Cryptography in Mobile Networks - PowerPoint PPT Presentation

About This Presentation

Title:

Cryptography in Mobile Networks

Description:

Protection of buisness (robust charging of subscribers) ... Fasten Seatbelts... Notation: black color for unprotected info. red color for encrypted into ... – PowerPoint PPT presentation

Number of Views:92

Avg rating:3.0/5.0

Slides: 40

Provided by: anderslilj

Category:

more less

Transcript and Presenter's Notes

Title: Cryptography in Mobile Networks

1
Cryptography in Mobile Networks

Mats Näslund
Communication Security Lab
Ericsson Research
mats.naslund_at_ericsson.com
March 6, 2009

2
Outline

Overview of GSM Cryptography
Some attacks on GSM
Lessons to be learnt
Overview of 3G UMTS Cryptography
The new thing Cryptography in LTE

3
History

Mobile (wireless) communication has inherent
threats
Eavesdropping
Impersonation
Connection hijacking
...
Except early systems (e.g. NMT), use of
cryptography has been deemed necessary

Early systems were not perfect and under
restrictions...

4
GSM Cryptography Overview
5
GSM Security

Use of a smart card SIM Subscriber Identity
Module, tamper resistant device holding critical
information,
e.g. 128-bit key shared with Home Operator
The SIM is the entity which is authenticated
Challenge response mechanism (one-sided)
At the time (ca 1990) crypto was considered
weapon
Initial GSM algorithms (were) not publicly
available
Limited key size
Special export version of encryption algorithms
GSM ciphering on first hop only stream ciphers
using 54/64 bit keys
In a free world, we will soon see 128 bits in
GSM
Basic user identity protection (pseudonyms)

GSM crypto is probably (one of) the
mostfrequently used crypto in the world.
6
GSM Architecture (2G)
MSC Mobile Switching Center BSC Base Station
ControllerRBS Radio Base Station MS Mobile
Station HLR Home Location RegisterAuC
Authentication Center SIM Subcriber Identity
Module
HLR/AuC
To other (mobile) network(s)
MSC
BSC
RBS
MS
SIM
7
GSM Authentication Overview
Home Network
K
AuC/HLR
MSC
K
RBS
Visited Network
8
GSM Authentication Details
A3 and A8 Authentication and key derivation
(proprietary)
A5 encryption (A5/1-4, standardized)
Note one-sided authentication
Phone
Ki(128)
SIM
A3A8
A5/x
9
Quick Note LFSR

(Linear feedback shift register)

key 0 1 1 0 1 0 1
State
...0
1

Very efficient, rich theory, unfortunately very
insecure
Add non-linear components
Combine several LFSRs
Irregular clocking

10
Idea behind the attack
A5/2 is highly linear, can be expressed as
linear equation system in 660 unknown 0/1
variables, of which 64 is the key
If plaintext known, each 114-bit frame gives 114
equations
Only difference between frames is that frame
numberincreases by one.
Lesson 1 Avoid using the same key for
twodifferent things
After 6 frames (in reality only 4) we have gt 660
equations ? can solve! (Takes about 1sec on a PC)
Even if speech plaintext unknown, GSM control
channelscontains known info and uses same key as
speech channel!
11
Impact 1 Find key, eavesdrop (passive attack)
Impact 2 Active attacks in any network(False
base-station/man-in-the-middle attacks)
Lesson 2 Signalling that controls the security
should be authentciated/integrityprotected
5 Start encr A5/1
6 Start encr A5/2
8 Stop encr
9 Start encr A5/1
Lesson 3 If you change encryptionalgorithm,
change also the key
7 Attack ? key
12
Note

A5/2 is an export version, not used in Sweden
(or Europe)
Attack does not apply to A5/1, A5/3
well almost.
Various countermeasures proposed but expensive
toupgrade all equipment
Adding integrity, change of keys as proposed on
previous slidefall into the not-for-free
category

Simple and quite good solution is to phase out
A5/2
- This is in progress (done?)

13
GSM Summary

GSM was desiged in the dark ages of crypto
It addresses the threats that were considered at
the time
It targeted a 10-year economic lifetime
The best feature of GSM security is that securiy
is built-in
as a user, you dont need to do configuration
etc

14
UMTS Security Overview
15
3G (UMTS) Security

Mutual Authentication with Replay Protection
Protection of signalling data
Secure negotiation of protection algorithms
Integrity protection and origin authentication
Encryption
Protection of user data payload
Encryption
Open algorithms basis for security
AES for authentication and key agreement
Kasumi (block cipher) for confidentiality/integrit
y
Security level (key sizes) 128 bits
Protection further into the network

16
UMTS Architecture (3G)
GSN GPRS Support Node SGSN Serving GSN GGSN
Gateway GSNRNC Radio Network Controller ME
Mobile Equipment
HLR/AuC
To other (mobile) network(s)
MSC
Internet
SGSN
GGSN
RNC
NodeB
K
ME
17
UMTS Encryption Example UEA1
COUNT BEARER DIR 00 (64 bits)
Kasumi
m (const)
?
c 1
c 2
c B
?
?
?
Provably secure underassumptions on Kasumi
Kasumi
Kasumi
Kasumi
Kasumi
CK(128 bits)
keystream XORed with plaintext
18
Note

There are no known security problems with UMTS
HSPA (a.k.a. Mobile broadband, Turbo 3G,...)
is from crypto/security point of view identical
to 3G/UMTS
You can feel safe when using it!

19
LTE Long Term Evolution
20
Disclaimer on Notation

LTE refers only to the radio part of the new
standard
Also other parts of the mobile network is
upgraded
Refered to as EPC, Evolved Packet Core
Will for simplicty use LTE to denote the entire
architecture
If you do look at the standards document (3GPP TS
33.401) you will not see the same names for keys
etc

21
Background Standardization

Mobile standards (including security functions)
are definedby 3GPP (part of ETSI)
Participation by mobile vendors and operators
The cryptography is defined by SAGE (also part of
ETSI)
Special Algorithm Group of Experts
2006 initiative for next generation, LTE,
started
Slogan At least as secure as UMTS

22
LTE ThinkingStarting from a UMTS network...
HLR/AuC
After ? 1 years of discussion instandardization
it was decided to terminate (most) security in
NodeB.
MSC
Internet
SGSN
GGSN
RNC
secure env
insecure env
NodeB
ME
23
LTE- A simplified network -
HSS Home Subscriber System MME
Mobility Management Entity eNodeB Evolved NodeB
encryption
intgegrity
HSS
Internet IP services
Gateway
MME
eNodeB
K
ME
24
Recap of Lesson 1 and 3

Dont use the same key for two different things

Suppose we have a function, F, from a set of
pseudo random functions (outputs look random)

Applications
Key1 for algorithm1, Key2 for algorithm2
Key1 for encryption, Key2 for integrity
Key1 for user data, Key2 for control sign.
...etc...

Key1 can not be reverse-engineered from Key2
(or v.v.) Key can not be reverse-engineered
from Key1 and/or Key2
25
Fasten Seatbelts...

Notation
black color for unprotected info
red color for encrypted into
yellow color for integrity protected info
blue color for encrypted and integrity protected
Next slides does not show which-key-is-used-for-wh
at
F denotes a PRF based on HMAC_SHA256
AES1, AES2, AES3 denotes 3 PRFs based on AES

26
LTE Initial Attach
K
K
27
LTE Key Hirearchy
USIM/HSS
ME/HSS
ME/MME
ME/eNB
ME/MME
PRF infeasible to to get another key on same
level
28
Example
Ck, Ik
HSS
KA F(Ck, Ik, ....)
KA
MME
Ke F(KA, ....)
Ke
eNodeB
29
LTE Key Handling at Handover (1/3)
Backard Security
Gateway
MME
KA
Ke2 F(Ke1,...)
eNodeB1 Ke1
eNodeB2
KA, Ke1, ...
30
LTE Key Handling at Handover (2/3)
Gateway
MME
KA
eNodeB1 Ke1
eNodeB2
KA, Ke1, ...
31
LTE Key Handling at Handover (3/3)
Forward Security
Ke2 F(KA,...)
Gateway
MME
KA
eNodeB1 Ke1
eNodeB2
Ke2
Ke2 F(Ke1,...)
KA, Ke1, ...
Ke2
32
Inter-System Handover/Mobility

3GPP systems support optimized handover between
systems,e.g. GSM ? UMTS during an ongoing call
Waiting for (re)authentication too expensive
The ongoing call would be halted
Solution key transfer and implict
authentication...

33
Implicit Authetication
... moves to UMTS
User already authenticated in GSM
HLR/AuC
KGSM
MSC
SGSN
BSC
RNC
or...?
KGSM
NodeB
RBS
KGSM
34
LTE Inter-system Key HandlingExample UMTS ? LTE
UMTS
LTE
KUMTS
KLTE F1(KUMTS)
KUMTS F2(KLTE)
SGSN
MME
RNC
NodeB
eNodeB
F1, F2 based on HMAC_SHA256
35
Note on Crypto capacity
600Mb/s
100Mb/s
NodeB
100Mb/s
36
LTE Crypto Algorithms...