The Security of Cellular Systems - PowerPoint PPT Presentation

1 / 22

About This Presentation

Title:

The Security of Cellular Systems

Description:

GSM Key Generation and Encryption. A5 stream cipher. Principles of 3GPP Security. 3GPP Security Architecture ... has a black list of stolen (or locked) devices ... – PowerPoint PPT presentation

Number of Views:107

Avg rating:3.0/5.0

Slides: 23

Provided by: dunca2

Category:

more less

Transcript and Presenter's Notes

Title: The Security of Cellular Systems

1

The Security of Cellular Systems
Duncan S. Wong
City University of Hong Kong

2
Outline

What service providers want
What users want
Security in GSM
Authentication
Anonymity
Data Confidentiality
GSM Authentication
GSM Key Generation and Encryption
A5 stream cipher
Principles of 3GPP Security
3GPP Security Architecture Overview
3GPP Authentication and Key Agreement Protocol
(AKA)
References

3
What Service Providers Want

Only legitimate subscribers can access the
network
Service providers have no interest on who is
using the SIM card.
Before allowing connection, a service provider
wants to make sure that the SIM (Subscriber
Identity Module) card in a cellphone associating
with a 15-digit IMSI (International Mobile
Subscriber Identity) is valid
Registered
Authenticated

4
Review of GSM Functional Architecture

Registered the IMSI reported by a MS and its
corresponding records in HLR are valid.
Authenticated one-way authentication takes place
between MS and AuC
One-way authentication AuC authenticates MS
How is it done?... will come to this shortly
AuC contains keys for authentication and
encryption, and related cryptographic algorithms
AuC may be situated in a special protected part
of the HLR.
Why not MS authenticating AuC?

radio cell
BSS
MS
MS
Um
radio cell
MS
BTS
RSS
BTS
Abis
BSC
BSC
A
MSC
MSC
NSS
VLR
VLR
signaling
HLR
ISDN, PSTN
GMSC
PDN
IWF
O
EIR
OSS
OMC
AuC
5
What Users/Subscribers Want - 1

Prevent malicious users from using your SIM card
Soln use a PIN (personal identity number) to
lock the SIM card
If incorrect PINs are entered three times
consecutively, the SIM card would be locked
How about a naïve owner making the mistake?
A PIN unblocking key (PUK) is needed to unblock
the SIM card.
Usually 10 incorrect trials of PUK code will
block a SIM card permanently

6
What Users/Subscribers Want - 2

Prevent malicious users from using your phone
Soln Phone lock easy to break
GSMs EIR (Equipment Identity Register)
stores all IMEIs (Intl Mobile Equipment
Identities)
has a black list of stolen (or locked) devices
Most service providers in HK do not have EIR
implemented
Find out your cellphones 15-digit IMEI type
06

7
What Users/Subscribers Want 3 4

Data Confidentiality
keep ones conservation secret by scrambling
digitized data
The technique encryption
How to encrypt?
Where to encrypt?
Anonymity
Hide the identity of the SIM card and prevent
from tracking the SIM cards movements and
whereabouts
Enemies
eavesdroppers
service providers
Can GSM provide data confidentiality and
anonymity against these two types of enemies?
These are the questions we want to answer today

8
Security in GSM

Security services
access control/authentication
user ? SIM secret PIN
SIM ? network (AuC) one-way authentication using
simple challenge-response method
confidentiality
voice and signaling encrypted on the wireless
link only (after successful authentication)
anonymity
temporary identity TMSI (Temporary Mobile
Subscriber Identity)
newly assigned at each new location update
encrypted transmission
3 algorithms specified in GSM
A3 for authentication (secret, open interface)
A5 for encryption (standardized)
A8 for key generation (secret, open interface)

secret
A3 and A8 available via the Internet

9
Using randomness to authenticate(Challenge-respon
se one-way authentication)

Abstraction

-Im Joe, let me in!
Challenge (only Joe can answer)
Response
Realization
Key
Challenge
Random Challenge
Key
Challenge
Authentication Function
Authentication Function
Response
Response
Response
Response ? Response
10
Security Requirements
Key
Challenge
Random Challenge
Key
Challenge
Authentication Function
Authentication Function
Response
Response
Response
Response ? Response

Authentication Function
easy to compute
difficult to invert
A fixed length response
The response length should be long enough to
discourage online guessing. E.g. 32 bits
Random challenge should be long enough to reduce
the chance of generating repeated challenge
numbers. E.g. 128 bits

11
GSM - Authentication
SIM
mobile network
RAND
RAND
K
RAND
K
128 bit
128 bit
128 bit
128 bit
128 bit
AuC
A3
A3
SIM
SRES 32 bit
SRES 32 bit
SRES
SRES ? SRES
MSC
SRES
32 bit
K individual subscriber authentication key SRES
signed response
12
GSM Key Generation and Encryption
MS with SIM
mobile network (BTS)
RAND
RAND
K
RAND
K
AuC
SIM
128 bit
128 bit
128 bit
128 bit
A8
A8
cipher key
Kc 64 bit
Kc 64 bit
SRES
encrypteddata
data
data
BSS
MS
A5
A5
13
GSM Security Remarks

K never leaves the SIM card or AuC.
A3 and A8 are kept secret. They are known only to
AuC developers and SIM card designers and
manufacturers.
Even service providers are supposed to know
nothing about A3 and A8.
A8 should be designed should be given Kc and
RAND, it is difficult to obtain K
A3 and A8 algorithms usually combined as COMP128
COMP128 was broken in 1998
Allows adversaries obtain K from over-the-air
queries to a phone

14
GSM A5 stream cipher
Kc

Kc 64 bits (but deliberately weakened by
zeroing 10 key bits)
Effective key length 54 bits only
Each frame 114 bits (data payload)
A5 a stream cipher
Two versions of A5
stronger A5/1 version (used in Europe)
weaker A5/2 version (other markets)
Both versions have been broken

15
The Summary of GSM Security Problems

Weak authentication and encryption algorithms
COMP128 and A5 have been broken
No data integrity check
No MAC
No network authentication (i.e. no mutual
authentication)
Only SIM authentication
false base station attack possible
Since the SIM card does not authenticate the
network
Limited encryption scope
Encryption terminated at the base station, in
clear on microwave links
Insecure key transmission
Cipher keys (Kc) and authentication parameters
are transmitted in clear between and within
networks

16
False Base Stations

Used as IMSI Catcher / GSM Interceptor for law
enforcement
Used to intercept mobile originated calls
Encryption controlled by network and user unaware
if it is not on

17
Principles of 3GPP Security

http//www.3gpp.org
Build on the security of GSM
Remain compatible with GSM network architecture
SIM authentication and radio interface encryption
Correct the problems with GSM
Stronger algorithms for authentication and
encryption
Add new security features

18
3GPP Security Architecture Overview

Main Focus Network access security
Mutual authentication between USIM and VLR
Message authentication and confidentiality
between USIM and VLR
Authentication (Integrity) key (IK) and
encryption key (CK)
Setup USIM and Home Network (HE/AuC) share a
long-term symmetric key, K
Protocol Authentication and Key Agreement (AKA)

19
3GPP - AKA
Mobile station
Home Network
Serving Network Conn Req Auth data req
Serving Network AV RAND,
AUTN RES
20
3GPP AKA Details

K, CK, IK 128 bits
RAND 128 bits
RES 32 128 bits
AUTN 128 bits
SQN, AK 48 bits
Concealment of SQN by AK is optional prevent
serving network from knowing the value of SQN
AMF (authentication management field) 16 bits
MAC (message authentication code) 64 bits
CK is used for encryption
IK is used for integrity check (message
authentication)
f1, f2, f3, f4, f5 are based on the AES block
cipher (Rijndael)
Consider them as distinct one-way functions
Both encryption and integrity check algorithms
are also based on the AES

21
AKA Network Authentication

What is the purpose of the pair MAC and XMAC?
To conduct network authentication.
That is, to let the cellphone make sure that the
serving network is a trustworthy network.
Details Suppose RAND is random. Then only the
entities who have K can compute a value of MAC
whose value is the same as that of XMAC.

22
References