Security Algorithms for Mobile Networks

1
Security Algorithms for Mobile Networks

• By
• Lakshaman Singh Parihar
• ME CS 2001H103425

2
Security Definition ?

• The two facets to security in communications
  perspective
• Privacy of Communications The networks have
  evolved over time to provide all kinds of
  services to the user.
• Correctness of Billing Intricacies on the
  wireless interface.

• Security concerns
• Communications on a Shared Media (party lines)
  can be intercepted by any user.
• A communication request does not uniquely
  identify the originator.

3
How to Achieve ?

• Non Cryptographic Means MIN/ESN
• Cryptographic Means Encrypt the Data

4
Privacy Requirements

• Call Setup Information Calling number,type of
  Service
• Speech / Message Eavesdropping
• Data
• User Location
• User Identification
• Calling Patterns Frequency of calling, financial
  transations

5
Theft Resistance Requirements

• Clone Resistant Design prevent compromise of the
  unique information.
• Unique user Id More than two users can use a MS
• Unique MS Id Uniquely identifies a stolen MS

6
First Generation Systems

• Were the Analog Systems 825-845 870-890 MHZ
• Used Non cryptographic means (MIN / ESN)

MIN Mobile Identity Number ( 10 digit telephone
number). ESN Electronic Serial Number ( 32 bit
binary stored in
ROM during manufacture). 32
bit 8 bit manufacturer code
6 bit reserved (unused) 18
bit manufacturer
assigned serial number
7
First Generation Systemscontd
Security Protocol - MS sends MIN/ESN in plain
to authenticate itself while receiving or
placing calls. (Cloning) - The switching
system checks the MIN/ESN against a
bad/stolen unit list - If an MS roams into a
new system authenticate from its HLR -
All communications is sent in clear
(Eavesdropping)
8
Cryptographic Requirements

• Low power, low gate count hardware as well as
  software.
• No practical attack significantly more efficient
  than exhaustive key search.
• Fast in operation.

9
2G GSM Systems
GSM Global System for Mobile Communications 1.
Operates at 900 MHz and 1800 MHz. 2. Uses TDMA
technology to divide bandwidth. 3. High
mobility, reachability. 4. Integrated Security
mechanisms - Encryption of transmitted
data - Authentication (PIN, SIM etc)
- Temporary Identification (pseudonyms)
10
GSM Security Model
Based on a shared secret key between HLR and
SIM card of subscriber called Ki, (128
bit). Stored in the SIM card of the subscriber
and at the Authentication Center of MSC. The
key is used for authentication and generation of
the session key used for encryption of data over
the air channel.
11
GSM Authentication Algo. A3

• A3 implemented in SIM and Authentication center
• MSC sends a Random Challenge (RAND) to MS.
• RAND and Ki given as input to A3 which gives a
  32 bit Signed Response (SRES).
• MS sends back SRES which is compared with SRES
  generated at MSC.

12
GSM Session Key GenerationAlgo. A8
Session key Kc is generated from RAND and Ki. Kc
is 64 bit key used to encrypt over the air
channel. Both SIM and AuC run A8 algorithm and
generate Kc. Same session key used until MS is
authenticated again
13
GSM COMP-128
A3 and A8 algorithms together are known as
COMP-128 algorithm. COMP-128 generates both SRES
and Kc as 128 bit output in one run. First 32
bits SRES. Last 54 bits Kc. Kc is actually
64 bits. 10 zero bits are appended to the 54 bit
output of COMP- 128. COMP-128 implemented in SIM
and AuC.
14
GSM Encryption Algo. A5
It is a symmetric stream cipher algorithm which
is run for every frame sent. It is initialized
with the session key Kc and the frame number
being encrypted/decrypted. Inputs 64 bit Kc, 22
bit frame number. Output 114 bit key
block. This key block is XORed with the 114 bit
voice stream and the result is sent over the air.
15
GSM Algorithm Implementation
16
GSM Flaws in the Security Model

The problems in GSM security model stem by and
large from the design limitations on what is
protected rather than defects in security
mechanisms themselves.

• Active attacks using a "false base station" are
  possible.
• Cipher keys and authentication data are
  transmitted in clear between and within networks.
• Ecryption does not extend far enough towards the
  core network resulting in the cleartext
  transmission of user and signalling data across
  microwave links (in GSM, from the BTS to the
  BSC).
• Lack of confidence in cryptographic algorithms.

17
3G The Third Generation Partnership Project
Global standardization initiative (Dec.
1998) Concept devised by ETSI and
SDOs. Referred to as UMTS. Original scope To
develop technical specs. for a 3G mobile system
based on GSM core n/w and UTRA. Amended to
include maintenance of GSM standards and GPRS.
18
3G Security Principles

• Build on the GSM security features that are
  robust and needed.
• Correct the problems with GSM by addressing its
  weaknesses.
• Add new security features to provide additional
  services offered by 3G.

19
3G Security algo. Used
f0 f0 random challenge generating
function f1 network authentication
function f1 the re-synchronisation message
authentication function f2 user authentication
function f3 cipher key derivation
function f4 integrity key derivation
function f5 anonymity key derivation function for
normal operation f5 anonymity key derivation
function for re-synchronisation f8 UMTS
encryption algorithm f9 UMTS integrity algorithm
20
3G Confidentiality f8 and Integrity f9 Algo.
f8 Algorithm - stream cipher that
encrypts/decrypts blocks of data between 1
and 20000 bits in length. - 128 bit
Confidentiality Key (CK)
f9 Algorithm - Computes a MAC on the input
message. - 128 bit Integrity Key. Both
algorithms depend on KASUMI, a block cipher
algorithm
21
3G KASUMI Algo.

• Fiestel cipher with 8 rounds.
• Operates on 64 bit data blocks using 128 bit
  key.
• Basic operation
• - Input data block I (64 bit), Key K (128 bit)
  and
• 64 bit output OUTPUT.
• - Input I divided into 32 bit strings L0 and
  R0.
• - Ri Li-1, Li Ri-1 XOR fi (Li-1, RKi).
• - OUTPUT L8 R8.
• - fi is the round function.

22
3G KASUMI 2

• Round Function fi.
• - 32 bit input and 32 bit output.
• - Round Key RKi split as (KLi, KOi, Kli).
• - Consists of two sub functions FL and FO with
• subkeys KLi (for FL) and KOi, Kli (for FO).
• - fi(I,RKi) FO( FL( I, KLi), KOi, KIi )
  (ODD).
• fi(I,RKi) FL( FO( I, KOi, KIi ), KLi)
  (EVEN)

23
3G KASUMI 3

• S boxes
• - complex XOR function of the input bits.
• - defined completely in the specifications.
• - can be implemented either in H/W as a
• combinational logic of XOR gates or in S/W
  as a
• lookup table.
• Key Schedule
• - Each key has a different key.
• - derived from the 128 bit key K and a
• set of 8 constants Cis.

24
References
1 Vijay K. Garg and Joseph E. Wilkes, Wireless
and Personal Communications Systems, Prentice
Hall, NJ, 1996, pp 227-239. 2 TS 33.120
Security principles and objectives technical
specification document produced by the 3rd
generation partnership project. 3 TS 33.102
Security architecture technical specification
document produced by the 3rd generation
partnership project.