GSM and UMTS Security

1
GSM and UMTS Security

• Vishal Prajapati (08305030)
• Vishal Sevani (07405010)
• Om Pal (07405702)
• Sudhir Rana (05005002)

2
GSM Security Architecture
HLR/AuC
VLR
Home network
Switching and routing
Other Networks (GSM, fixed, Internet, etc.)
SIM
Visited network
3
GSM Security Features

• Authentication
• network operator can verify the identity of the
  subscriber making it infeasible to clone someone
  elses mobile phone
• Confidentiality
• protects voice, data and sensitive signalling
  information (e.g. dialled digits) against
  eavesdropping on the radio path
• Anonymity
• protects against someone tracking the location of
  the user or identifying calls made to or from the
  user by eavesdropping on the radio path

4
GSM Authentication Protocol
Authentication Data Request
RAND, XRES, Kc
RAND
RES XRES?
RES
5
Encryption in GSM
6
GSM Encryption Principles

• Data on the radio path is encrypted between the
  Mobile Equipment (ME) and the Base Transceiver
  Station (BTS)
• protects user traffic and sensitive signalling
  data against eavesdropping
• extends the influence of authentication to the
  entire duration of the call
• Uses the encryption key (Kc) derived during
  authentication

7
GSM User Identity Confidentiality

• User identity confidentiality on the radio access
  link
• temporary identities (TMSIs) are allocated and
  used instead of permanent identities (IMSIs)
• Helps protect against
• tracking a users location
• obtaining information about a users calling
  pattern
• IMSI International Mobile Subscriber Identity
• TMSI Temporary Mobile Subscriber Identity

8
Specific GSM Security Problems

• The GSM cipher A5/2
• A5/2 is now so weak that the cipher key can be
  discovered in near real time using a very small
  amount of known plaintext
• Aim find the initial internal state of the
  registers.
• Each frame in - 4.615 ms
• So 28 frames in a sec.
• After finding the initial state go backward and
  can generate Kc

9

• False Base Station Attack(1)
• Compromises User Identity Confidentiality
• Force MS to send IMSI
• Cipher mode fault

10

• False Base Station Attack(2)
• Active attack
• IDENTITY REQUEST
• Compromises User Data Confidentiality

Source LiTH-ISY-EX-3559-2004
11
Accessing Signaling network

• No requirement of decrypting skills
• Need a instrument that captures microwave
• Gains control of communication between MS and
  intended receiver

12
UMTS Security Mechanisms
13
Limitations of GSM Security

• Design only provides access security -
  communications and signalling in the fixed
  network portion arent protected
• Design does not address active attacks, whereby
  network elements may be impersonated
• Design goal was only ever to be as secure as the
  fixed networks to which GSM systems connect
• Short key size of Kc (64 bits) makes it more
  vulnerable to various attacks

14
Enhancements in UMTS vs GSM

• Mutual Authentication
• provides enhanced protection against false base
  station attacks by allowing the mobile to
  authenticate the network
• Data Integrity
• provides enhanced protection against false base
  station attacks by allowing the mobile to check
  the authenticity of certain signalling messages
• Network to Network Security
• Secure communication between serving networks.
  MAPSEC or IPsec can be used

15
UMTS Enhancements (contd)

• Wider Security Scope
• Security is based within the RNC rather than the
  base station
• Flexibility
• Security features can be extended and enhanced as
  required by new threats and services
• Longer Key Length
• Key length is 128 as against 64 bits in GSM

16
UMTS Radio Access Link Security
(1) Distribution of authentication vectors
(2) Authentication
D
HLR
AuC
H
MSC
(3) CK,IK
(3) CK, IK
(4) Protection of the access link (ME-RNC)
MSC circuit switched services SGSN packet
switched services
RNC
USIM
ME
BTS
SGSN
Access Network (UTRAN)
Visited Network
User Equipment
Home Network
17
Authentication and Key Agreement

• Mutual Authentication between user and the
  network
• Establishes a cipher key and integrity key
• Assures user that cipher/integrity keys were not
  used before, thereby providing protection against
  replay attacks

18
Authentication and Key Agreement
19
Authentication and Key Agreement
20
UMTS Integrity Protection Principles

• Protection of some radio interface signalling
• protects against unauthorised modification,
  insertion and replay of messages
• applies to security mode establishment and other
  critical signalling procedures
• Helps extend the influence of authentication when
  encryption is not applied
• Uses the 128-bit integrity key (IK) derived
  during authentication
• Integrity applied at the Radio Resource Control
  (RRC) layer of the UMTS radio protocol stack
• signalling traffic only

21

Integrity Check
Integrity and authentication of origin of
signalling data provided. The integrity algorithm
(KASUMI) uses 128 bit key and generates 64 bit
message authentication code.
22
UMTS Encryption Principles

• Data on the radio path is encrypted between the
  Mobile Equipment (ME) and the Radio Network
  Controller (RNC)
• protects user traffic and sensitive signalling
  data against eavesdropping
• extends the influence of authentication to the
  entire duration of the call
• Uses the 128-bit encryption key (CK) derived
  during authentication

23
Encryption
Signaling and user data protected from
eavesdropping. Secret key, block cipher algorithm
(KASUMI) uses 128 bit cipher key.
24
Protection Against Active Attacks
25

• False Base Station Attack(1)
• Compromises User Identity Confidentiality
• Reason
• No provision to ascertain the origin of
  information ie. lack of integrity check

26

• False Base Station Attack(2)
• Exploits user data confidentiality
• Reason
• No provision to ascertain the origin of
  information ie. lack of integrity check

Source LiTH-ISY-EX-3559-2004
27

• False Base Station Attack
• Solution
• Use of Integrity Check
• After AKA SRNC sends integrity protected message
  containing security capabilities of the ME, which
  the mobile verifies to ensure there is no foul
  play

28
Lack of Network Domain Security

• No security for communication between network
  elements in GSM
• Easy to gain access to sensitive information such
  as Kc
• Network Domain Security in UMTS foils these
  attacks

29
Summary of UMTS Security

• UMTS builds upon security mechanisms of GSM, and
  in addition provides following enhancements,
• Encryption terminates at the radio network
  controller
• Mutual authentication and integrity protection of
  critical signalling procedures to give greater
  protection against false base station attacks
• Longer key lengths (128-bit)
• Network Domain Security using MAPSEC or IPSec

30
References

• UMTS security, Boman, K. Horn, G. Howard, P.
  Niemi, V. Electronics Communication Engineering
  Journal, Oct 2002, Volume 14, Issue5, pp. 191-
  204
• "Evaluation of UMTS security architecture and
  services, A. Bais, W. Penzhorn, P. Palensky,
  Proceedings of the 4th IEEE International
  Conference on Industrial Informatics, p. 6,
  Singapore, 2006
• UMTS Security, Valtteri Niemi, Kaisa Nyberg,
  published by John Wiley and Sons, 2003
• GSM-Security a Survey and Evaluation of the
  Current Situation, Paul Yousef, Masters thesis,
  Linkoping Institute of Technology, March 2004
• GSM Security, Services, and the SIM Klaus
  Vedder, LNCS 1528, pp. 224-240, Springer-Verlag
  1998
• Instant ciphertext-only cryptanalysis of GSM
  encrypted communication, Elad Barkan, Eli Biham,
  Nathan Keller, Advances in Cryptology CRYPTO
  2003