS. Assistant Professor. Department of Computer Science. COMSATS Institute of Information Technology

Wireless Communications and Mobile Computing

Talk 4: WLAN-GPRS Integration for Next-Generation Mobile Data Networks

Security of Cellular Networks: Man-in-the Middle Attacks

GSM. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides) GPRS

UMTS Security Features. Technical Brief

Chapter 3 GSM and Similar Architectures

Basics of GSM in depth

Please refer to the usage guidelines at or alternatively contact

Communication Systems for the Mobile Information Society

Evolution from GSM to UMTS

Secure 3G user authentication in ad-hoc serving networks

UMTS Addresses and Identities Mobility and Session Management

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

GSM Open-source intelligence

Communication and Distributed Systems Seminar on : LTE Security. By Anukriti Shrimal May 09, 2016

Mobile Security Fall 2014

ETSI TR V ( )

3GPP security. Valtteri Niemi 3GPP SA3 (Security) chairman Nokia

NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks

Private Identification, Authentication and Key Agreement Protocol with Security Mode Setup

Securing Cellular Access Networks against Fraud

Threat patterns in GSM system. Basic threat patterns:

Mobile Security Fall 2015

Practical Operator Considerations Cellular Analog Cellular Rogue Base Station Tumbling Cloning

Cellular Communication

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

Improved One-Pass IP Multimedia Subsystem Authentication for UMTS

ETSI TS V6.0.0 ( )

Dimensioning, configuration and deployment of Radio Access Networks. part 1: General considerations. Mobile Telephony Networks

3GPP TS V9.4.0 ( )

Communication Networks 2 Signaling 2 (Mobile)

T325 Summary T305 T325 B BLOCK 2 4 PART III T325. Session 1 Block III Part 2 Section 2 - Continous Network Architecture. Dr. Saatchi, Seyed Mohsen

New Privacy Issues in Mobile Telephony: Fix and Verification

UMTS Authentication and Key Agreement - A comprehensive illustration of AKA procedures within the UMTS system

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

Mobility management: from GPRS to UMTS

Key Management Protocol for Roaming in Wireless Interworking System

UNIK4230: Mobile Communications Spring Semester, Per Hj. Lehne

Designing Authentication for Wireless Communication Security Protocol

Understanding IMSI Privacy!

USIM based Authentication Test-bed For UMTS-WLAN Handover 25 April, 2006

Secure military communications on 3G, 4G and WiMAX

ETSI TS V ( )

Network Node for IMT-2000

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

E3-E4 (CM MODULE) CDMA x & EV-DO. For internal circulation of BSNL only

3GPP TS V ( )

Mobile Communications

Mobility and Security Management in the GSM System

3GPP TS V ( )

Security Management System of Cellular Communication: Case Study

Hands-On Modern Mobile and Long Term Evolution LTE

Design and Analysis of Cryptographic Algorithms for Mobile Communication Systems. Henri Gilbert Orange Labs.

The security of existing wireless networks

3GPP TS V ( )

EUROPEAN ETS TELECOMMUNICATION November 1996 STANDARD

Pertemuan 7 GSM Network. DAHLAN ABDULLAH

Wireless Security Security problems in Wireless Networks

IP multimedia in 3G. Structure. Author: MartinHarris Orange. Understanding IP multimedia in 3G. Developments in 3GPP. IP multimedia services

Wireless LAN Based GPRS Support Node

GPRS security. Helsinki University of Technology S Security of Communication Protocols

EXAM IN TTM4137 WIRELESS SECURITY

3G/UMTS Complete Mobile Originated Circuit Switched Call Setup. July 2009, Turin

JP-3GA (R99) Network Architecture

Past & Future Issues in Smartcard Industry

Identity Management in a Fixed Mobile convergent IMS environment

3G TS V3.1.0 ( )

Long Term Evolution - Evolved Packet Core S1 Interface Conformance Test Plan

2 Overview of existing cipher mode setting procedure

Data and Voice Signal Intelligence Interception Over The GSM Um Interface

Mobile Network Evolution Part 2

Understanding Carrier Wireless Systems

Diminishing Signaling Traffic for Authentication in Mobile Communication System

Femtocells : Inexpensive devices to test UMTS security

ETSI TS V ( ) Technical Specification

Security Provisions in CDMA2000 Networks

Chapter 2 The 3G Mobile Communications

Implementation of Enhanced AKA in LTE Network

Design of a Routing Mechanism to Provide Multiple Mobile Network Service on a Single SIM Card Boobalan. P, Krishna. P, Udhayakumar. P, Santhosh.

Request for Comments: Cisco Systems January 2006

Transcription:

Network Security: Cellular Security Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2013

Outline Cellular networks GSM security architecture and protocols Counters UMTS AKA and session protocols 2

Cellular networks

History GSM Groupe Spéciale Mobile (GSM) founded in 1982 Standardized by European Telecommunication Standards Institute (ETSI) Renamed Global System for Mobile Communications (GSM) First Release in 1990, GPRS (2.5G) in 1997 UMTS Universal Mobile Telecommunications System (UMTS) Standardized by the 3rd Generation Partnership Project (3GPP) formed by ETSI and Japanese, Korean and Chinese standards bodies First Release 1999 High-Speed Downlink Packet Access (HSDPA) standardized in 2001; came into wide use in 2007-8 LTE (4G networks) standardized in 2009 4

GSM network Mobile station (MS) = mobile equipment (ME) + subscriber identity module (SIM) Base station subsystem (BSS) = base station controller (BSC) + base transceiver stations (BTS) BTS = base station (BS) Network switching subsystem (NSS) = mobile switching centers (MSC) and their support functions MSC is an advanced telephone exchange MSC uses the SS7 signalling network (but moving to IP) Advanced functions (not covered in this lecture): Text messages GPRS, HSDPA IP multimedia subsystem (IMS)

GSM network architecture 6

UMTS network Based on the GSM architecture User equipment (UE) i.e. terminal = mobile equipment (ME) + universal subscriber identity module (USIM) UMTS terrestrial radio access network (UTRAN) = radio network controller (RNC) + base stations (BS) Core network = different service domains + home location register 3GPP Release 8 specifies an all-ip network for signalling and data, but deployment will take time Circuit-switched (CS) domain for voice Packet-switched (PS) domain for IP data 7

UMTS architecture UMTS terrestrial radio network (UTRAN) Core network Base station BS = Node B Mobile switching center MSC / Visitor location register VLR CS domain Public switched telephone network PSTN MSC Terminal BS Radio network controller RNC Home location register HLR / Authentication center AuC MSC PS domain Internet BS Serving GPRS support node (SGRN) IMS domain etc. 8

Threats against cellular networks Discussion: What the threats? Charging fraud, unauthorized use Charging disputes Handset cloning (impersonation attack) multiple handsets on one subscription let someone else pay for your calls Voice interception casual eavesdropping and industrial espionage Location tracking Handset theft Handset unlocking (locked to a specific operator) Network service disruption (DoS) What about integrity? 9

GSM security

GSM security architecture Home location register (HLR) keeps track of the mobile s location Visitor location register (VLR) keeps track of roaming mobiles at each network Shared key Ki between SIM and authentication center (HRL/AuC) at the home network VLR of the visited network obtains authentication triplets from AuC of the mobile s home network and authenticates the mobile Encryption between mobile and the base station

GSM authentication Ki Ki MS = ME + SIM BS MSC/VLR HLR/AuC IMSI or TMSI IMSI SRES = A3 (Ki, RAND) Kc = A8 (Ki, RAND) Challenge: RAND On or more authentication triplets: < RAND, SRES, Kc > RES = Kc = A3 (Ki, RAND) A8 (Ki, RAND) Response: RES RES = SRES? Kc Encryption with Kc TMSI 12

GSM authentication Alice-and-Bob notation: 1. Network MS: RAND 2. MS Network: A3 (Ki, RAND) Ki = shared master key Kc = A8 (Ki, RAND) = session key After authentication, BS asks mobile to turn on encryption. A5 cipher with the key Kc 13

GSM security Mobile authenticated prevents charging fraud Encryption on the air interface No casual sniffing Encryption of signalling gives some integrity protection TMSI not easy to track mobile with a passive radio Algorithms A3, A8 can be replaced by home operator AuC and SIM must use the same algorithms Non-protocol features: Subscriber identity module (SIM) is separate from the handset Flexibility Thiefs and phone unlockers don t even try to break the SIM International mobile equipment identity (IMEI) to track stolen devices 14

GSM security weaknesses Only the mobile is authenticated, network not BS decides when to turn on encryption; mobiles have no indicator Possible to set up a fake BS that uses no encryption Integrity protection depends on encryption but some networks do not use encryption Decryption at BS, but BS may be at a hard-to-monitor location and compromised Early encryption algorithms based on COMP128, which has been broken. A5 cannot be upgraded without replacing the handset Authentication triplets transferred over the SS7 signalling network, which can be accessed by thousands of operators No non-repudiation no protection against false charges from dishonest operators IMSI sent when requested by BS IMSI catchers to track mobiles IMEI not authenticated can be changed to prevent the tracking of stolen mobiles 15

UMTS improvements over GSM RAN separate from CN Roles of radio-network operator and service operator separated Encryption endpoint moved from BS to RNC Mutual authentication protocol AKA Support for multiple service domains Circuit-switched, packet-switched, multimedia, WLAN Protection of core-network signalling Security indicator to user (e.g. encryption off) 16

Counters

Using counters for freshness Simple shared-key authentication with nonces: 1. A B: N A 2. B A: N B, MAC K (Tag2, A, B, N A, N B ) 3. A B: MAC K (Tag3, A, B, N A, N B ) K = master key shared between A and B SK = h(k, N A, N B ) Using counters can save one message or roundtrip: 1. A B: 2. B A: N B, SQN, MAC K (Tag2, A, B, SQN, N B ) 3. A B: MAC K (Tag3, A, B, SQN, N B ) SK = h(k, SQN, N B ) Another benefit: B can pre-compute message 2 A must check that the counter always increases 18

Using counters Counters must be monotonically increasing Never accept previously used values Persistent state storage needed Recovering from lost synchronization: Verifier can maintain a window of acceptable values to recover from message loss or reordering Protocol for resynchronization if badly off Values must not be exhausted Limit the rate at which values can be consumed But support bursts of activity Long enough counter to last equipment or key lifetime 19

UMTS authentication and key agreement (AKA)

UMTS AKA AKA = authentication and key agreement Based on GSM authentication Mutual authentication Sequence number for freshness to mobile saves one roundtrip to AuC authentication vectors can be retrieved early, several at a time Why is this so important? Why not just use a client nonce? 21

UMTS AKA (simplified) K, SQN Network K, SQN Phone MAC = f1 (K, RAND,SQN) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) RAND, AUTN [SQN, MAC] XMAC = f1 (K, RAND,SQN) RES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) MAC = XMAC? RES RES= XRES? Encryption and integrity protection with CK, IK 22

UMTS AKA (simplified) K, SQN K, SQN Phone RNC MSC/VLR AuC IMSI MAC = f1 (K, RAND,SQN) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) RAND, AUTN [SQN, MAC] RAND, AUTN [SQN, MAC], XRES, CK, IK MAC = f1 (K, RAND,SQN) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) MAC = XMAC? RES CK, IK RES= XRES? Encryption and integrity protection with CK, IK 23

UMTS AKA K, SQN UE = ME + USIM Network K, SQN MAC = f1 (K, RAND,SQN,AMF) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) RAND, AUTN [SQN AK, AMF, MAC] MAC = f1 (K, RAND,SQN,AMF) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) MAC = XMAC? RES RES= XRES? Encryption and integrity protection CK, IK 24

K, SQN UE = ME + USIM RNC MSC/VLR AuC K, SQN IMSI UMTS AKA RAND, AUTN [SQN AK, AMF, MAC] MAC = f1 (K, RAND,SQN,AMF) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) RAND, AUTN [SQN AK, AMF, MAC], XRES, CK,IK,AK MAC = f1 (K, RAND,SQN,AMF) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) MAC = XMAC? RES RES= XRES? CK, IK Encryption and integrity protection with CK, IK 25

K, SQN UE = ME + USIM RNC MSC/VLR AuC K, SQN UMTS AKA User authentication request: RAND, AUTN [SQN AK, AMF, MAC] MAP authentication data request: IMSI MAC = f1 (K, RAND,SQN,AMF) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) MAP authentication data response: one of more authentication vectors <RAND, AUTN [SQN AK, AMF, MAC], XRES, CK, IK, AK> MAC = f1 (K, RAND,SQN,AMF) XRES = f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) MAC = XMAC? User authentication response: RES RRC security mode command RANAP security mode command: CK, IK RES= XRES? Encryption and integrity protection with CK, IK 26

UMTS authentication Alice-and-Bob notation: 1. Network terminal: RAND, SQN AK, f1 (K, RAND, SQN) 2. Terminal Network: f2 (K, RAND) CK = f3 (K, RAND) IK = f4 (K, RAND) AK = f5 (K, RAND) USIM must store the highest received SQN value AuC must also store SQN and increment it for each authentication TMSI used in 3G just like in GSM Masking SQN with AK prevents the use of SQN to identify the mobile 27

Sequence number SQN Implementation can be changed in USIM and AuC Length is fixed to 48 bits One suggested implementation: SEQ1 (19 bits) SEQ2 (24 bits) IND (5 bits) SEQ2 time counter, 2 24 seconds = 194 days, individual mobile may run ahead of the global time but can never be left behind (Note: the clock is local to AuC; mobile has no secure clock!) SEQ1 per-mobile epoch counter, incremented when SEQ2 wraps, or appears to wrap IND partitions the SQN space to independent sequences; highest used SEQ1 SEQ2 stored independently for each IND value 0..31 IND enables creation of multiple simultaneously valid authentication vectors Enables buffering of unused authentication vectors in VLR Enables parallel authentication in CS, PS, IMS and WLAN domains 28

Staying in sync SEQ1 (19 bits) SEQ2 (24 bits) IND (5 bits) Mobile may run ahead of the global time counter SEQ2 if it needs a burst of values; long-term authentication rate capped at 1/s Incrementing SEQ at AuC: if SEQ2 is less than the global time counter, set equal if equal or slightly (at most 2 16 ) higher than global time, increment by 1 otherwise, SEQ2 has wrapped set SEQ2 equal to global time and increment SEQ1 USIM stores the largest received value of SEQ1 SEQ2 for each IND value 0..31 If mobile receives a lower or equal value, authentication fails If mobile receives a slightly higher value (SEQ1 SEQ2 increased by at most 2 28 = 8.5 years), USIM updates the stored value If the increment is larger than 2 28, USIM initiates a resynchronization procedure 29

RSQ Resynchronization K, SQN UE = ME + USIM Resynchronization needed if the sequence number gets out of sync between USIM and AuC. MSC/VLR AuC K, SQN IMSI RAND, AUTN [SQN AK, AMF, MAC] RAND, AUTN [SQN AK, AMF, MAC], XRES, CK,IK,AK MAC = f1 (K, RAND,SQN,AMF) AK = f5 (K, RAND) MAC = XMAC? SQN too high! MAC-S = f1* (K, RAND,SQN,AMF) AUTS [ SQN AK, MAC-S ] RAND, AUTS [ SQN AK, MAC-S ] Update stored SQN 30

SQN resynchronization If USIM receives an SEQ1 SEQ2 value that is too much higher than the previous stored value, it sends AUTS to the AuC: AUTS = SQN AK, MAC-S MAC-S = f1*(k, SQN, RAND, AMF) SQN = USIM s stored sequence number One extra roundtrip to AuC May cause a noticeable delay, similar to when switching on a phone in a new country for the first time The delay only takes place in exceptional situations example of an optimistic protocol 31

Session protocol: encryption Encryption of MAC SDUs and RLC PDUs between terminal and RNC with the 128-bit session key CK BS does not have the key can use untrusted BS hardware Ciphertext = PDU f8(ck, COUNT-C, bearer, direction, length) f8 based on block cipher KASUMI CK = f3(k, RAND) bearer radio bearer identity, to enable simultaneous connection to multiple bearers, e.g. 3G and WLAN direction one bit, uplink or downlink length PDU length COUNT-C = HFN CFN CFN RLC frame number HFN hyper frame number, incremented when CFN wraps HFN is set to zero when rekeying with AKA 32

Session protocol: signalling integrity Authentication for RRC messages between terminal and RNC signalling only! Message authentication code = f9(ik, message, direction, COUNT-I, FRESH) f9 based on block cipher KASUMI IK = f4(k, RAND) direction one bit, uplink or downlink COUNT-I = HFN RRC sequence number HFN incremented if the RRC sequence number wraps HFN is set to zero when rekeying with AKA FRESH random nonce chosen by RNC Monotonously increasing counter COUNT-I protects against replays during one session USIM stores highest COUNT-I, but RNC might not remember it. FRESH prevents the replay of old signalling messages if the RNC reuses old authentication tuples and, thus, old session keys 33

Session protocol: data integrity Integrity of voice data is not protected Bit errors on the radio link are common Voice encodings cope well with bit errors Resending corrupt data would lead to lower voice quality Periodic local authentication: counter check Terminal and RNC periodically compare the high-order bits of COUNT-C Integrity of the counter check is protected by the MAC on RRC signalling Release connection if large differences in couters Makes it more difficult to spoof significant amounts of data 34

UMTS security weaknesses IMSI may still be sent in clear IMEI still not authenticated Non-repudiation for roaming charges is still based on server logs. No public-key signatures Still no end-to-end security Thousands of legitimate radio network operators Any government or big business gain control of one and intercept calls at RNC 35

Backward compatibility 3G users may roam in GSM networks: Challenge RAND = c1(rand) Response SRES = c2(res) Encryption key Kc = c3 (CK, IK) Possible because the keys and algorithms are shared between SIM and AuC only, not by the mobile equipment or radio network 36

37 User authentication with mobile phone

User authentication with mobile phone Generic bootstrapping architecture (GBA): The mobile operator provides an authentication service for the mobile subscriber to third parties e.g. to web-based services Authentication is based on AKA and the secret key K in the USIM 3GPP standard, but not widely used Mobile signature service (ETSI MSS) = mobile certificate SIM card contains a public key pair and certificate, which is used to authenticate to third parties Home operator needed every time to send an authentication request to the SIM (needed for charging, not for security) E.g. see http://password.aalto.fi/ Detailed information: http://www.mobiilivarmenne.fi/en/, http://www.mobiilivarmenne.fi/documents/mss_ficom_implementation_guideline_2.1.pdf Text messages as a second authentication method Assumes that text messages cannot be intercepted Google, Microsoft etc. send a secret code to the user s mobile phone for a second method of authentication (used in addition to a password) Banks send transaction details and a secret code to the phone (used in addition to the password and one-time passcode) 38

Exercises Who could create false location traces in the GSM HLR and how? Is this possible in UMTS? Consider replacing the counter with a client nonce in AKA. What would be lost? Try to design a protocol where the IMSI is never sent over the air interface, i.e. the subscriber identity is never sent in clear. Remember that the terminal may have just landed from an intercontinental flight, and the terminal does not know whether it has or not Find the current cost of an IMSI catcher and fake GSM/3G base station for intercepting calls Learn about GBA and MSS. How is the operator involved in the protocols, and is it necessary? In GBA and MSS, there is a concept called four-corner model. What does it mean? Can you find a link between roaming and the four-corner model. 39

Related reading Gollmann, Computer security, 3rd ed. chaptes 19.2 19.3 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback