CELLULAR TELEPHONE NETWORK SECURITY - PowerPoint PPT Presentation

About This Presentation

Title:

CELLULAR TELEPHONE NETWORK SECURITY

Description:

First digital cellular phone standard. 1982 GSM (Groupe Special Mobile) ... e.g. Serge Vaudenay 'FFT-Hash-II is not yet Collision-Free' http://lasecwww.epfl. ... – PowerPoint PPT presentation

Number of Views:202

Avg rating:3.0/5.0

Slides: 46

Provided by: TOL

Category:

more less

Transcript and Presenter's Notes

Title: CELLULAR TELEPHONE NETWORK SECURITY

1
CELLULAR TELEPHONE NETWORK SECURITY
Ari Vesanen, ari.vesanen_at_oulu.fi Department of
Information Processing Sciences, University of
Oulu
2
Contents

Introduction to GSM
GSM network structure and properties
GSM network security model
GSM network security threats
GPRS vs. GSM Security
UMTS vs. GSM Security

3
Introduction to GSM

GSM worlds most widely used cellular phone
system
About 1000 million users
First digital cellular phone standard
1982 GSM (Groupe Special Mobile) committee to
create standard
1989 ETSI (European Telecommunications Standards
Institute) responsible for development
1990 first specifications frozen

GSM specifications developed secretly
No public evaluation according to scientific
procedure
Kerckhoffs principle violated Algorithm
strength should depend on secrecy of key and not
on the secrecy of the algorithm itself
GSM specifications and encryption algorithms have
leaked and been subject to criticism

5
GSM Network Structure
Mobile station MS
SIM
PHONE
Um
BTS
BTS
Abis
Base Station subsystem BSS
BSC
BSC
A
HLR
VLR
Network Switching Subsystem NSS
MSC
EIR
AuC
PLMN, PSTN, ...
6

Mobile Station phone SIM
SIM Subscriber Identity Module
User identity IMSI (International Mobile
Subscriber Identity) on SIM
MSISDN (Mobile Subscriber International
Integrated Services Digital Network) number
Phone number on SIM
Phone identity IMEI (International Mobile
Equipment Identity) in phone
Got from phone type 06

BSS components Base Transceiver Station (BTS)
and Base Station Controller (BSC)
BTS controls radio communication with phone,
encrypts calls and does decryption
BSC can control several BTSs, tasks
Initialization of radio channel
Frequency hopping
Handover (transferring user between cells)
Traffic between BSS and MSC

NSS MSC SMSC Registers ( OSS)
Mobile Services Switching Centre (MSC)
Main component of NSS
Works as link to wired network
Services for registering and authenticating
mobile user
Services related to mobility
Short Message Service Centre (SMSC)
Transmission of short messages
Needs routing information -gt works in
co-operation with HLR

HLR (Home Location Register)
Information on subscribers registered in this GSM
network
Current location of users (location networks VLR
address)
One network can contain only one HLR
VLR (Visitor Location Register)
Relevant information on all active users in GSM
network
AuC (Authentication Center)
User secret key information by IMSI
EIR (Equipment Identity Register)
Valid equipments by their IMEI code

10
GSM Network Radio Interface

Band control combined TDMA/FDMA
FDMA divides band into 200 kHz wide channels
GSM 900 124 channels
GSM 1800 374 channels
Channels grouped and distributed to operators
Carrier frequency into time frames according to
TDMA model
TDMA frame eight time intervals (slots)
Message in one slot burst
Logical channel one slot in one frame

Frequency hopping
216,7 hops/second
After each burst frequency changed according to
predefined pattern
Spreads disturbances
Makes eavesdropping more difficult
TDMA/FDMA model technically challenging

12
Establishing Call

Updating location
Uses MSC, HLR and VLR
When MS moves to new location area or to new
operator area -gt must register for update
Location update message to new MSC/VLR pair that
registers new information and sends it to
subscribers HLR. HLR sends the previous VLR
information that subscriber left its area

13
Incoming call
1
Phones home MSC
HLR
3
4
2
5
Phones location MSC
VLR
6
BSC
BTS
MS
Call Routing
14
GSM Network Security Model

Identification of subscriber IMSI
IMSI consists of three components
Mobile Country Code (MCC)
Mobile Network Code (MNC)
Mobile Subscriber Identity Number (MSIN)
TMSI temporary identifier, used instead of IMSI
in communication
Changed when location changed
Makes IMSI capturing and subscriber communication
monitoring more difficult

Authentication
Actors SIM card and (home networks)
Authentication Center (AuC)
Authenticates user to network (not vice versa)
Based on secret 128 bit key Ki (resides only on
SIM and in AuC)
Authentication always in home network!
Authentication algorithm may be changed, yet
works in visited networks
Authentication method challenge-response
Algorithm A3

16
2. Request authentication triplet

HLR
MSC
MS
3. Authentication triplet (RAND,SRES,Kc)
4. RAND
AuC
6. Check SRES
5. SRES
SRES A3(RAND,Ki) Kc Air interface encryption
key
Authentication in GSM Network
17

Air interface encryption
Encryption algorithm A5 must reside in phone, for
all network operators common algorithm
Key generated using algorithm A8 on SIM, hence
may be operator specific
Uses (64 bit) session key Kc A8(RAND, Ki) and
(22 bit) TDMA frame number
A5 stream cipher, re-synchronized for each frame
Kc rarely updated (in connection with
authentication)
Only air interface encrypted in GSM network, no
encryption in operator network
Relied on physical security

18
MS (A)
BTS (B)
A5
A5
Kc (64 bit)
Kc (64 bit)
Frame no (22 bit)
Frame no (22 bit)
114 bit
114 bit
114 bit
114 bit
CIPHER A-gtB
PLAIN A-gtB
PLAIN A-gtB
XOR
XOR
CIPHER B-gtA
XOR
PLAIN B-gtA
XOR
PLAIN B-gtA
Air Interface Encryption in GSM Network
19
Algorithms

SAGE group under ETSI designed algorithms
Composition secret
A3, Device authentication algorithm
Takes as parameters 128 bit key Ki and random
number RAND, computes 32 bit fingerprint, SRES.
Almost without exception COMP128 algorithm
used both as A3 and A8
COMP128 proposed in GSM specification

A8 air interface encryption key generation
algorithm
Mostly COMP128
Takes as parameters 128 bit key Ki and random
number RAND, computes 64 bit session key Kc
Kc used until MSC decides to re-authenticate
device
Both A3 and A8 on SIM card
Operator can decide algorithms
Authentication done in subscribers home network
-gt local network does not have to know
algorithms, yet authentication works also when
user roams

COMP128 not public, found out using SIM cards and
leaked specifications
http//www.iol.ie/kooltek/a3a8.txt (Marc
Briceno, Ian Goldberg and David Wagner)
implementation
Published in April 1998
Produces both SRES and Kc in one run
Upper 32 bits SRES
Lowest 54 bits 10 zeros Kc -gt effectively Kc is
54 bit!

22
A5 Air Interface Encryption Algorithm

Stream cipher algorithm
Original European algorithm A5 leaked in
general already in 1994, details in May 1999
(Briceno from GSM phone)
Initialized each sent frame
Key Kc used during call, but 22-bit frame number
changed

European A5
Three feedback shift registers (LFSR Linear
Feedback Shift Register) of different lengths
Register lengths 19, 22 and 23 bits
Register values XORed and obtained bit XORed with
plaintext bit
Registers initialized using session key Kc and
frame number
After initialization 228 bits pseudo random bit
stream formed 114 first bits to encrypt frame
from device to base station, rest 114 bits from
base station to device
Cf. http//cryptome.org/a51-bsw.htm

24
0
18
13
C1

R1 (19)
XOR
C2
21
0
XOR

R2 (22)
XOR
22
C3
7
0

R3 (23)
XOR
A5 - cipher
Rotation Majority of C1,C2 and C3
25

Algorithm in many forms, original A5/1
Stronger than other A5/x s
A5/0 No encryption
A5/2 decidedly weakened form (used e.g. in USA)
Published and analyzed in August 1999 (very weak)
Other A5/x s not become public (if any)

26
GSM Network Security Defects

Network not authenticated
Faking base station principally possible
Algorithm weaknesses
Both A5 and COMP128 defective
Data integrity not checked
Makes alteration of data possible

Authentication data transmitted in clear both
inside and between networks
Contains also air interface encryption key
Lack of visibility
User can not know whether encryption used or not
No confirmation to home network, whether serving
network uses correctly authentication parameters
when user roams

28
Threats

Attacks against A5
A5 implementation (Mike Roe) http//www.hackcana
da.com/blackcrawl/cell/gsm/gsm_security.html
Breaking air interface encryption -gt call
eavesdropping
Many methods proposed for breaking A5
Almost practical attack by Golic
Cryptanalysis of Alleged A5 Stream Cipher cf.
http//downloads.securityfocus.com/library/a5-hack
.html
Birthday attack type time/memory -optimization

Attack applicable in real time
Biryukov, Shamir and Wagner (cf.
http//cryptome.org/a51-bsw.htm) Real time break
algorithm on PC against the strong algorithm A5/1
Basic assumption Attacker knows or guesses part
of bit stream produced by cipher
Basic idea Great number of pre-computed states
stored (possible, since feedback registers can
only be in 264 different states)
Idea by Golic

Key can be deduced from initial state of each
frame
A5/1 can be effectively implemented on PC (each
register small enough to store their states in
computers memory as three cyclic arrays)
A5/1 can be run backwards effectively
However, backward computation not entirely
deterministic one state can be arrived at from
several states

Suitable 16-bit number alpha in advance chosen
and only frames that include alpha considered
The number of register states producing alpha is
about 248
States computed in advance and stored on disk
-gt attack demands large amount of space
Three different attacks (all require at least two
73GB hard drives)

Estimate First type attack (biased birthday
attack two versions), needs about 2 minutes of
call data
Alpha appears sufficiently many times (ca. 71) in
data
Direct collision with disk data and cipher data
Encryption broken in one second
Third type attack (random subgraph attack)
call data 2 seconds
Performing attack takes minutes
No crypto attack carried out in practice
(presumably)

SIM card cloning (by physical contact)
Subscribers secret key on SIM and security
depends on this key -gt if attacker obtains SIM
security can be broken
An identical copy of SIM can be made
If card noticed missing, it can quickly be shut
out of services
If copy and original simultaneously used, network
notices and invalidates both
In principal cloned card can be used such that
subscriber is billed

Revealing key Ki from SIM
Based on weakness of COMP128
Inventors SDA (Smartcard Developer Association)
and ISAAC (Internet Security, Applications,
Authentication and Cryptography)
Cf. http//www.isaac.cs.berkeley.edu/isaac/gsm-faq
.html
Flaw in algorithm -gt information on Ki obtained
by giving suitable random number inputs RAND as
an argument to A8
Input RAND slightly changed and observed when
identical answer obtained
217.5 inputs enough to deduce Ki

Test attack SIM in card reader attached to PC
PC generated 150 000 challenges, using which SIM
computed SRES response and session key Kc -gt
based on information Ki computed. Took ca. 8
hours
April 1998
Used attack technique standard -like
Cf. e.g. Serge Vaudenay FFT-Hash-II is not yet
Collision-Free http//lasecwww.epfl.ch/pub/lasec/
doc/liens-92-17.A4.ps

SIM cloning over-the-air
ISAAC According to experts possible in practice
(faking base station)
Cf. http//www.isaac.cs.berkeley.edu/isaac/
gsm.html
Type 1 Attacker builds fake base station,
covering subscribers valid BTS -gt Subscribers
SIM may be bombed with self-generated
authentication requests

Estimate Attack duration 8 13 hours, victim
device has to be in operating area of fake base
station (not necessarily continuously)
Subscriber can not detect attack
Enhanced version of COMP128 exists (COMP128-2)
Some operators use
Not (known to be) broken
Type 2 Attack from legal network
Client outside home network (e.g. abroad)
Attacker inside location network

Building fake (rogue) base station
Cost estimate 10 000 euros
Can capture IMSI
Gathered information might be used in networks
with more loose authentication
Counter Temporary identifier TMSI, changed
when subscriber location updated
TMSI not entirely prevents IMSI capture since
IMSI has to be sent once
Also other attacks (e.g. mentioned SIM cloning)

Cell change in GSM network
Phone sends audibility reports to BTS
BTS adds own information and sends to BSC
BSC cell change request to MSC (if necessary)
MSC resource allocation request to new BSC, that
waits for MS to arrive
New BSC send acknowledgement to MSC that sends
cell change command to old BSC, this forwards it
to MS
MS breaks connection to old base station and
continues with new one

How to hook up a phone to my fake base station?
Item 5 Cell change command from the network -gt
Attacker may simulate command and force the phone
to change
No authentication for base stations -gt Device can
not know communicating with a rogue base station

41
GPRS vs. GSM Security

GPRS transition phase to 3G, supports packet
switched traffic
Voice (circuit switched traffic) as in GSM
GPRS data uses multiple slots
Air interface encryption (differences with GSM)
New A5 algorithm GEA
Yet secret
GPRS traffic encryption extends further (base
stations cannot cope with traffic using several
slots)

Authentication (differences with GSM)
Separate authentication for circuit switched and
packet switched traffic
Packet switched backbone has own security
features
Not considered here

43
UMTS vs. GSM Security

UMTS design applies open standardization
Specs 3GPP ( 3rd Generation Partnership Project)
WWW site http//www.3gpp.org, contains
specifications etc.
Cf. TTAE.3G-33.102 3G Security Security
Architecture
UMTS network constructed on (and parallel to)
existing GSM networks -gt Security model
constructed on GSM security model