Securing Wireless Cellular Systems

Securing Wireless Cellular Systems Arvind Padmanabhan [email_address] 9 th May 2009

Contents Scope Cellular Basics Security Goals Elements of Security Protocol Procedures Algorithmic Background GSM Flaws & Solutions Implementation Challenges Conclusion References

Cellular Basics – Network Architecture GSM MS SS7 BTS BSC MSC VLR HLR AuC GMSC BSS PSTN NSS A E C D PSTN Abis B H MS IP GPRS MS PSDN Gi SGSN Gr Gb Gs GGSN Gc Gn UMTS UE Node B RNC RNS Iub IuCS ATM IuPS

Cellular Basics – GSM Protocol Stack Control Plane MS BTS BSC MSC/VLR

Cellular Basics – GPRS Protocol Stack Control Plane

Cellular Basics – UMTS Protocol Stack Control Plane

Security Threats Eavesdropping Spoofing – mobile phishing Denial of service Hacking into Core Network Theft of SIM Theft of mobile phone Employees, partners, sub-contractors Viruses, worms, trojans

Security Goals User identity confidentiality User location confidentiality User untraceability User authentication Network authentication Data confidentiality Data integrity Algorithm and key agreement Mobile equipment identification User-to-USIM authentication USIM-Terminal authentication

Security Contexts User-SIM context Air interface context RAN-CN context CN context Authentication context Application context

What is AKA? AKA is also known as Authentication and Key Agreement Network authenticates the subscriber Subscriber authenticates the network (not in GSM) Both parties agree on the keys to use for data confidentiality and data integrity USIM AuC

GSM AKA A3 Mobile Station Radio Link GSM Operator A8 A5 A3 A8 A5 K i K i K c K c SIM Authentication: are SRES values equal? Challenge RAND m i Encrypted Data m i Signed response (SRES) SRES SRES F n F n

Location Update Procedure Get CKSN from SIM Get Auth Vector from AuC Invoke SIM calculations Secure data exchange

Change of Location Area User Identity Request User Identity Response Security context is transferred from the old VLR/SGSN to the new VLR/SGSN

Authenticated Session Lifetime START < Yes Session is valid. Keys can be re-used. THRESHOLD No Keys have reached their end of life. Set START as invalid. Set CKSN/KSI as invalid. Updated when RRC connection is released. Fixed by the operator. Stored on SIM/USIM.

Updating the START Value START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2 Once updated, it is saved into SIM/USIM and deleted from the mobile

Counter Check Procedure Check does not involve Core Network Prevent “man-in-the-middle” attacks RRC will query RLC for COUNT-C values RRC will include mismatches in its response UTRAM may release RRC connection

Indicating Current CKSN/KSI This field is indicated by UE MM/GMM in the following messages: LOCATION UPDATING REQUEST CM SERVICE REQUEST PAGING RESPONSE CM RE-ESTABLISHMENT REQUEST This field is indicated by UE GMM in the following messages: ROUTING AREA UPDATE REQUEST SERVICE REQUEST ATTACH REQUEST

Deriving Ciphering and Integrity Counters START (20 bits) USIM RRC RLC-TM RLC-UM RLC-AM

Data Integrity Additional protection within the same authentication session

Transmission of Signalling Content Signalling Content RRC SN MAC Message f9 MAC Signalling Content RRC SN RB ID Message f8 Signalling Content RRC SN MAC Message

Integrity Exceptions Integrity is not applied for: HANDOVER TO UTRAN COMPLETE PAGING TYPE 1 PUSCH CAPACITY REQUEST PHYSICAL SHARED CHANNEL ALLOCATION RRC CONNECTION REQUEST RRC CONNECTION SETUP RRC CONNECTION SETUP COMPLETE RRC CONNECTION REJECT RRC CONNECTION RELEASE (CCCH only) SYSTEM INFORMATION SYSTEM INFORMATION CHANGE INDICATION TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)

USIM Security Execution Resynchronization procedure exists in the USIM and HLR/AuC Secret Key

AKA for GSM Subscribers 3G phone with GSM SIM connecting to UTRAN 3G phone with GSM SIM connecting to GSM

AKA for UMTS Subscribers 2G phone with USIM connecting to GSM & R98- VLR/SGSN 3G phone with USIM connecting to GSM & R98- VLR/SGSN

GSM Handover Intra-BSC HO Nothing to be done Inter-BSC & Intra-MSC HO BSC informs MSC that HO is required MSC commands target BSC and passes on security context Inter-MSC HO Same as above except that current MSC informs target MSC to initiate HO to target cell

Algorithmic Background – Cipher Types Symmetric cipher: shared secret key Stream cipher (OTP) Block cipher (DES, Triple-DES, AES, RC2) Block ciphers can be used as stream ciphers Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR E/D E/D

Algorithmic Background – Cipher Types Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers) Private key Public key One-way hash (MD5, SHA-1, SHA-2, Triple-DES) E D H

GSM Security Flaws – 1 Weak algorithms – cracked long ago COMP128 was used: this is a keyed hash function generating a 96 bit digest Fault with operators in using COMP128 A3 and A8 based on COMP128 Kc is only 54 bits COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries! COMP128-4 is based on AES

GSM Security Flaws – 2 Same basic algorithm is used to generate both SRES and Kc No integrity on signalling data No network authentication Encryption does not extend far into the network Microwave links not protected by operators – Kc could be read easily

UMTS Algorithms KASUMI Design authority: ETSI SAGE Based on the block cipher MISTY (Mitsubishi) KASUMI is the Japanese for “MIST” f8 and f9 are based on KASUMI Changes made to aid hardware implementation Keys are 128 bits long No known hacks exist

Comparing GSM & UMTS 1. A5/3 AND GEA3 are based on KASUMI Yes No Integrity Synchronization & Key Reuse Activation Ciphering inputs Algorithms & Converters AuC Generated Vectors KSI, START CKSN ActivationTime Immediate/ Handshaking CK, RB ID, COUNT-C, DIRECTION GSM: Kc, COUNT, slot number GPRS: Kc, LLC-based INPUT, DIRECTION VBS/VGCS: group key no. f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f1*, f5*, c1, c2, c3 A3, A5/[1,2,3] 1 , GEA[1,2,3] 1 , A8, c4, c5 (RAND,XRES,CK,IK,AUTN): quintet (RAND,SRES,Kc): triplet 3G GSM/GPRS

Implementation Challenges Hardware Or Software ? Rarely matters at the network end. Matters a lot to the mobile.

SW Optimization of f8 and f9 Convert 16-bit to 32-bit operations on ARM Single instruction instead of 2 or 4 15% faster Using non-static memory for sub-keys Avoid ARM’s LDR instruction Use structures and pass pointers to functions 5% faster Key scheduling only when CK and IK change 3.5 KB increased memory 60% faster Optimizing FI with table lookups Not recommended since memory usage increases by 256 KB Estimated to give 50% improvement in the best case if tables are cached but not practical

End-to-End Security Beyond the scope of cellular systems IPSec Firewall VPN Public Key Infrastructure (PKI) & Digital Certificates MAC on files for download

Conclusion Current GSM networks are far more secure than early ones UMTS improves on GSM security Inter-working between UMTS and GSM still has implementation issues Constant innovation – anything secure today is not likely to be secure tomorrow User has the responsibility to protect his/her SIM/USIM

Standards (Release 99) Technical specifications TS 21.133 Security threats and requirements TS 22.022 Personalisation of Mobile Equipment (ME) TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirements TS 33.106 Lawful interception requirements TS 33.107 Lawful interception architecture TS 33.120 Security principles and objectives TS 35.20x Access network algorithm specifications Technical reports TR 33.900 Guidelines for 3G security TR 33.901 Criteria for algorithm design TR 33.902 Formal analysis of authentication

Securing Wireless Cellular Systems

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Securing Wireless Cellular Systems (20)

More from ACMBangalore (16)

Recently uploaded (20)

Securing Wireless Cellular Systems