Title: Security Algorithms for Mobile Networks
1Security Algorithms for Mobile Networks
- By
- Lakshaman Singh Parihar
- ME CS 2001H103425
2Security Definition ?
- The two facets to security in communications
perspective - Privacy of Communications The networks have
evolved over time to provide all kinds of
services to the user. - Correctness of Billing Intricacies on the
wireless interface.
- Security concerns
- Communications on a Shared Media (party lines)
can be intercepted by any user. - A communication request does not uniquely
identify the originator.
3How to Achieve ?
- Non Cryptographic Means MIN/ESN
- Cryptographic Means Encrypt the Data
4Privacy Requirements
- Call Setup Information Calling number,type of
Service - Speech / Message Eavesdropping
- Data
- User Location
- User Identification
- Calling Patterns Frequency of calling, financial
transations
5Theft Resistance Requirements
- Clone Resistant Design prevent compromise of the
unique information. - Unique user Id More than two users can use a MS
- Unique MS Id Uniquely identifies a stolen MS
6First Generation Systems
- Were the Analog Systems 825-845 870-890 MHZ
- Used Non cryptographic means (MIN / ESN)
MIN Mobile Identity Number ( 10 digit telephone
number). ESN Electronic Serial Number ( 32 bit
binary stored in
ROM during manufacture). 32
bit 8 bit manufacturer code
6 bit reserved (unused) 18
bit manufacturer
assigned serial number
7First Generation Systemscontd
Security Protocol - MS sends MIN/ESN in plain
to authenticate itself while receiving or
placing calls. (Cloning) - The switching
system checks the MIN/ESN against a
bad/stolen unit list - If an MS roams into a
new system authenticate from its HLR -
All communications is sent in clear
(Eavesdropping)
8Cryptographic Requirements
- Low power, low gate count hardware as well as
software. - No practical attack significantly more efficient
than exhaustive key search. - Fast in operation.
92G GSM Systems
GSM Global System for Mobile Communications 1.
Operates at 900 MHz and 1800 MHz. 2. Uses TDMA
technology to divide bandwidth. 3. High
mobility, reachability. 4. Integrated Security
mechanisms - Encryption of transmitted
data - Authentication (PIN, SIM etc)
- Temporary Identification (pseudonyms)
10GSM Security Model
Based on a shared secret key between HLR and
SIM card of subscriber called Ki, (128
bit). Stored in the SIM card of the subscriber
and at the Authentication Center of MSC. The
key is used for authentication and generation of
the session key used for encryption of data over
the air channel.
11GSM Authentication Algo. A3
- A3 implemented in SIM and Authentication center
- MSC sends a Random Challenge (RAND) to MS.
- RAND and Ki given as input to A3 which gives a
32 bit Signed Response (SRES). - MS sends back SRES which is compared with SRES
generated at MSC.
12GSM Session Key GenerationAlgo. A8
Session key Kc is generated from RAND and Ki. Kc
is 64 bit key used to encrypt over the air
channel. Both SIM and AuC run A8 algorithm and
generate Kc. Same session key used until MS is
authenticated again
13GSM COMP-128
A3 and A8 algorithms together are known as
COMP-128 algorithm. COMP-128 generates both SRES
and Kc as 128 bit output in one run. First 32
bits SRES. Last 54 bits Kc. Kc is actually
64 bits. 10 zero bits are appended to the 54 bit
output of COMP- 128. COMP-128 implemented in SIM
and AuC.
14GSM Encryption Algo. A5
It is a symmetric stream cipher algorithm which
is run for every frame sent. It is initialized
with the session key Kc and the frame number
being encrypted/decrypted. Inputs 64 bit Kc, 22
bit frame number. Output 114 bit key
block. This key block is XORed with the 114 bit
voice stream and the result is sent over the air.
15GSM Algorithm Implementation
16GSM Flaws in the Security Model
The problems in GSM security model stem by and
large from the design limitations on what is
protected rather than defects in security
mechanisms themselves.
- Active attacks using a "false base station" are
possible. - Cipher keys and authentication data are
transmitted in clear between and within networks. - Ecryption does not extend far enough towards the
core network resulting in the cleartext
transmission of user and signalling data across
microwave links (in GSM, from the BTS to the
BSC). - Lack of confidence in cryptographic algorithms.
173G The Third Generation Partnership Project
Global standardization initiative (Dec.
1998) Concept devised by ETSI and
SDOs. Referred to as UMTS. Original scope To
develop technical specs. for a 3G mobile system
based on GSM core n/w and UTRA. Amended to
include maintenance of GSM standards and GPRS.
183G Security Principles
- Build on the GSM security features that are
robust and needed. - Correct the problems with GSM by addressing its
weaknesses. - Add new security features to provide additional
services offered by 3G.
193G Security algo. Used
f0 f0 random challenge generating
function f1 network authentication
function f1 the re-synchronisation message
authentication function f2 user authentication
function f3 cipher key derivation
function f4 integrity key derivation
function f5 anonymity key derivation function for
normal operation f5 anonymity key derivation
function for re-synchronisation f8 UMTS
encryption algorithm f9 UMTS integrity algorithm
203G Confidentiality f8 and Integrity f9 Algo.
f8 Algorithm - stream cipher that
encrypts/decrypts blocks of data between 1
and 20000 bits in length. - 128 bit
Confidentiality Key (CK)
f9 Algorithm - Computes a MAC on the input
message. - 128 bit Integrity Key. Both
algorithms depend on KASUMI, a block cipher
algorithm
213G KASUMI Algo.
- Fiestel cipher with 8 rounds.
- Operates on 64 bit data blocks using 128 bit
key. - Basic operation
- - Input data block I (64 bit), Key K (128 bit)
and - 64 bit output OUTPUT.
- - Input I divided into 32 bit strings L0 and
R0. - - Ri Li-1, Li Ri-1 XOR fi (Li-1, RKi).
- - OUTPUT L8 R8.
- - fi is the round function.
223G KASUMI 2
- Round Function fi.
- - 32 bit input and 32 bit output.
- - Round Key RKi split as (KLi, KOi, Kli).
- - Consists of two sub functions FL and FO with
- subkeys KLi (for FL) and KOi, Kli (for FO).
- - fi(I,RKi) FO( FL( I, KLi), KOi, KIi )
(ODD). - fi(I,RKi) FL( FO( I, KOi, KIi ), KLi)
(EVEN)
233G KASUMI 3
- S boxes
- - complex XOR function of the input bits.
- - defined completely in the specifications.
- - can be implemented either in H/W as a
- combinational logic of XOR gates or in S/W
as a - lookup table.
- Key Schedule
- - Each key has a different key.
- - derived from the 128 bit key K and a
- set of 8 constants Cis.
24References
1 Vijay K. Garg and Joseph E. Wilkes, Wireless
and Personal Communications Systems, Prentice
Hall, NJ, 1996, pp 227-239. 2 TS 33.120
Security principles and objectives technical
specification document produced by the 3rd
generation partnership project. 3 TS 33.102
Security architecture technical specification
document produced by the 3rd generation
partnership project.