iir tutorial 2
Description: UMTS Security

3GPP Security architecture
Bart Vinck, Siemens Atea
Information and Communication Networks, Communications on Air
IRR Fraud and Security Conference, London, March 9, 2000

Contents

- Introduction
- Network access security
  – Authentication and key agreement
  – User identity confidentiality
  – Confidentiality and integrity
  – Connection establishment
  – Mobile equipment identity security
- Network domain security
- Summary

Introduction: Technical specifications

Principles, objectives and requirements
- TS 33.120 Security principles and objectives
- TS 21.133 Security threats and requirements
Architecture, mechanisms and algorithms
- TS 33.102 Security architecture
- TS 33.103 Integration guidelines
- TS 33.105 Cryptographic algorithm requirements
Lawful interception
- TS 33.106 Lawful interception requirements
- TS 33.107 Lawful interception architecture and functions

Introduction: Technical reports

Technical reports
- TR 33.900 Guidelines for 3G security
- TR 33.901 Criteria for cryptographic algorithm design
- TR 33.902 Formal analysis of authentication

Introduction: Security architecture overview

[Figure: security architecture overview. Strata: application stratum, home stratum/serving stratum, transport stratum. Entities: user application, provider application, USIM, HE, TE, MT, SN, AN. Labels I to IV in the figure refer to the feature groups below.]
I. Network access security
II. Provider domain security
III. User domain security
IV. Application security

Authentication and key agreement: Contents

- Introduction
- Authentication using sequence numbers
- Message flow for successful authentication
- Message flow for re-synchronisation
- Sequence numbers - fine details
- An authenticated signalling channel HE → USIM
- GSM-UMTS interoperation
- World-wide cross standard roaming
- Summary

Authentication and key agreement: Introduction - New security services

GSM AKA security services
- User-to-network authentication: SRES = A3_Ki(RAND)
- Establishment of a 64 bit cipher key: Kc = A8_Ki(RAND)
Additional UMTS AKA security services
- Establishment of longer cipher key: CK = f3_K(RAND)
- Establishment of integrity key: IK = f4_K(RAND)
- User assurance of key freshness
- (To some extent) network-to-user authentication
- Authenticated signalling channel HE → USIM

Authentication and key agreement: Assurance of key freshness to the user

What is freshness assurance?
- The user is assured at AKA that the cipher/integrity keys are fresh (i.e., have not been used before)
- Not provided by GSM AKA → network (or intruder) can re-use triplets (and force re-use of an "insecure" cipher key)
Why have key freshness assurance?
- To limit the damage when a triplet is exposed or a cipher key is broken
How to achieve key freshness assurance?
- Option 1: mutual challenge/response
- Option 2: authenticated challenge/response (preferred)

Authentication and key agreement: Sequence numbers - basics

User (USIM)
- Stores SQN_MS = last accepted SQN
- Receives (RAND, SQN, MAC)
- Computes XMAC = f1_K(RAND, SQN)
- Verifies that XMAC = MAC and SQN > SQN_MS
- Updates SQN_MS
Home network (AuC)
- Stores SQN_HE = last generated SQN
- Selects next SQN > SQN_HE
- Computes MAC = f1_K(RAND, SQN)
- Sends the user (RAND, SQN, MAC)
- Updates SQN_HE

[Figure: AuC (holds K, SQN_HE) sends RAND, SQN, MAC to USIM (holds K, SQN_MS)]

Authentication and key agreement 0/4: Prerequisites

[Figure: USIM (K, SQN_MS), VLR or SGSN, AuC (K, SQN_HE)]

- AuC and USIM share secret key K
- AuC maintains SQN_HE = largest sequence number generated by the AuC (for the subscriber) (will be enhanced further on)
- USIM maintains SQN_MS = largest sequence number received and accepted by the USIM (will be enhanced further on)

K = Subscriber authentication key
SQN_MS = Sequence number counter in the MS
SQN_HE = Sequence number counter in the HE
USIM = UMTS Subscriber Identity Module
VLR = Visitor Location Register
SGSN = Serving GPRS Support Node
AuC = Authentication Centre
MS = Mobile Station
HE = Home Environment

Authentication and key agreement 1/4: User-to-network authentication

- AuC generates RAND and computes XRES
- RAND is sent to the USIM; XRES is sent to the VLR/SGSN
- USIM re-computes RES and sends RES to the VLR/SGSN
- The VLR/SGSN verifies "RES = XRES?"

[Message flow between USIM, VLR or SGSN, and AuC]
- AuC (SQN_HE, K): RAND; XRES = f2_K(RAND)
- AuC → VLR/SGSN: RAND, XRES
- VLR/SGSN → USIM: RAND
- USIM (SQN_MS, K): RAND; RES = f2_K(RAND)
- USIM → VLR/SGSN: RES
- VLR/SGSN: XRES = RES ?

RAND = Network challenge
RES = User response
XRES = Expected response

Authentication and key agreement 2/4: Cipher/integrity key establishment

- AuC computes CK and IK from RAND and K
- RAND is sent to USIM, CK and IK are sent to VLR or SGSN
- USIM re-computes CK and IK from RAND and K

[Message flow between USIM, VLR or SGSN, and AuC]
- AuC (SQN_HE, K): RAND; XRES = f2_K(RAND); CK = f3_K(RAND); IK = f4_K(RAND)
- AuC → VLR/SGSN: RAND, XRES, CK, IK
- VLR/SGSN → USIM: RAND
- USIM (SQN_MS, K): RAND; RES = f2_K(RAND); CK = f3_K(RAND); IK = f4_K(RAND)
- USIM → VLR/SGSN: RES
- VLR/SGSN: XRES = RES ?

CK = Cipher key
IK = Integrity key

Authentication and key agreement 3/4: Network-to-user authentication

- AuC generates fresh SQN > SQN_HE, protects the integrity by means of MAC and sends AUTN = SQN | MAC to the USIM
- USIM verifies the data origin of SQN by "XMAC = MAC ?"
- USIM verifies the freshness of SQN by "SQN > SQN_MS"
- Freshness + data origin verification = entity authentication

[Message flow between USIM, VLR or SGSN, and AuC]
- AuC (SQN_HE, K): RAND, SQN; XRES = f2_K(RAND); CK = f3_K(RAND); IK = f4_K(RAND); MAC = f1_K(RAND | SQN)
- AuC → VLR/SGSN: RAND, XRES, CK, IK, AUTN
- VLR/SGSN → USIM: RAND, AUTN
- USIM (SQN_MS, K): RAND, SQN; RES = f2_K(RAND); CK = f3_K(RAND); IK = f4_K(RAND); XMAC = f1_K(RAND | SQN); XMAC = MAC ?; SQN > SQN_MS
- USIM → VLR/SGSN: RES
- VLR/SGSN: XRES = RES ?

AUTN = SQN | MAC

AUTN = Authentication token
SQN = Sequence number
MAC = Message authentication code

Authentication and key agreement 4/4: An authenticated signalling channel

- AuC determines AMF
- AMF is input to f1 and MAC, AMF is part of AUTN
- USIM receives AMF as part of AUTN
- USIM verifies authenticity of AMF via "MAC = XMAC ?"

[Message flow between USIM, VLR or SGSN, and AuC]
- AuC (SQN_HE, K): RAND, SQN, AMF; XRES = f2_K(RAND); MAC = f1_K(RAND | SQN | AMF); CK = f3_K(RAND); IK = f4_K(RAND)
- AuC → VLR/SGSN: Quintet (RAND, AUTN, XRES, CK, IK)
- VLR/SGSN → USIM: RAND, AUTN
- USIM (SQN_MS, K): RAND, SQN; RES = f2_K(RAND); XMAC = f1_K(RAND | SQN | AMF); XMAC = MAC ?; SQN > SQN_MS; CK = f3_K(RAND); IK = f4_K(RAND)
- USIM → VLR/SGSN: RES
- VLR/SGSN: XRES = RES ?

AUTN = SQN | AMF | MAC

AMF = Authentication Management Field
Q = Quintet

Authentication and key agreement: Composition of the quintet

Quintet
- RAND: Network challenge, 128 bits
- XRES: Expected response, 32-128 bits
- CK: Cipher key, 128 bits
- IK: Integrity key, 128 bits
- AUTN: Authentication token, 128 bits
  – SQN: Sequence number, 48 bits
  – AMF: Authentication management field, 16 bits
  – MAC(-A): Message authentication code, 64 bits
Note
- The standard allows the possibility to conceal SQN with an anonymity key AK to ensure user identity confidentiality
Source: TS 33.102, Clause 6.3

Authentication and key agreement: Message flow for successful AKA

[Message flow between USIM, VLR or SGSN, and AuC]
Distribution of quintets from HLR/AuC to VLR/SGSN
- VLR/SGSN → AuC: auth. data request
- AuC: Generate quintets
- AuC → VLR/SGSN: Quintets, Q = (RAND, XRES, CK, IK, AUTN)
Over-the-air authentication and key agreement
- VLR/SGSN → USIM: RAND, AUTN
- USIM: Verify MAC, SQN; derive CK, IK, RES
- USIM → VLR/SGSN: RES
- VLR/SGSN: XRES = RES ?
- USIM: Start using CK, IK; VLR/SGSN: Start using CK, IK
Source: TS 33.102, Clause 6.3

Authentication and key agreement: Failure cases

USIM determines that XMAC-A ≠ MAC-A (new!)
- USIM: sends indication of integrity failure to VLR
- VLR: request for identification or try other quintet or request new quintets from HLR/AuC
USIM determines that "SQN ≤ SQN_MS" (new!)
- USIM: sends indication of synchronisation failure to VLR, computation of re-synchronisation token
- VLR: request new quintets from HLR/AuC with indication of synchronisation failure and re-synchronisation token
VLR determines that XRES ≠ RES
- VLR: reject the user that attempts to access the system
Note: same procedures apply for CS and PS, for VLR and SGSN
Source: TS 33.102, Clause 6.3

Authentication and key agreement: Re-synchronisation mechanism

- USIM determines that "SQN ≤ SQN_MS" and computes MAC-S
- USIM sends AUTS to VLR, VLR adds RAND
- AuC verifies integrity and whether "SQN_MS > SQN_HE" and updates SQN_HE if necessary

[Message flow between USIM, VLR or SGSN, and AuC]
- AuC → VLR/SGSN: Quintet
- VLR/SGSN → USIM: RAND
- USIM (SQN_MS, K): RAND, SQN; SQN ≤ SQN_MS; MAC-S = f1*_K(RAND | SQN_MS)
- USIM → VLR/SGSN: AUTS
- VLR/SGSN → AuC: RAND, AUTS
- AuC (SQN_HE, K): RAND, SQN; XRES = f2_K(RAND); XMAC-S = f1*_K(RAND | SQN_MS); IF "SQN_MS > SQN_HE" AND MAC-S = XMAC-S SET SQN_HE = SQN

AUTS = SQN_MS | AMF* | MAC-S

AUTS = Re-synchronisation token
MAC-S = MAC for re-synchronisation

AKA: Re-synchronisation mechanism

[Message flow between USIM, VLR or SGSN, and AuC]
- USIM: SQN ≤ SQN_MS; compute AUTS
- USIM → VLR/SGSN: Ind. of Sync. Failure, AUTS
Distribution of quintets from HLR/AuC to VLR/SGSN with indication of synchronisation failure
- VLR/SGSN → AuC: Auth. Data Request, AUTS, RAND
- AuC: Verify AUTS, [Modify SQN-HE], [Generate quintets]
- AuC → VLR/SGSN: Quintets
- VLR/SGSN → USIM: RAND, AUTN
- USIM: SQN now acceptable
(Continue as in successful AKA)
Source: TS 33.102, Clause 6.3
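
The successful AKA run, the two USIM-side failure cases and the re-synchronisation procedure from the preceding slides, as an added example that is not part of the original presentation. f1, f1*, f2, f3 and f4 are replaced by truncated HMAC-SHA256 (an assumption; the slides do not specify them), and the class and function names, the key K and the all-zero AMF/AMF* values are constructed for illustration.

```python
import hashlib
import hmac
import os

def f(k: bytes, name: bytes, data: bytes, n: int) -> bytes:
    # Stand-in for f1, f1*, f2, f3, f4 (assumption: truncated HMAC-SHA256,
    # domain-separated by name); the slides do not specify the functions.
    return hmac.new(k, name + b"|" + data, hashlib.sha256).digest()[:n]

def enc_sqn(sqn: int) -> bytes:
    return sqn.to_bytes(6, "big")  # SQN is 48 bits

class AuC:
    def __init__(self, k: bytes, amf: bytes = b"\x00\x00"):
        self.k, self.amf, self.sqn_he = k, amf, 0

    def quintet(self):
        self.sqn_he += 1  # select next SQN > SQN_HE and update SQN_HE
        rand, sqn = os.urandom(16), enc_sqn(self.sqn_he)
        mac = f(self.k, b"f1", rand + sqn + self.amf, 8)
        autn = sqn + self.amf + mac  # AUTN = SQN | AMF | MAC
        return (rand, f(self.k, b"f2", rand, 8), f(self.k, b"f3", rand, 16),
                f(self.k, b"f4", rand, 16), autn)

    def resync(self, rand: bytes, auts: bytes) -> bool:
        sqn_ms, mac_s = auts[:6], auts[8:]  # AUTS = SQN_MS | AMF* | MAC-S
        xmac_s = f(self.k, b"f1*", rand + sqn_ms, 8)  # inputs as on the slide
        if not hmac.compare_digest(mac_s, xmac_s):
            return False  # AUTS not authentic: SQN_HE is left alone
        if int.from_bytes(sqn_ms, "big") > self.sqn_he:
            self.sqn_he = int.from_bytes(sqn_ms, "big")  # counter was behind
        return True

class USIM:
    def __init__(self, k: bytes):
        self.k, self.sqn_ms = k, 0

    def challenge(self, rand: bytes, autn: bytes):
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        xmac = f(self.k, b"f1", rand + sqn + amf, 8)
        if not hmac.compare_digest(mac, xmac):
            return "integrity failure", None
        if int.from_bytes(sqn, "big") <= self.sqn_ms:
            sqn_ms = enc_sqn(self.sqn_ms)
            mac_s = f(self.k, b"f1*", rand + sqn_ms, 8)  # MAC-S
            return "synchronisation failure", sqn_ms + b"\x00\x00" + mac_s
        self.sqn_ms = int.from_bytes(sqn, "big")
        return "ok", (f(self.k, b"f2", rand, 8), f(self.k, b"f3", rand, 16),
                      f(self.k, b"f4", rand, 16))

def run_scenarios() -> dict:
    k = bytes(range(16))  # constructed 128-bit subscriber key K
    auc, usim, out = AuC(k), USIM(k), {}

    # 1. Successful AKA: USIM returns RES, CK, IK; the VLR checks RES = XRES.
    rand, xres, ck, ik, autn = auc.quintet()
    status, keys = usim.challenge(rand, autn)
    out["success"] = status == "ok" and keys == (xres, ck, ik)

    # 2. The same quintet is presented again (re-use): SQN <= SQN_MS.
    out["reuse"], auts = usim.challenge(rand, autn)
    out["reuse_auts_valid"] = auc.resync(rand, auts)
    out["sqn_he_after_reuse"] = auc.sqn_he  # need not be modified

    # 3. AMF changed in transit: XMAC != MAC.
    out["tampered"] = usim.challenge(rand, autn[:6] + b"\xff\xff" + autn[8:])[0]

    # 4. Corruption of the counter in the AuC after four more successful runs.
    for _ in range(4):
        r, _xres, _ck, _ik, a = auc.quintet()
        usim.challenge(r, a)
    auc.sqn_he = 0  # simulated loss of SQN_HE
    r, _xres, _ck, _ik, a = auc.quintet()
    out["corrupt"], auts = usim.challenge(r, a)
    forged = auts[:-1] + bytes([auts[-1] ^ 1])  # MAC-S with one bit flipped
    out["forged_auts_valid"] = auc.resync(r, forged)
    auc.resync(r, auts)
    out["sqn_he_after_resync"] = auc.sqn_he
    r, _xres, _ck, _ik, a = auc.quintet()
    out["recovered"] = usim.challenge(r, a)[0]
    return out

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

In the re-use case the AUTS verifies but SQN_HE stays where it was; only the corrupted-counter case moves SQN_HE forward.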

Authentication and key agreement: Causes of synchronisation failures

Re-use
- VLR/SGSN (or intruder) attempts to re-use quintets
- VLR/SGSN must not attempt to re-use quintets !!
- SQN_HE need not be modified
Out-of-order use
- VLR/SGSN attempts to use quintets, while newer quintets have been used already
- SQN management shall allow out-of-order use (to a certain extent) !! → one issue for enhanced SQN management
- SQN_HE need not be modified
Corruption of the counter in the AuC
- SQN_HE need be modified
Source: TS 33.102, Clause 6.3

Authentication and key agreement: Enhanced sequence number management

SQN management shall ...
- … allow out-of-order use of a quintet when it is among the 50 most recently generated quintets
  – Different mechanisms are available; the USIM keeps track of history information on successfully passed authentication events
- … prevent lock-out of a USIM due to SQN_MS reaching SQN_max
  – SQN management shall limit the increment of SQN_MS to a maximum value ∆ such that SQN_max / ∆ is sufficiently large
- … not compromise user anonymity
  – SQN can either be concealed with an anonymity key AK, or may be (partially) clock-based (then no concealment is required)
- … be able to recover from corruption of the AuC database
  – SQN management shall support re-synchronisation procedure as defined before
Source: TS 33.102, Clause 6.3

Authentication and key agreement: Suggested SQN generation at the AuC

[Figure: SQN = SEQ1 || SEQ2 || INDEX; SEQ = SEQ1 || SEQ2]

Composition of SQN
- SEQ1: individual part, # SQN2 cycles + # re-synchronisations
- SEQ2: time-based part, GLC at the SQN generation
- INDEX: differentiates SQN generated at the same GLC
Note
- GLC: Global Time Counter
Generation of new SQN
- Usual case: SEQ1 = SEQ1_HE, SEQ2 = GLC
- GLC wraps around: instead SEQ1 = SEQ1_HE + 1
- >1 batch per time unit: instead SEQ2 = SEQ2_HE + 1
- several quintets in one batch: assign INDEX = 0, 1, 2, ...
Storage in the AuC
- SEQ_HE = SEQ1_HE || SEQ2_HE
Source: TS 33.102, Annex C

Authentication and key agreement: Suggested SQN verification at the USIM

[Figure: SQN = SEQ1 || SEQ2 || INDEX; SEQ = SEQ1 || SEQ2]

Verification
- If SEQ < SEQ_LO → reject
- If SEQ > SEQ_HI + ∆ → reject
- If ∃ i : SEQ = SEQ_MS(i)
  – IND > IND_MS(i) → accept and update IND_MS(i)
  – IND ≤ IND_MS(i) → reject
- Otherwise → accept and add (SEQ, IND), delete (SEQ_LO, IND_LO)
Storage in the USIM
- Ordered list with SQN_MS(i) = SEQ_MS(i) || IND_MS(i), with i ∈ {1, …, 50}, with SEQ_MS(1) > … > SEQ_MS(50)
- SEQ_HI = SEQ_MS(1)
- SEQ_LO = SEQ_MS(50)
Source: TS 33.102, Annex C
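
The verification rules of this slide applied to a short trace, as an added example that is not from the original presentation. The class name, the trace, the list size of 4 and ∆ = 100 are constructed to keep it readable, and treating SEQ_LO as unset until every slot of the list is filled is an assumption.

```python
class UsimSqnList:
    """USIM-side list of accepted (SEQ, IND) pairs (hypothetical class name)."""

    def __init__(self, size: int = 50, delta: int = 1 << 28):
        self.size = size    # list length (50 in the slide's example)
        self.delta = delta  # maximum accepted jump above SEQ_HI (assumed value)
        self.ind_ms = {}    # SEQ_MS(i) -> IND_MS(i)

    def verify(self, seq: int, ind: int) -> str:
        if self.ind_ms:
            seq_lo, seq_hi = min(self.ind_ms), max(self.ind_ms)
            # Assumption: SEQ_LO only applies once all slots are filled.
            if len(self.ind_ms) == self.size and seq < seq_lo:
                return "reject: SEQ < SEQ_LO"
            if seq > seq_hi + self.delta:
                return "reject: SEQ > SEQ_HI + delta"
        if seq in self.ind_ms:
            if ind <= self.ind_ms[seq]:
                return "reject: IND <= IND_MS(i)"
            self.ind_ms[seq] = ind
            return "accept: IND_MS(i) updated"
        self.ind_ms[seq] = ind
        if len(self.ind_ms) > self.size:
            del self.ind_ms[min(self.ind_ms)]  # delete (SEQ_LO, IND_LO)
        return "accept: added"

def replay_trace() -> list:
    usim = UsimSqnList(size=4, delta=100)
    # Constructed (SEQ, IND) pairs in the order the USIM receives them.
    trace = [
        (10, 0), (12, 0),
        (11, 0),   # out-of-order use, still inside the list
        (11, 0),   # the same quintet again
        (11, 1),   # next quintet of the same batch
        (13, 0),
        (14, 0),   # list is full: SEQ 10 drops out
        (10, 1),   # now older than SEQ_LO
        (200, 0),  # jump larger than delta
    ]
    return [usim.verify(seq, ind) for seq, ind in trace]

if __name__ == "__main__":
    for line in replay_trace():
        print(line)
```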

Authentication and key agreement: Use of authentication management field

Support for multiple algorithms and keys
- key identifier, algorithm identifier
Optimisation memory consumption/re-synchronisation frequency
- Modify list size (in the example: 50)
Optimise HE control/signalling efficiency
- Modify how long cipher/integrity keys can be used before the user triggers a new AKA
Make user reject/allow unencrypted connections
- Allow unencrypted connections only in networks in those countries that do not allow encryption …
Source: TS 33.102, Annex F

Authentication and key agreement: Introduction - Comparison with GSM AKA

GSM AKA
- Secret key cryptography
- Two-way challenge/response
- Allows use of proprietary authentication algorithms
- No algorithms in serving network
- No real-time interaction between user and home network
- Triplets
UMTS AKA
- Secret key cryptography
- Two-way authenticated challenge/response
- Allows use of proprietary authentication algorithms
- No algorithms in serving network
- No real-time interaction between user and home network
- Quintets

Authentication and key agreement: Interoperation between UMTS and GSM

[Figure: interoperation with a UMTS HLR/AuC and a UICC with USIM and SIM application. Elements shown: R99+ VLR/SGSN, R98- VLR/SGSN, UTRAN, GSM BSS, R99+ ME, R98- ME. Data labels: Quintet, Triplet, CK, IK, Kc, [Kc]; conversions CK, IK → Kc are marked at several points.]
- UMTS AKA: R99+ VLR/SGSN and UICC; GSM AKA: otherwise
- CK, IK: UTRAN; Kc: otherwise
- Standard function c3: CK, IK → Kc

Authentication and key agreement: Interoperation between UMTS and GSM

[Figure: interoperation with a GSM HLR/AuC and a GSM SIM. Elements shown: R99+ VLR/SGSN, R98- VLR/SGSN, UTRAN, GSM BSS, R99+ ME, R98- ME. Data labels: Triplet, CK, IK, Kc, [Kc]; conversions Kc → CK, IK are marked at two points.]
- UMTS AKA: never; GSM AKA: always
- CK, IK: UTRAN; Kc: otherwise
- Standard functions c4: Kc → CK; c5: Kc → IK

Authentication and key agreement: World-wide cross-standard interoperation

Current situation
- Good chance that TR-45.2 (3GPP2) adopts 3GPP AKA
- Adoption currently under discussion and subject to conditions
- Would enable global roaming
- Needs to be integrated in 3GPP2 specifications → AKA+
AKA+
- global kernel = AKA
  – Goal: establish secret keys between MS and VLR
  – Common to 3GPP and 3GPP2 → enables global roaming
- 3GPP2-specific local authentication (LA) mechanism
  – Goal: mutual authentication between MS and VLR when user is registered
  – Remains within 3GPP2 → does not compromise global roaming

Authentication and key agreement: World-wide cross-standard interoperation

[Figure: 3GPP2 and 3GPP1 systems side by side. Entities: HLR/AuC, two MSC/VLR, UE, UIM. Procedures shown: AKA, LA, SMN, GC, UC.]
SMN = Security Mode Negotiation
GC = Global Challenge
UC = Unique Challenge

Authentication and key agreement: Conclusions

- Additional security services
  – Establishment of integrity key
  – Network-to-user authentication, key freshness
  – Authenticated signalling channel HE → USIM
- Maximal compatibility and similarity with GSM AKA
  – Pre-distribution of authentication data (triplets → quintets)
  – No cryptographic algorithms in the VLR or SGSN
  – Allows
- True global roaming
  – GSM: simple conversion functions
  – 3GPP2: probable adoption of UMTS AKA
- Provable security
  – Formal proofs of AKA as well as of the re-synchronisation mechanism are available in TR 33.902

User identity confidentiality

- Attacks
- TMSI mechanism
- EMSI mechanism
- Conclusion

User identity confidentiality: Attacks

Eavesdropping attacks
- Eavesdropping on the radio link and catching the IMSIs that are sent in clear text
IMSI catching
- Active attack whereby users are enticed to camp on a false base station (IMSI catcher) and are then requested to send the IMSI in cleartext
IMSI probing
- Active attacks whereby an intruder probes for the presence of a certain user (or a number of users) in a certain area

User identity confidentiality: TMSI mechanism

Mechanism
- TMSI = Temporary Mobile Subscriber Identity
- Usually ME and VLR share a TMSI
- TMSI was generated by the VLR and sent to the ME after the initiation of ciphering → TMSI is "secret"
- When ME or VLR wants to establish a radio connection, the TMSI is used
- A new TMSI is then assigned after start of ciphering
Shortcoming
- When no valid TMSI is available, VLR requests the user to send the IMSI in cleartext → allows IMSI catching

User identity confidentiality: EMSI mechanism (1st enhancement)

Mechanism
- EMSI = Encrypted Mobile Subscriber Identity
- Complementary to TMSI mechanism
- Only used when IMSI is requested by the VLR
- Instead of sending the IMSI in cleartext, the USIM generates an EMSI and the ME sends the VLR the EMSI and the address of the UIDN = User Identity Decryption Node
- VLR sends the UIDN the EMSI, which decrypts the IMSI and sends the IMSI back to the VLR
Shortcoming
- VLR still pages the user with the IMSI in cleartext → allows IMSI paging (which is a kind of IMSI probing)

User identity confidentiality: PMSI mechanism (2nd enhancement)

Mechanism
- PMSI = Encrypted Mobile Subscriber Identity
- Enhancement of the EMSI mechanism
- Provides the VLR with a paging identity (PMSI) to substitute the use of the IMSI in paging requests
- The PMSI is derived in the USIM when the IMSI is encrypted (and then sent to the ME) and is derived in the UIDN when the EMSI is decrypted (and then stored and sent to the VLR)
- The VLR receives the PMSI together with the IMSI and is able to request the PMSI from the UIDN at any time
Shortcoming
- IMSI paging is prevented, but other IMSI probing attacks are not prevented by this mechanism

User identity confidentiality: Conclusions

- Eavesdropping attacks
  – Rendered ineffective by TMSI mechanism (GSM/UMTS)
- IMSI catching
  – Prevented by EMSI mechanism (UMTS - optional)
- IMSI probing
  – Attempt to prevent it by PMSI mechanism (UMTS - optional)
  – But … cannot be prevented by cryptographic means
- Remaining questions
  – Is it useful to protect against IMSI catching without protecting against IMSI probing?
  – Cost/benefit balance of the enhancements?
  – Is it useful to protect only UMTS-only customers?

Confidentiality and integrity: Content

- Key features
- Ciphering mechanism
- Integrity mechanism
- Algorithm: KASUMI

Confidentiality and integrity: Key features

Common to ciphering and integrity
- Secret key cryptography
- Key length 128 bits (GSM: 54-64 bits)
- Public algorithms (GSM: secret algorithm)
Termination points
- User side: Mobile equipment
- Network side: Radio Network Controller (GSM: base station)
Applied to
- Confidentiality: signalling and user data
- Integrity: signalling data
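
Confidentiality and integrity: Encryption mechanism (1/2)

Ciphering algorithm f8

[Figure: sender (ME or RNC) and receiver (ME or RNC) each run f8 with inputs CK, COUNT-C, BEARER, DIRECTION and LENGTH to produce a KEYSTREAM BLOCK. The sender combines the keystream block with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK; the receiver combines its keystream block with the ciphertext block to recover the PLAINTEXT BLOCK.]
Source: TS 33.102, Clause 6.6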

Confidentiality and integrity: Encryption mechanism (2/2)

- Ciphering in layer 2
  – RLC sublayer: non-transparent RLC mode (signalling, data)
  – MAC sublayer: transparent RLC mode (voice)
- Key input values to algorithm
  – CK, 128 bits: Cipher key
  – COUNT-C, 32 bits: Ciphering sequence number
    • RLC sublayer: HFN_RLC + SN_RLC (SN_RLC is transmitted)
    • MAC sublayer: HFN_MAC + CFN_MAC (CFN_MAC is transmitted)
- Further input values
  – BEARER, 4 bits: Bearer identity
  – DIRECTION, 1 bit: Uplink/downlink
  – LENGTH, 16 bits: Length of keystream block
Source: TS 33.102, Clause 6.6

Confidentiality and integrity: Integrity mechanism (1/2)

Integrity algorithm f9

[Figure: the sender (ME or RNC) runs f9 with inputs IK, COUNT-I, MESSAGE, DIRECTION and FRESH to produce MAC-I and sends MESSAGE, MAC-I. The receiver (ME or RNC) runs f9 with the same inputs to produce XMAC-I and checks "MAC-I = XMAC-I ?".]
Source: TS 33.102, Clause 6.5

Confidentiality and integrity: Integrity mechanism (2/2)

- Integrity protection: layer 2
  – RRC sublayer
- Key input values
  – IK, 128 bits: Integrity key
  – COUNT-I, 32 bits: Integrity sequence number
    • consists of HFN_RRC + SN_RRC (SN_RRC is transmitted)
  – FRESH, 32 bits: Network-side nonce
  – MESSAGE: Signalling message
- Further input values
  – DIRECTION, 1 bit: Uplink/downlink
- Output values
  – MAC-I, 32 bits: message authentication code
  – XMAC-I, 32 bits: expected MAC
Source: TS 33.102, Clause 6.5

Confidentiality and integrity: Algorithms - KASUMI

KASUMI
- Design authority: SAGE
- Based on the block cipher MISTY (Mitsubishi)
- KASUMI is Japanese for "MIST"
- Two modes of operation
  – f8 for encryption
  – f9 for data integrity protection
- Externally reviewed by three teams of experts
- Reviews were unanimously positive
- Soon to be published

Confidentiality and integrity: Conclusions

- Additional security services
  – Explicit data integrity protection for signalling messages
  – Termination point moved away from the border of the network towards the radio network controller
- Increased security
  – Longer key lengths
  – Reviews by three independent teams of experts
- Increased trust
  – Algorithms expected to be published soon

Connection establishment: Content

- Initiation of ciphering and integrity
- Triggering AKA versus local authentication
- Negotiation of ciphering/integrity mode
- Re-authentication during an ongoing connection
- Periodic in-call authentication

Connection establishment: Overview

[Message flow between ME/USIM, RNC and VLR/SGSN]
1. Connection Establishment (RRC)
2. Initial L3 message (MM)
3. IMSI Interrogation (MM)
4. Authentication and key agreement (MM)
5. Security mode command (RANAP)
6. Security mode command (RRC)
7. Security mode response (RRC)
8. Security mode complete (RANAP)
9. Response to initial L3 message (MM)
10. TMSI allocation (MM)

Connection establishment: Initiation of ciphering/integrity

Three parameters
- START, 32 bits: initial hyperframe number
  – Used to initialise COUNT-C and COUNT-I
  – Assures the user that MAC-I are fresh
  – START is stored/updated in the ME and the USIM
- CKSN, 3 bits: cipher key sequence number
  – Indicates the key set that is stored in the ME/USIM
  – When START exceeds a certain threshold, CKSN can be used by the user to trigger a new AKA
- FRESH, 32 bits: network nonce
  – Nonce generated by the RNC
  – Assures the network that MAC-I are fresh

Connection establishment: Initiation of ciphering/integrity

[Message flow between ME/USIM, RNC and VLR/SGSN]
1. Connection Establishment: → START →
2. Initial L3 message: CKSN
   Decide AKA / No AKA
4. Authentication and key agreement
5. Security mode command: CK, IK
   Start of integrity protection
6. Security mode command: FRESH (first integrity protected message)
7. Security mode response (first ciphered message)
Both ends: start of integrity protection, start of ciphering/deciphering

Connection establishment: Triggering AKA versus local authentication

AKA is performed when ...
- … the user enters a new SN
- … the user indicates that a new AKA is required (i.e., when the amount of data ciphered with CK has exceeded a certain THRESHOLD value, set by the USIM)
- … the serving network decides to (the SN should ensure that CK/IK sets are replaced at least once every 24 hours)
Otherwise: Integrity-key based authentication
- connection establishment (without AKA) provides mutual authentication between UE and SN, through the mandatory use of integrity protection and the mandatory execution of the security mode command/response procedure
→ Secure reduction of the frequency of AKA

Connection establishment: Negotiation of cipher/integrity modes

[Message flow between ME/USIM, RNC and VLR/SGSN]
1. Connection Establishment: → UEA_MS, UIA_MS →
5. Security mode command: UEA_CN, UIA_CN, CK, IK
   RNC selects UEA and UIA; start of integrity protection
6. Security mode command: UEA, UIA, UEA_MS, UIA_MS
7. Security mode response
8. Security mode complete: UEA, UIA
Both ends: start of integrity protection, start of ciphering/deciphering

Connection establishment: Negotiation of cipher/integrity modes

Security
- User is assured that network has received accurate information on UEA_MS and UIA_MS
Encryption is recommended
- "0000": no encryption
- "0001": Kasumi
Integrity is mandatory
- "0001": Kasumi
Negotiation built on user preference
- UEA_MS and UIA_MS list supported modes in order of preference
- RNC selects UEA and UIA supported by both sides and most preferred by the user
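
The selection rule and the ME-side check behind "User is assured that network has received accurate information on UEA_MS and UIA_MS", as an added example that is not from the original presentation. f9 is replaced by truncated HMAC-SHA256 (an assumption), and the function names, the message layout, IK and FRESH are constructed for illustration.

```python
import hashlib
import hmac

def mac_i(ik: bytes, msg: dict) -> bytes:
    # Stand-in for f9 (assumption: HMAC-SHA256 truncated to the 32-bit MAC-I).
    data = repr(sorted(msg.items())).encode()
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]

def select(ms_modes, cn_modes):
    # First mode in the user's order of preference that the network allows.
    return next((m for m in ms_modes if m in cn_modes), None)

def rnc_security_mode_command(ik, uea_ms, uia_ms, uea_cn, uia_cn, fresh):
    """Message 6: the RNC's choice plus an echo of the capabilities it received."""
    uia = select(uia_ms, uia_cn)
    if uia is None:
        raise ValueError("integrity is mandatory: no common UIA")
    msg = {"UEA": select(uea_ms, uea_cn), "UIA": uia,
           "UEA_MS": tuple(uea_ms), "UIA_MS": tuple(uia_ms), "FRESH": fresh}
    return msg, mac_i(ik, msg)

def me_verify(ik, uea_ms_sent, uia_ms_sent, msg, mac) -> str:
    if not hmac.compare_digest(mac, mac_i(ik, msg)):
        return "reject: MAC-I mismatch"
    if (msg["UEA_MS"] != tuple(uea_ms_sent)
            or msg["UIA_MS"] != tuple(uia_ms_sent)):
        return "reject: capabilities differ from those sent"
    return "accept"

def run_negotiation() -> dict:
    ik = bytes(range(16, 32))                     # constructed IK
    fresh = 0x1234ABCD                            # constructed FRESH
    uea_ms, uia_ms = ["0001", "0000"], ["0001"]   # ME prefers Kasumi
    uea_cn, uia_cn = ["0000", "0001"], ["0001"]   # modes the network allows
    out = {}

    # Message 1 arrives unchanged at the RNC.
    msg, mac = rnc_security_mode_command(ik, uea_ms, uia_ms, uea_cn, uia_cn, fresh)
    out["selected"] = (msg["UEA"], msg["UIA"])
    out["unchanged"] = me_verify(ik, uea_ms, uia_ms, msg, mac)

    # Message 1 carries no MAC-I: the RNC received a list without Kasumi.
    msg2, mac2 = rnc_security_mode_command(ik, ["0000"], uia_ms, uea_cn, uia_cn, fresh)
    out["selected_after_change"] = msg2["UEA"]
    out["changed_msg1"] = me_verify(ik, uea_ms, uia_ms, msg2, mac2)

    # The echo in message 6 is rewritten by someone who does not hold IK.
    msg3 = dict(msg2, UEA_MS=tuple(uea_ms))
    out["changed_msg6"] = me_verify(ik, uea_ms, uia_ms, msg3, mac2)
    return out

if __name__ == "__main__":
    for name, value in run_negotiation().items():
        print(f"{name}: {value}")
```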

(Connection establishment): Re-authentication during ongoing connection

[Message flow between ME/USIM, RNC and VLR/SGSN]
2. Re-authentication request
4. Authentication and key agreement
5. Security mode command: CK, IK
6. Security mode command (first message integrity protected with new IK)
7. Security mode response (first message ciphered with new CK)
8. Security mode complete
Processing boxes in the figure: "Application new IK"; "Application new IK, Application new CK" (shown twice)

(Connection establishment): Re-authentication during on-going connection

Purpose
- re-authenticate during long connections (especially PS connections)
Applicability
- PS connections (where need is highest)
- CS connections
Initiation
- VLR/SGSN
  – when it detects that CK/IK set is in use for too long a time
- UE (may be moved to release '00)
  – when it detects that CK/IK set is in use for too much data, i.e., the largest COUNT-C parameter exceeds a threshold value set by the USIM in the ME

Connection establishment: Conclusions

- Additional security services
  – Secure cipher/integrity mode negotiation
  – Re-authentication during an on-going connection
  – User-control over the lifetime of a cipher/integrity key set
- Additional home environment / user control
  – Selection of ciphering/integrity mode based on user preferences
  – Lifetime of cipher/integrity key sets

Mobile equipment identity security

- IMEI is not properly secure in many GSM terminals
- IMEI mechanism remains the same
- New requirement (also on new GSM ME): once the mobile equipment leaves the factory, it will be "impossible" to modify the mobile equipment identity
- Additional improvement: the mobile equipment identity - when sent over the radio link - shall be integrity protected
- The cost of more enhanced mechanisms was too high compared to the envisaged benefit

IMEI = International Mobile Equipment Identity

Network domain security: Introduction

Purpose
- Provide security services for signalling within the core network, within one network, or between several networks
Services
- Entity authentication
- Key establishment
- Data integrity protection
- Confidentiality
Protocols
- MAP
- GTP

MAP = Mobile Application Part
GTP = GPRS Transport Protocol

Network domain security: Overview

[Figure: Network X with KAC_X and network entities NE_X(1), NE_X(2), NE_X(3); Network Y with KAC_Y and network entities NE_Y(1), NE_Y(2), NE_Y(3).]
- Layer 1: Key establishment
- Layer 2: Key distribution
- Layer 3: Transport security

KAC = Key administration Centre
NE = Network entity

Network domain security: Discussion of the different layers

Layer 1 - key establishment
- Public key cryptography
- KAC stores public/private key pairs
- Establishes symmetric cipher/integrity keys
- R'00
Layer 2 - key distribution
- KAC distributes symmetric cipher/integrity keys to NE
- To be standardised by SA-5 by mid-June (R'99 / R'00)
Layer 3 - transport security
- NE apply symmetric cipher/integrity keys to protect signalling
- Should be standardised by CN-2 by mid-March (R'99 / R'00)

Conclusions

- Enhanced security
  – Protection against false base station attacks through enhanced authentication and key agreement and integrity protection
  – Stronger encryption through longer keys and stronger algorithms; increased trust through public algorithms
  – Encryption beyond the base station further into the network
  – Mechanisms to secure core network signalling
- Interoperability with and evolution from GSM
- Interoperability with 3GPP2 system