final ppt bvrit

CRYPTOGRAPHIC ALGORITHMS FOR UMTS

Upload: rakesh-muppaneni

Post on 03-Apr-2015


TRANSCRIPT

Page 1: final ppt bvrit

CRYPTOGRAPHIC ALGORITHMS FOR UMTS

Page 2: final ppt bvrit

OVERVIEW
Mobile phone architecture
GSM security features
The false base station attack
SIM cloning attack
UMTS security

Page 3: final ppt bvrit

Mobile phone architecture

[Figure: mobile equipment with SIM; RNS containing base stations (BS) and radio network controllers (RNC); Core Network containing AuC, HLR and VLR]

Page 4: final ppt bvrit

Mobile Phone Architecture
Mobile Equipment (e.g. mobile phone)
◦ SIM: Subscriber Identity Module

RNS (Radio Network Subsystem)
◦ RNC: Radio Network Controller
◦ BS: Base Station

Core Network:
◦ HLR: Home Location Register
◦ AuC: Authentication Centre
◦ VLR: Visitor Location Register

Page 5: final ppt bvrit

GSM security features
Subscriber identity confidentiality.
Subscriber identity authentication.
User data confidentiality on physical connections.
Connectionless user data confidentiality.
Signalling information element confidentiality.

Page 6: final ppt bvrit

GSM security algorithms
There are three main security algorithms used in the GSM system, namely:
◦ A3 (the authentication algorithm)
◦ A8 (the ciphering key generating algorithm)
◦ A5 (the ciphering algorithm)

Page 7: final ppt bvrit

Security issues with GSM
Though security is one of the main strengths of GSM, the system does have some security weaknesses, which are:
◦ GSM algorithms security
◦ The false base station attack
◦ SIM cloning attack

Page 8: final ppt bvrit

GSM algorithms security consideration
The following are some of the main issues regarding the algorithms used in GSM security:

◦ The GSM cipher algorithms are not published as part of the standard, which led to criticism from the research and academic communities.

◦ In the COMP-128 algorithm, carefully chosen values for the input RAND will provide enough information to determine the Ki in a relatively small number of attempts.

◦ The way COMP-128 has been implemented, it reduces the key length of the ciphering key Kc from 64 bits to 54 bits, as the 10 least significant bits are fixed to zeros; this is a reduction by a factor of 1024.

Page 9: final ppt bvrit

The false base station attack

In the GSM standard only the MS is required to authenticate to the base station (BS); the BS is not required to authenticate itself to the MS.

The attacker would page the mobile phone, either using its IMSI or TMSI.

If the mobile phone was paged by its TMSI, the IMSI can easily be found out by sending the phone the IDENTITY REQUEST command (to which the phone must respond at any time).

Page 10: final ppt bvrit

The false base station attack (cont)
Following this, the attacker can keep choosing RANDs to exploit the COMP128 algorithm flaws and can keep submitting them to the phone via the AUTHENTICATION REQUEST messages (imitating a legitimate network asking the phone to authenticate itself); the phone simply returns the SRES.

The attacker could then repeat the authentication requests many times.

Page 11: final ppt bvrit

The false base station attack (cont)
The attacker keeps collecting the SRESes until he/she has gained enough information to learn the Ki.

Once the Ki and IMSI are known the attacker can impersonate that user, and make and receive calls in their name.

It can also be used to eavesdrop, since RANDs from a legitimate network to a legitimate user can be monitored, and thus combined with the known Ki can be used to determine the Kc used for the encryption.

Page 12: final ppt bvrit

SIM cloning attack
The GSM SIM card can be cloned; this will lead to two possible scenarios.

The first is when the attacker uses the SIM card pretending to be the legitimate user.

The second is when the attacker exploits the weakness in the COMP-128 algorithm to extract the secret key Ki.

Page 13: final ppt bvrit

UMTS Security
Security in the UMTS network is based on three security principles:
◦ Authentication and Key Agreement protocol (AKA)
◦ Integrity
◦ Confidentiality

Page 14: final ppt bvrit

Authentication and Key Agreement protocol (AKA)
The Authentication and Key Agreement protocol is a mechanism that performs authentication and session key distribution in UMTS networks.

The AKA is a challenge-response mechanism that uses symmetric cryptography.

This allows the network to authenticate the user and also allows the user to authenticate the network.

AKA is performed when one of the following events happens:
◦ Registration of a user in a Serving Network.
◦ After a service request.
◦ Location Update Request.
◦ Attach Request.
◦ Detach request.
◦ Connection re-establishment request.
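
The mutual challenge-response described above, as an added example that is not part of the original slides: the USIM checks a network token before it releases any response, which is the step the GSM false base station scenario lacked. HMAC-SHA256 stands in for the operator's real algorithms, and the names K, SQN, AUTN, RES and XRES follow common 3GPP usage rather than this page; the token layout is simplified and assumed.

```python
import hashlib
import hmac
import os

def prf(k, label, *parts):
    """Stand-in keyed function (HMAC-SHA256), not the operator's real algorithms."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()

def network_challenge(k, sqn):
    """Network side: random challenge, network token, expected response."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    autn = sqn_b + prf(k, b"net-mac", rand, sqn_b)[:8]  # assumed layout: SQN || MAC
    xres = prf(k, b"res", rand)[:8]
    return rand, autn, xres

def usim_respond(k, last_sqn, rand, autn):
    """USIM side: authenticate the network first; answer only if that succeeds."""
    sqn_b, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, prf(k, b"net-mac", rand, sqn_b)[:8]):
        return None  # token was not built with K: no response is released
    if int.from_bytes(sqn_b, "big") <= last_sqn:
        return None  # stale sequence number: a replayed challenge
    res = prf(k, b"res", rand)[:8]
    ck = prf(k, b"ck", rand)[:16]  # 128-bit cipher key, later used by f8
    ik = prf(k, b"ik", rand)[:16]  # 128-bit integrity key, later used by f9
    return res, ck, ik

def aka_demo():
    k = bytes(range(16))  # constructed 128-bit subscriber key
    rand, autn, xres = network_challenge(k, sqn=5)
    genuine = usim_respond(k, 4, rand, autn)
    replayed = usim_respond(k, 5, rand, autn)  # same challenge seen again
    forged_autn = (6).to_bytes(6, "big") + bytes(8)  # token made without K
    forged = usim_respond(k, 5, os.urandom(16), forged_autn)
    return {
        "user_authenticated": genuine is not None
        and hmac.compare_digest(genuine[0], xres),
        "key_lengths": (len(genuine[1]), len(genuine[2])),
        "replayed_answered": replayed is not None,
        "forged_answered": forged is not None,
    }
```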

Page 15: final ppt bvrit

Integrity
The threats against integrity can include:

◦ Manipulation of transmitted data: Intruders may manipulate data transmitted over all reachable interfaces.

◦ Manipulation of stored data: Intruders may manipulate data that are stored on the system entities, in the terminal or stored by the USIM.

◦ Manipulation by masquerading: Intruders may masquerade as a communication participant and thereby manipulate data on any interface.

Page 16: final ppt bvrit

Integrity (cont)
The algorithm used in UMTS to provide integrity is known as f9. This algorithm takes five inputs:
◦ The 128-bit integrity key IK.
◦ A 32-bit integrity sequence number (COUNT-I).
◦ A 32-bit random value generated by the radio network controller (FRESH).
◦ A direction identifier (DIRECTION).
◦ The radio resource control (RRC) signalling message content (MESSAGE).

Page 17: final ppt bvrit

Integrity (cont)
The output is a 32-bit message authentication code (MAC-I) computed by the sender for data integrity. The MAC-I will then be appended to the RRC message when sent over the radio access link.

The receiver will verify the message by computing the expected MAC-I (XMAC-I) on the message received.
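
The MAC-I / XMAC-I check described on the two slides above, as an added example that is not part of the original slides. Truncated HMAC-SHA256 stands in for the real f9 algorithm, and the key, FRESH value and message are constructed; the point is what each of the five inputs contributes when the receiver recomputes the tag from its own state.

```python
import hashlib
import hmac
import struct

def mac_i(ik, count_i, fresh, direction, message):
    """32-bit MAC-I over the five f9 inputs (stand-in MAC, not the real f9)."""
    header = struct.pack(">IIB", count_i, fresh, direction)
    return hmac.new(ik, header + message, hashlib.sha256).digest()[:4]

def verify(ik, count_i, fresh, direction, message, received_mac):
    """Receiver side: compute XMAC-I from its own inputs and compare."""
    xmac_i = mac_i(ik, count_i, fresh, direction, message)
    return hmac.compare_digest(xmac_i, received_mac)

def f9_demo():
    ik = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed IK
    fresh, uplink, downlink = 0x1A2B3C4D, 0, 1               # constructed values
    msg = b"RRC: security mode command"                      # constructed message
    tag = mac_i(ik, 7, fresh, downlink, msg)                 # sender appends this
    return {
        # Receiver state matches the sender's: message is accepted.
        "genuine": verify(ik, 7, fresh, downlink, msg, tag),
        # MESSAGE changed in transit.
        "tampered": verify(ik, 7, fresh, downlink, msg + b"!", tag),
        # Same message and tag presented again after COUNT-I has advanced.
        "replayed_later": verify(ik, 8, fresh, downlink, msg, tag),
        # Downlink message sent back on the uplink (DIRECTION differs).
        "reflected": verify(ik, 7, fresh, uplink, msg, tag),
        # Tag recorded under one FRESH value, presented under another.
        "other_fresh": verify(ik, 7, 0x99999999, downlink, msg, tag),
    }
```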

Page 18: final ppt bvrit

Confidentiality
This is achieved by ciphering the data between the MS and the RNC. This is an improvement on the GSM system, which only encrypted data between the MS and the BS.

Confidentiality is very important in UMTS as it protects from various threats such as:
◦ Eavesdropping on user traffic,
◦ signalling or control data on the radio interface;
◦ passive traffic analysis.

The ciphering in UMTS is performed between the UE and the RNC, using an algorithm known as the f8 ciphering algorithm, which is used to encrypt plain text.

Page 19: final ppt bvrit

Confidentiality
The f8 takes five inputs:
◦ The 128-bit cipher key CK.
◦ A 32-bit time-dependent input COUNT-C.
◦ The bearer identity BEARER.
◦ The direction of transmission DIRECTION.
◦ The length of the required key stream LENGTH.

The output will be the key stream block KEYSTREAM, which is used to encrypt the input plaintext block PLAINTEXT to produce the output ciphertext block CIPHERTEXT.
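
The keystream construction described above, as an added example that is not part of the original slides. HMAC-SHA256 in counter mode stands in for the real f8 algorithm, LENGTH is counted in bytes for simplicity, and the key and frames are constructed; it also shows why COUNT-C has to change between frames under the same CK.

```python
import hashlib
import hmac
import struct

def keystream(ck, count_c, bearer, direction, length):
    """LENGTH bytes of KEYSTREAM from the five inputs (stand-in generator)."""
    seed = struct.pack(">IBB", count_c, bearer, direction)
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(ck, seed + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cipher(ck, count_c, bearer, direction, data):
    """PLAINTEXT xor KEYSTREAM; the same call decrypts."""
    return xor(data, keystream(ck, count_c, bearer, direction, len(data)))

def f8_demo():
    ck = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed CK
    p1 = b"uplink frame number one.."                        # constructed frames
    p2 = b"uplink frame number two.."
    c1 = cipher(ck, 100, 3, 0, p1)
    c2_fresh = cipher(ck, 101, 3, 0, p2)   # COUNT-C advanced: new keystream
    c2_reused = cipher(ck, 100, 3, 0, p2)  # same inputs: same keystream
    return {
        "roundtrip": cipher(ck, 100, 3, 0, c1) == p1,
        # The receiver must use the same BEARER and DIRECTION to decrypt.
        "wrong_direction": cipher(ck, 100, 3, 1, c1) == p1,
        # With a repeated keystream the key cancels out of c1 xor c2.
        "reuse_leaks_xor": xor(c1, c2_reused) == xor(p1, p2),
        "fresh_leaks_xor": xor(c1, c2_fresh) == xor(p1, p2),
    }
```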

Page 20: final ppt bvrit