Cryptography in Mobile Networks

1
Cryptography in Mobile Networks

• Mats Näslund
• Communication Security Lab
• Ericsson Research
• mats.naslund_at_ericsson.com
• March 6, 2009

2
Outline

• Overview of GSM Cryptography
• Some attacks on GSM
• Lessons to be learnt
• Overview of 3G UMTS Cryptography
• The new thing Cryptography in LTE

3
History

• Mobile (wireless) communication has inherent
  threats
• Eavesdropping
• Impersonation
• Connection hijacking
• ...
• Except early systems (e.g. NMT), use of
  cryptography has been deemed necessary

• Early systems were not perfect and under
  restrictions...

4
GSM Cryptography Overview
5
GSM Security

• Use of a smart card SIM Subscriber Identity
  Module, tamper resistant device holding critical
  information,
• e.g. 128-bit key shared with Home Operator
• The SIM is the entity which is authenticated
• Challenge response mechanism (one-sided)
• At the time (ca 1990) crypto was considered
  weapon
• Initial GSM algorithms (were) not publicly
  available
• Limited key size
• Special export version of encryption algorithms
• GSM ciphering on first hop only stream ciphers
  using 54/64 bit keys
• In a free world, we will soon see 128 bits in
  GSM
• Basic user identity protection (pseudonyms)

GSM crypto is probably (one of) the
mostfrequently used crypto in the world.
6
GSM Architecture (2G)
MSC Mobile Switching Center BSC Base Station
ControllerRBS Radio Base Station MS Mobile
Station HLR Home Location RegisterAuC
Authentication Center SIM Subcriber Identity
Module
HLR/AuC
To other (mobile) network(s)
MSC
BSC
RBS
MS
SIM
7
GSM Authentication Overview
Home Network
K
AuC/HLR
MSC
K
RBS
Visited Network
8
GSM Authentication Details
A3 and A8 Authentication and key derivation
(proprietary)
A5 encryption (A5/1-4, standardized)
Note one-sided authentication
Phone
Ki(128)
SIM
A3A8
A5/x
9
Quick Note LFSR

• (Linear feedback shift register)

key 0 1 1 0 1 0 1
State
...0
1

• Very efficient, rich theory, unfortunately very
  insecure
• Add non-linear components
• Combine several LFSRs
• Irregular clocking

10
Idea behind the attack
A5/2 is highly linear, can be expressed as
linear equation system in 660 unknown 0/1
variables, of which 64 is the key
If plaintext known, each 114-bit frame gives 114
equations
Only difference between frames is that frame
numberincreases by one.
Lesson 1 Avoid using the same key for
twodifferent things
After 6 frames (in reality only 4) we have gt 660
equations ? can solve! (Takes about 1sec on a PC)
Even if speech plaintext unknown, GSM control
channelscontains known info and uses same key as
speech channel!
11
Impact 1 Find key, eavesdrop (passive attack)
Impact 2 Active attacks in any network(False
base-station/man-in-the-middle attacks)
Lesson 2 Signalling that controls the security
should be authentciated/integrityprotected
5 Start encr A5/1
6 Start encr A5/2
8 Stop encr
9 Start encr A5/1
Lesson 3 If you change encryptionalgorithm,
change also the key
7 Attack ? key
12
Note

• A5/2 is an export version, not used in Sweden
  (or Europe)
• Attack does not apply to A5/1, A5/3
• well almost.
• Various countermeasures proposed but expensive
  toupgrade all equipment
• Adding integrity, change of keys as proposed on
  previous slidefall into the not-for-free
  category

• Simple and quite good solution is to phase out
  A5/2
• - This is in progress (done?)

13
GSM Summary

• GSM was desiged in the dark ages of crypto
• It addresses the threats that were considered at
  the time
• It targeted a 10-year economic lifetime
• The best feature of GSM security is that securiy
  is built-in
• as a user, you dont need to do configuration
  etc

14
UMTS Security Overview
15
3G (UMTS) Security

• Mutual Authentication with Replay Protection
• Protection of signalling data
• Secure negotiation of protection algorithms
• Integrity protection and origin authentication
• Encryption
• Protection of user data payload
• Encryption
• Open algorithms basis for security
• AES for authentication and key agreement
• Kasumi (block cipher) for confidentiality/integrit
  y
• Security level (key sizes) 128 bits
• Protection further into the network

16
UMTS Architecture (3G)
GSN GPRS Support Node SGSN Serving GSN GGSN
Gateway GSNRNC Radio Network Controller ME
Mobile Equipment
HLR/AuC
To other (mobile) network(s)
MSC
Internet
SGSN
GGSN
RNC
NodeB
K
ME
17
UMTS Encryption Example UEA1
COUNT BEARER DIR 00 (64 bits)
Kasumi
m (const)
?
c 1
c 2
c B
?
?
?
Provably secure underassumptions on Kasumi
Kasumi
Kasumi
Kasumi
Kasumi
CK(128 bits)
keystream XORed with plaintext
18
Note

• There are no known security problems with UMTS
• HSPA (a.k.a. Mobile broadband, Turbo 3G,...)
  is from crypto/security point of view identical
  to 3G/UMTS
• You can feel safe when using it!

19
LTE Long Term Evolution
20
Disclaimer on Notation

• LTE refers only to the radio part of the new
  standard
• Also other parts of the mobile network is
  upgraded
• Refered to as EPC, Evolved Packet Core
• Will for simplicty use LTE to denote the entire
  architecture
• If you do look at the standards document (3GPP TS
  33.401) you will not see the same names for keys
  etc

21
Background Standardization

• Mobile standards (including security functions)
  are definedby 3GPP (part of ETSI)
• Participation by mobile vendors and operators
• The cryptography is defined by SAGE (also part of
  ETSI)
• Special Algorithm Group of Experts
• 2006 initiative for next generation, LTE,
  started
• Slogan At least as secure as UMTS

22
LTE ThinkingStarting from a UMTS network...
HLR/AuC
After ? 1 years of discussion instandardization
it was decided to terminate (most) security in
NodeB.
MSC
Internet
SGSN
GGSN
RNC
secure env
insecure env
NodeB
ME
23
LTE- A simplified network -
HSS Home Subscriber System MME
Mobility Management Entity eNodeB Evolved NodeB
encryption
intgegrity
HSS
Internet IP services
Gateway
MME
eNodeB
K
ME
24
Recap of Lesson 1 and 3

• Dont use the same key for two different things

Suppose we have a function, F, from a set of
pseudo random functions (outputs look random)

• Applications
• Key1 for algorithm1, Key2 for algorithm2
• Key1 for encryption, Key2 for integrity
• Key1 for user data, Key2 for control sign.
• ...etc...

Key1 can not be reverse-engineered from Key2
(or v.v.) Key can not be reverse-engineered
from Key1 and/or Key2
25
Fasten Seatbelts...

• Notation
• black color for unprotected info
• red color for encrypted into
• yellow color for integrity protected info
• blue color for encrypted and integrity protected
• Next slides does not show which-key-is-used-for-wh
  at
• F denotes a PRF based on HMAC_SHA256
• AES1, AES2, AES3 denotes 3 PRFs based on AES

26
LTE Initial Attach
K
K
27
LTE Key Hirearchy
USIM/HSS
ME/HSS
ME/MME
ME/eNB
ME/MME
PRF infeasible to to get another key on same
level
28
Example
Ck, Ik
HSS
KA F(Ck, Ik, ....)
KA
MME
Ke F(KA, ....)
Ke
eNodeB
29
LTE Key Handling at Handover (1/3)
Backard Security
Gateway
MME
KA
Ke2 F(Ke1,...)
eNodeB1 Ke1
eNodeB2
KA, Ke1, ...
30
LTE Key Handling at Handover (2/3)
Gateway
MME
KA
eNodeB1 Ke1
eNodeB2
KA, Ke1, ...
31
LTE Key Handling at Handover (3/3)
Forward Security
Ke2 F(KA,...)
Gateway
MME
KA
eNodeB1 Ke1
eNodeB2
Ke2
Ke2 F(Ke1,...)
KA, Ke1, ...
Ke2
32
Inter-System Handover/Mobility

• 3GPP systems support optimized handover between
  systems,e.g. GSM ? UMTS during an ongoing call
• Waiting for (re)authentication too expensive
• The ongoing call would be halted
• Solution key transfer and implict
  authentication...

33
Implicit Authetication
... moves to UMTS
User already authenticated in GSM
HLR/AuC
KGSM
MSC
SGSN
BSC
RNC
or...?
KGSM
NodeB
RBS
KGSM
34
LTE Inter-system Key HandlingExample UMTS ? LTE
UMTS
LTE
KUMTS
KLTE F1(KUMTS)
KUMTS F2(KLTE)
SGSN
MME
RNC
NodeB
eNodeB
F1, F2 based on HMAC_SHA256
35
Note on Crypto capacity
600Mb/s
100Mb/s
NodeB
100Mb/s
36
LTE Crypto Algorithms...

• Key derivation (128 or 256 bits) functions using
• AES on the USIM card
• HMAC_SHA256 in the phone
• Integrity protection
• AES-CMAC
• Function based on polynomials over finite fields
• Can be proven to be secure
• Encryption
• AES-CounterMode
• SNOW 3G

37
SNOW 3G
Basic design by T. Johansson P. Ekdahl (U.
Lund) Improvements by ETSI SAGE
38
Summary

• Despite some attacks on GSM security, the
  security is so far pretty much a success story

Main reason convenience and invisibility to user

• UMTS crypto significantly improved, use with
  confidence

Main reason free world, longer keys, open
standard

• LTE much more complex, needed to meet at
  least as secure as 3G

Main reason security ends at the base station
39
(No Transcript)