8/6/2019 Rad Commendation UMTS Deciphering
Network Test Solutions
RADCOMmendation
Online UMTS Deciphering Using the Cellular Performer
RADCOM Ltd., 2004
Copyright 2004 by RADCOM
This documentation contains proprietary information of RADCOM Ltd. and RADCOM Equipment Inc. Such
information is hereby supplied solely for the purpose of informing explicitly and properly authorized persons
of the documentation on the operation of RADCOM equipment. Without the express prior written permission
of RADCOM Ltd. and RADCOM Equipment Inc., no part of the contents hereof may be used for any other
purpose, disclosed to persons or firms outside the recipient company, or reproduced by any means.
The text and drawings herein are for the purpose of illustration and reference only. The specifications on which
they are based are subject to change without notice.
Publication Date: November, 2004
Trademark Acknowledgements
RADCOM is a trademark of RADCOM Ltd. in Israel and/or other countries. Microsoft Windows and
Microsoft Windows NT are registered trademarks of Microsoft Corporation in the US and/or other
countries. All other brand and product names referred to herein are either registered or unregistered trademarks
or service marks belonging to their respective owners.
Preview
Many service providers are deploying UMTS 3G services, and some have already launched them. UMTS provides its
users with voice, data and video. UMTS ciphering is used between the end-user mobile device and the RNC
to protect the privacy of user information, i.e. both dedicated signalling and the user payload (voice, data or
video), from being seen by unauthorized hackers who might try to attack the operator's more sensitive and
exposed part, the radio interface. Many operators are now deploying ciphering on their GPRS and UMTS
networks. Once ciphering is enabled, most of the information over the radio interface and the Iub and Iur
interfaces is no longer visible.
Therefore, in order to analyze and troubleshoot the Iub interface while ciphering is active, a protocol
analyzer with deciphering capabilities is needed.
Background
The ciphering mechanism is activated between the MS and the RNC. When the MS accesses the network, it
informs the RNC about the ciphering algorithms that it can support. The RNC then uses the Security Mode
Command to indicate which ciphering algorithm will be used and to activate the ciphering mechanism. Both the
RNC and the MS use a Kc (ciphering key) that is stored in the MS and the RNC. This Kc is provided from the AuC over
the Iu interface during the process of Authentication and Ciphering of the MS in the network.
What is encrypted and what is not:
- Encrypts most signaling and all user data
- Encrypts only dedicated channels
- Signaling radio bearers
- Data radio bearers
- Managed by the RNC
- Ciphered in the MAC layer for transparent RLC mode
- Ciphered in the RLC layer for non-transparent RLC mode
RADCOM provides a winning combination: a UMTS online deciphering package, the
Multi OC-3/STM-1 LIM with up to 4 ports, and the UMTS Consultants.
This document explains how to demonstrate this feature.
Elements Needed to Demonstrate UMTS Online Deciphering:
- Cellular Performer Analyzer
- GenFEP
- Multi OC3/STM-1 Interface with 2 or 4 OC-3 ports.
  The ciphering keys are provided to the RNC over the Iu interface. Many vendors use, for example, 2 STM-1 links
  with load balancing or load sharing for Iu-PS and/or 1 STM-1 for Iu-CS. So with the new
  LIM with 4 OC-3 ports we can capture the STM-1 for Iub, the 2 x STM-1 of Iu-PS and the 1 x STM-1
  for Iu-CS using a single GenFEP and LIM.
- UMTS Deciphering Online application add-on authorization
- Iub and Iu Consultants
Connection Setup
A typical connection setup to make a live demo of UMTS deciphering is depicted in the following
figure:
Configuration:
1. Configuration of Multi OC3/STM-1 interface: To facilitate the complete deciphering of user sessions on
the Iub interface for any kind of service (voice, video call, video streaming or data), it is extremely important to
have the capability to capture the Iu-PS and Iu-CS interfaces (to read and extract the ciphering
keys) at the same time as the Iub interface. The new Multi OC3/STM-1 interface makes this possible.
Our example uses 2 Iu-PS STM-1 links in load balancing, another STM-1 link for the Iu-CS, and a single
STM-1 Iub interface carrying the aggregated traffic coming from several Node Bs to the RNC.
Note: The Multi OC3 has two possible configurations, both reflected in the price list.
- PA-LIM-LB-OC3-2P: Load Balancing ATM OC-3/STM-1 LIM (optical transceivers not included).
  Requires PA-FEP-GenFEP and 4 compatible SFPs (MM or SM).
- PA-CA-LB-2P-SM or PA-CA-LB-2P-MM: 2 more ports for Load Balancing ATM OC-3/STM-1 capability add-on with
  Single mode transceivers. Requires PA-LIM-LB-OC3-2P. (These SFF connectors are built-in and assembled in
  RADCOM, so it is very important to specify if the SM or MM option is needed in the order.)
DUAL or (QUAD) ATM OC-3/STM-1 INTERFACE MODULE:
- 2 full duplex STM-1 ports (requires 4 removable SFP, SM or MM), LC/PC connectors.
- 2 additional (option) full duplex STM-1 ports (use 2 SFF assembled onboard; customer must specify SM or MM
  transceivers in purchase order).
The following screen shows the physical configuration of the ports of the Multi OC3/STM-1 interface.
- For ports 1,2 and 3,4 you can select either Pass Through or Optical Splitter.
- For ports 5,6 and 7,8 only Rx for a connection with an Optical Splitter is available.
Configure all of the following, and use the Advanced Port Configuration to specify which ports are Uplink and
which are Downlink.
Select the Deciphering button to specify which ports are going to be used for Iub and Iu, and select the
Deciphering check box to enable the Deciphering option online.
Now you are ready to start tracing the Iub sessions or all user sessions, whether they are ciphered or not.
Note that only one Consultant can be run at a time for each GenFEP, since initially Iu monitoring is used to
extract the ciphering keys. Let's concentrate on the Iub interface to show the deciphered sessions.
Open the Iub Consultant. Ask the customer to provide you with a defined IMSI that they know is ciphered.
Make a query on this specific IMSI, and show the detailed signaling flows. (At the same time it will be a good
opportunity to explain how deciphering works and the messages involved.)
1. RRC Connection Setup: During this process, the MS informs the RNC in the RRC Connection Setup
Complete message about the ciphering algorithms supported by the cellular equipment. (In the example we
see that this mobile equipment supports the uea1 and uea0 ciphering algorithms.)
2. The MS starts the Ciphering Key Sequence Number that will be used during the Authentication process, to
receive the RAND and AUTN.
3. Authentication Process: The MSC/VLR (which previously stored the quintuplets for this mobile) sends the
next Ciphering Key Sequence Number and the RAND and AUTN vectors for authentication of the MS to the MS
in the Authentication Request message, and the MS completes the Authentication Process by sending the RES
vector in the Authentication Response message.
After Authentication the MS and RNC already have the Kc generated and stored.
3. Using the RANAP: Security Mode Command message the network informs the RNC of the encryption
algorithm permitted in the communication with the network, and the SGSN or VLR sends the RNC the
Deciphering Key for the RNC. The RNC then informs the UE of the ciphering algorithm chosen in the RRC:
Security Mode Command message sent from RNC to UE.
(Screenshot callouts: Ciphering Key Vector, Chosen Ciphering Algorithm)
4. The Security Mode Command Complete message is the starting point and trigger for the encryption
mechanism. The RNC sends this message to the MSC/VLR or SGSN after receiving confirmation from the UE,
to inform it of the chosen Integrity and Ciphering Algorithms.
5. After the dedicated signaling with the UE and the user payload are encrypted, RADCOM's online deciphering
enables the user to spotlight the next messages on the Iub interface for this MS. As you can see, with
deciphering, the whole process can be followed on the Performer.
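The signaling sequence in steps 1 to 5 above, replayed as an added example (not RADCOM code and not part of the original document): a small Python tracker that decides per IMSI whether Iub traffic is ciphered and whether a key was captured on Iu to decipher it. The record layout, field names, IMSIs and key bytes are constructed for illustration; message names follow the document.

```python
# Added example: record layout and field names are assumptions; data is constructed.
from dataclasses import dataclass, field

@dataclass
class Session:
    ue_algs: set = field(default_factory=set)    # RRC Connection Setup Complete (Iub)
    permitted: set = field(default_factory=set)  # RANAP Security Mode Command (Iu)
    key: bytes = b""                             # ciphering key carried on Iu
    chosen: str = ""                             # RRC Security Mode Command (Iub)
    ciphering_on: bool = False                   # Security Mode Command Complete

def status(s):
    if not s.ciphering_on:
        return "plaintext: security mode not completed"
    if s.chosen == "uea0":
        return "plaintext: uea0 chosen, nothing to decipher"
    if s.chosen not in s.ue_algs or (s.permitted and s.chosen not in s.permitted):
        return "anomaly: chosen algorithm was not offered by both sides"
    if not s.key:
        return "ciphered, not decodable: no key captured on Iu"
    return f"ciphered, decodable with {s.chosen}"

def track(records):
    """Replay (interface, imsi, message, fields) records; return status per IMSI."""
    sessions = {}
    for iface, imsi, msg, f in records:
        s = sessions.setdefault(imsi, Session())
        if msg == "RRC Connection Setup Complete":
            s.ue_algs = set(f["supported"])
        elif msg == "RANAP Security Mode Command" and iface.startswith("Iu-"):
            s.permitted, s.key = set(f["permitted"]), f["key"]
        elif msg == "RRC Security Mode Command":
            s.chosen = f["chosen"]
        elif msg == "Security Mode Command Complete":
            s.ciphering_on = True
    return {imsi: status(s) for imsi, s in sessions.items()}

A, B, C = "001010000000001", "001010000000002", "001010000000003"  # constructed IMSIs
SAMPLE = [
    ("Iub", A, "RRC Connection Setup Complete", {"supported": ["uea0", "uea1"]}),
    ("Iu-PS", A, "RANAP Security Mode Command", {"permitted": ["uea1"], "key": bytes(16)}),
    ("Iub", A, "RRC Security Mode Command", {"chosen": "uea1"}),
    ("Iu-PS", A, "Security Mode Command Complete", {}),
    ("Iub", B, "RRC Connection Setup Complete", {"supported": ["uea0", "uea1"]}),
    ("Iub", B, "RRC Security Mode Command", {"chosen": "uea1"}),  # Iu not captured for B
    ("Iub", B, "Security Mode Command Complete", {}),
    ("Iub", C, "RRC Security Mode Command", {"chosen": "uea0"}),
    ("Iu-CS", C, "Security Mode Command Complete", {}),
]
```

Calling `track(SAMPLE)` shows why the Iu links must be captured together with Iub: session B is ciphered on Iub but cannot be decoded because no key was seen on Iu.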
Summary
Why is the UMTS Deciphering Important?
Once ciphering is activated the only possibility to analyze the ciphered traffic in Iub sessions is by using
deciphering.
Who needs the deciphering?
The vendors: to verify that their ciphering implementation is working correctly in their labs and on customer
premises.
The operators, at all levels of Radio Access Network operations: to trace many users while
deciphering the information in real time, so that they can see the signalling messages and user data, detect and fix
problems, and guarantee QoS to their customers.
Here is RADCOM's best cocktail to make a killer sales application:
Consultants, UMTS Deciphering On-Line
US Office:
RADCOM Equipment Inc.
6 Forest Avenue, Paramus, NJ 07652, USA
Tel: (201) 518-0033 or 1-800-RADCOM-4, Fax: (201) 556-9030
Israel Office:
RADCOM Ltd.
24 Raoul Wallenberg St., Tel Aviv, 69719, Israel
Tel: 972-3-6455055, Fax: 972-3-6474681
China Office:
RADCOM Ltd.
Handerson Center, Office 506, Tower 3, 18 Jianguomennei Avenue, Beijing 1000005, P.R. China
Tel: +86-10-65187723, Fax: +86-10-65187721
United Kingdom Office:
RADCOM UK
2440 The Quadrant, Aztec West, Almondsbury
Bristol, BS32 4AQ England
Tel: +44-145-487-8827, Fax: +44-145-487-8788
Web Site:
http://www.radcom.com
RADCOM, 2004