Securing Wireless Cellular Systems
ACM Bangalore Tech Talk - Securing Wireless Cellular Systems
Page 2
Contents
- Scope
- Cellular Basics
- Security Goals
- Elements of Security
- Protocol Procedures
- Algorithmic Background
- GSM Flaws & Solutions
- Implementation Challenges
- Conclusion
- References
Page 3
Scope
Page 4
Cellular Basics – Network Architecture
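[Figure: GSM/GPRS/UMTS network architecture. Elements: GSM MS, GPRS MS, UMTS UE; BSS (BTS, BSC); RNS (Node B, RNC); NSS (MSC, VLR, HLR, AuC, GMSC); SGSN, GGSN; external networks PSTN, PSDN, IP. Interfaces: Abis, A, B, C, D, E, H, Gb, Gr, Gs, Gc, Gn, Gi, Iub, IuCS, IuPS. Transport: SS7, ATM.]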
Page 5
Cellular Basics – GSM Protocol Stack Control Plane
[Figure: GSM control-plane protocol stack across MS, BTS, BSC and MSC/VLR.]
Page 6
Cellular Basics – GPRS Protocol Stack Control Plane
[Figure: GPRS control-plane protocol stack.
- MS: GMM/SM, LLC, RLC, MAC, GSM RF
- BSS (relay): RLC, MAC, GSM RF on the Um side; BSSGP, Network Service, L1bis on the Gb side
- 2G-SGSN: GMM/SM, LLC, BSSGP, Network Service, L1bis]
Page 7
Cellular Basics – UMTS Protocol Stack Control Plane
[Figure: UMTS control-plane protocol stack.
- MS: GMM/SM/SMS, RRC, RLC, MAC, L1
- RNS (relay): RRC, RLC, MAC, L1 on the Uu side; RANAP, SCCP, Signalling Bearer, AAL5, ATM on the Iu-Ps side
- 3G SGSN: GMM/SM/SMS, RANAP, SCCP, Signalling Bearer, AAL5, ATM]
Page 8
Security Threats
- Eavesdropping
- Spoofing – mobile phishing
- Denial of service
- Hacking into Core Network
- Theft of SIM
- Theft of mobile phone
- Employees, partners, sub-contractors
- Viruses, worms, trojans
Page 9
Security Goals
- User identity confidentiality
- User location confidentiality
- User untraceability
- User authentication
- Network authentication
- Data confidentiality
- Data integrity
- Algorithm and key agreement
- Mobile equipment identification
- User-to-USIM authentication
- USIM-Terminal authentication
Page 10
Security Contexts
- User-SIM context
- Air interface context
- RAN-CN context
- CN context
- Authentication context
- Application context
Page 11
What is AKA?
- AKA stands for Authentication and Key Agreement
- Network authenticates the subscriber
- Subscriber authenticates the network (not in GSM)
- Both parties agree on the keys to use for data confidentiality and data integrity
[Figure: AKA runs between the USIM and the AuC.]
Page 12
GSM AKA
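[Figure: GSM AKA between the Mobile Station (SIM) and the GSM Operator over the Radio Link.
- Both sides hold Ki.
- The operator sends the challenge RAND.
- Each side runs A3 to produce the signed response (SRES) and A8 to produce Kc.
- The mobile returns SRES. Authentication: are SRES values equal?
- A5 takes Kc and Fn on each side; data mi is sent as Encrypted Data and recovered as mi.]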
Page 13
AKA Overview
[Figure: message sequence between MS, VLR/SGSN and HE/HLR.]
Distribution of authentication vectors from HE to SN:
- VLR/SGSN to HE/HLR: Authentication data request
- HE/HLR: Generate authentication vectors AV(1..n)
- HE/HLR to VLR/SGSN: Authentication data response AV(1..n)
- VLR/SGSN: Store authentication vectors
Authentication and key establishment:
- VLR/SGSN: Select authentication vector AV(i)
- VLR/SGSN to MS: User authentication request RAND(i) || AUTN(i)
- MS: Verify AUTN(i), Compute RES(i)
- MS to VLR/SGSN: User authentication response RES(i)
- VLR/SGSN: Compare RES(i) and XRES(i)
- MS: Compute CK(i) and IK(i); VLR/SGSN: Select CK(i) and IK(i)
Page 14
Location Update Procedure
[Figure: location update message sequence, annotated with:
- Get CKSN from SIM
- Get Auth Vector from AuC
- Invoke SIM calculations
- Secure data exchange]
Page 15
Incoming Call
Page 16
RRC Security Procedure
[Figure: message sequence between MS, SRNC and VLR/SGSN.]
1. RRC connection establishment including transfer of the HFNs START values and the UE security capability from MS to SRNC
1. (SRNC) Storage of HFNs START values and UE security capability
2. “Initial L3 message” with user identity, KSI etc. (MS to VLR/SGSN)
3. Authentication and key generation
4. (VLR/SGSN) Decide allowed UIAs and UEAs
5. Security mode command (UIAs, IK, UEAs, CK, etc.) (VLR/SGSN to SRNC)
6. (SRNC) Select UIA and UEA, generate FRESH, start integrity
7. Security mode command (CN domain, UIA, FRESH, UE security capability, UEA, MAC-I, etc.) (SRNC to MS)
8. (MS) Control of UE security capability, verify message, start of integrity
9. Security mode complete (MAC-I, etc.) (MS to SRNC)
10. (SRNC) Verify received message
11. Security mode complete (selected UEA and UIA) (SRNC to VLR/SGSN)
Then, at both MS and SRNC: start ciphering/deciphering.
“UE security capability” indicates UIAs and UEAs supported by MS.
Page 17
Security Procedure at UE
[Figure: message sequence between RRC, RLC and MAC inside the UE. Labels:]
- Decode SECURITY MODE COMMAND
- CRLC_Suspend_Req(N): suspend all AM/UM RLC entities in the CN domain and also all signalling RB
- CRLC_Suspend_Cnf(VT)
- Set IE “Radio bearer uplink activation time info” in IE “Ciphering mode info” for all suspended RBs
- RLC_Data_Req(SECURITY MODE COMPLETE)
- RLC PDUs
- RLC ACK
- RLC_Data_Cnf(SECURITY MODE COMPLETE)
- CRLC_Config_Req(new ciphering elements for uplink)
- CRLC_Resume_Req: resume all suspended AM/UM RLC entities in the CN domain and also all signalling RB
- Reconfigure to use new CK at the “activation time” for uplink
- RLC_Data_Ind(SECURITY MODE COMMAND)
- CMAC_Config_Req(new ciphering elements for both uplink)
- RLC PDUs
- RLC ACK
- CRLC_Config_Req(new ciphering elements for downlink)
- Reconfigure to use new CK at the “activation time” for downlink
- CMAC_Config_Req(new ciphering elements for both downlink)
Page 18
Change of Location Area
[Figure: message exchange between the new VLRn/SGSNn and the old VLRo/SGSNo.]
- User Identity Request: (TMSIo || LAIo) or (P-TMSIo || RAIo)
- User Identity Response: IMSI || ({Qi} or {Ti}) || ((CK || IK || KSI) or (Kc || CKSN))
Security context is transferred from the old VLR/SGSN to the new VLR/SGSN
Page 19
Authenticated Session Lifetime
[Flowchart: is START < THRESHOLD?]
- Yes: Session is valid. Keys can be re-used.
- No: Keys have reached their end of life. Set START as invalid. Set CKSN/KSI as invalid.
START: updated when RRC connection is released.
THRESHOLD: fixed by the operator. Stored on SIM/USIM.
Page 20
Updating the START Value
START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2
Once updated, it is saved into SIM/USIM and deleted from the mobile
Page 21
Counter Check Procedure
- Check does not involve Core Network
- Prevent “man-in-the-middle” attacks
- RRC will query RLC for COUNT-C values
- RRC will include mismatches in its response
- UTRAN may release RRC connection
[Figure: UTRAN sends COUNTER CHECK to the UE; the UE answers with COUNTER CHECK RESPONSE.]
Page 22
Indicating Current CKSN/KSI
This field is indicated by UE MM/GMM in the following messages:
- LOCATION UPDATING REQUEST
- CM SERVICE REQUEST
- PAGING RESPONSE
- CM RE-ESTABLISHMENT REQUEST
This field is indicated by UE GMM in the following messages:
- ROUTING AREA UPDATE REQUEST
- SERVICE REQUEST
- ATTACH REQUEST
Page 23
Deriving Ciphering and Integrity Counters
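[Figure: composition of the ciphering and integrity counters.]
CSN or COUNT-C:
- MAC-d DCH (RLC TM): HFN (25 bits) + CFN (7 bits)
- RLC UM: HFN (25 bits) + RLC SN (7 bits)
- RLC AM: HFN (20 bits) + RLC SN (12 bits)
COUNT-I:
- RRC HFN (28 bits) + RRC SN (4 bits)
START (20 bits) is read from the USIM and supplied to RRC, RLC-TM, RLC-UM and RLC-AM.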
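The counter layout, the START' formula and the START < THRESHOLD check from the three slides above, combined in one added example (not code from the talk). The function names are hypothetical, PDUs are assumed to arrive in order so a smaller sequence number means a wrap, and the RLC TM counter is left out.

```python
# HFN widths from the slide; the sequence number fills the rest of the 32-bit counter.
HFN_BITS = {"RLC-AM": 20, "RLC-UM": 25, "RRC": 28}

def initial_count(start, kind):
    """Initialise a counter: START sets the 20 MSBs of the HFN, all other bits are 0."""
    hfn = start << (HFN_BITS[kind] - 20)
    return hfn << (32 - HFN_BITS[kind])

def next_count(count, kind, sn):
    """Return the counter for the next PDU or message carrying sequence number sn.

    The HFN is incremented when the sequence number wraps (in-order delivery assumed).
    """
    sn_bits = 32 - HFN_BITS[kind]
    hfn, last_sn = count >> sn_bits, count & ((1 << sn_bits) - 1)
    if sn < last_sn:
        hfn += 1
    return ((hfn << sn_bits) | sn) & 0xFFFFFFFF

def updated_start(counts):
    """START' = MSB20(MAX{COUNT-C, COUNT-I}) + 2 over counters using the current CK and IK."""
    return (max(counts) >> 12) + 2

def on_rrc_release(counts, threshold):
    """Return the state saved to the SIM/USIM when the RRC connection is released."""
    start = updated_start(counts)
    if start < threshold:
        # Session is valid, keys can be re-used on the next connection.
        return {"START": start, "keys_valid": True}
    # Keys reached end of life: START and CKSN/KSI are set as invalid.
    return {"START": None, "keys_valid": False}
```

Because every counter starts from START in its top 20 bits and START' is always at least 2 above the highest value used, a reused CK/IK never sees the same COUNT-C or COUNT-I twice.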
Page 24
Ciphering Data
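[Figure: ciphering with f8.
- On both sides, f8 takes COUNT-C, BEARER, DIRECTION, LENGTH and CK and outputs a KEYSTREAM BLOCK.
- Sender (UE or RNC): PLAINTEXT BLOCK XOR KEYSTREAM BLOCK gives CIPHERTEXT BLOCK.
- Receiver (RNC or UE): CIPHERTEXT BLOCK XOR KEYSTREAM BLOCK gives PLAINTEXT BLOCK.]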
Page 25
Data Integrity
[Figure: integrity protection with f9.
- Sender (UE or RNC): f9 takes COUNT-I, MESSAGE, DIRECTION, FRESH and IK and outputs MAC-I.
- Receiver (UE or RNC): f9 takes the same inputs and outputs XMAC-I.]
Additional protection within the same authentication session
Page 26
Transmission of Signalling Content
[Figure: transmission of signalling content.
- Message (Signalling Content, RRC SN, RB ID) is input to f9, which gives the MAC.
- Message (Signalling Content, RRC SN, MAC) is input to f8.]
Page 27
Integrity Exceptions
Integrity is not applied for:
- HANDOVER TO UTRAN COMPLETE
- PAGING TYPE 1
- PUSCH CAPACITY REQUEST
- PHYSICAL SHARED CHANNEL ALLOCATION
- RRC CONNECTION REQUEST
- RRC CONNECTION SETUP
- RRC CONNECTION SETUP COMPLETE
- RRC CONNECTION REJECT
- RRC CONNECTION RELEASE (CCCH only)
- SYSTEM INFORMATION
- SYSTEM INFORMATION CHANGE INDICATION
- TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)
Page 28
Generating the Quintet
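[Figure: quintet generation from the inputs K, SQN, RAND and AMF.
- f1 gives MAC-A
- f2 gives XRES
- f3 gives CK
- f4 gives IK
- f5 gives AK, which is XORed with SQN]
AUTN = SQN [xor AK] || AMF || MAC-A
Q = (RAND, XRES, CK, IK, AUTN)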
Page 29
USIM Security Execution
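Resynchronization procedure exists in the USIM and HLR/AuC
[Figure: USIM-side computation from the secret key K, the received RAND and the received SQN xor AK and AMF.
- f5 gives AK, which is XORed with the received value to recover SQN
- f1 gives XMAC-A
- f2 gives RES
- f3 gives CK
- f4 gives IK]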
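Quintet generation at the AuC and the matching USIM execution from the two slides above, as an added example that is not code from the talk. f1 to f5 are replaced by a truncated HMAC-SHA256 stand-in (an assumption, not the operator's real algorithm set), the function names are hypothetical, and the SQN freshness check is simplified to "greater than the highest value accepted so far".

```python
import hashlib
import hmac
import os

def _f(k, label, data, n):
    # Stand-in for f1..f5 (assumption): HMAC-SHA256 truncated to n bytes.
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def auc_generate_quintet(k, sqn, amf, rand=None):
    """AuC side: build Q = (RAND, XRES, CK, IK, AUTN) from a 6-byte SQN and 2-byte AMF."""
    rand = rand or os.urandom(16)
    mac_a = _f(k, b"f1", sqn + rand + amf, 8)
    xres = _f(k, b"f2", rand, 8)
    ck = _f(k, b"f3", rand, 16)
    ik = _f(k, b"f4", rand, 16)
    ak = _f(k, b"f5", rand, 6)
    autn = _xor(sqn, ak) + amf + mac_a           # AUTN = SQN xor AK || AMF || MAC-A
    return rand, xres, ck, ik, autn

def usim_execute(k, rand, autn, highest_sqn):
    """USIM side: verify AUTN, then return (status, RES, CK, IK)."""
    conc_sqn, amf, mac_a = autn[:6], autn[6:8], autn[8:]
    sqn = _xor(conc_sqn, _f(k, b"f5", rand, 6))  # unmask SQN with AK
    xmac_a = _f(k, b"f1", sqn + rand + amf, 8)
    if not hmac.compare_digest(xmac_a, mac_a):
        return "mac_failure", None, None, None   # network is not authenticated
    if int.from_bytes(sqn, "big") <= highest_sqn:
        return "sync_failure", None, None, None  # stale vector: resynchronization needed
    return "ok", _f(k, b"f2", rand, 8), _f(k, b"f3", rand, 16), _f(k, b"f4", rand, 16)

def vlr_check(res, xres):
    """VLR/SGSN side: compare RES(i) with XRES(i)."""
    return res is not None and hmac.compare_digest(res, xres)
```

The MAC-A check is what GSM AKA lacks: a USIM rejects a challenge that was not built with K, and the SQN check rejects a replayed one.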
Page 30
AKA for GSM Subscribers
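[Figure: AKA for a subscriber with a GSM SIM (GSM security context).
- A Release 98- or Release 99+ HLR/AuC issues triplets to a Release 99+ VLR/SGSN or a Release 98- VLR/SGSN.
- The SIM is challenged with RAND and returns SRES; Kc is the resulting key.
- Via UTRAN (R99+ UE, Release 99+ VLR/SGSN): Kc is converted to CK, IK on both sides.
- Via GSM BSS (R99+ UE or R98- UE): RAND, SRES, [Kc]; Kc is used directly.]
Cases shown:
- 3G phone with GSM SIM connecting to UTRAN
- 3G phone with GSM SIM connecting to GSM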
Page 31
AKA for UMTS Subscribers
[Figure: AKA for a subscriber with a USIM.
- A Release 99+ HLR/AuC issues quintets to a Release 99+ VLR/SGSN and triplets to a Release 98- VLR/SGSN, converting CK, IK to Kc and RES to SRES.
- Via UTRAN with an R99+ ME capable of UMTS AKA: RAND, AUTN, RES; CK, IK are used (UMTS security context).
- Via GSM BSS with an R99+ ME capable of UMTS AKA: RAND, AUTN, RES, [Kc]; CK, IK are converted to Kc.
- With an R99+ ME not capable of UMTS AKA, or an R98- ME: RAND, [AUTN], SRES, [Kc]; CK, IK are converted to Kc and RES to SRES (GSM security context).]
Cases shown:
- 2G phone with USIM connecting to GSM & R98- VLR/SGSN
- 3G phone with USIM connecting to GSM & R98- VLR/SGSN
Page 32
Security Service Summary
Page 33
GSM Handover
- Intra-BSC HO
  - Nothing to be done
- Inter-BSC & Intra-MSC HO
  - BSC informs MSC that HO is required
  - MSC commands target BSC and passes on security context
- Inter-MSC HO
  - Same as above except that current MSC informs target MSC to initiate HO to target cell
Page 34
UMTS to GPRS Cell Reselection
[Figure: message sequence between MS, BSS, SRNS, new 2G_SGSN, old 3G_SGSN, GGSN and HLR.]
1. Decision to perform cell reselection
2. Routing Area Update Request (MS Radio Access Cap)
3. SGSN Context Request
4. SRNS Context Request
4. SRNS Context Response
5. SGSN Context Response (MS Network Cap)
6. Security Functions
7. SGSN Context Acknowledge
8. SRNS Context Acknowledge
Page 35
Algorithmic Background – Cipher Types
- Symmetric cipher: shared secret key
  - Stream cipher (OTP)
  - Block cipher (DES, Triple-DES, AES, RC2)
- Block ciphers can be used as stream ciphers
  - Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR
[Figure: E/D (encrypt/decrypt) blocks.]
Page 36
Algorithmic Background – Cipher Types
- Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers)
  - Private key
  - Public key
- One-way hash (MD5, SHA-1, SHA-2, Triple-DES)
[Figure: E (encrypt), D (decrypt) and H (hash) blocks.]
Page 37
GSM Security Flaws – 1
- Weak algorithms – cracked long ago
- COMP128 was used: this is a keyed hash function generating a 96 bit digest
- Fault with operators in using COMP128
- A3 and A8 based on COMP128
- Kc is only 54 bits
- COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work
- Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI
- In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries!
- COMP128-4 is based on AES
Page 38
GSM Security Flaws – 2
- Same basic algorithm is used to generate both SRES and Kc
- No integrity on signalling data
- No network authentication
- Encryption does not extend far into the network
- Microwave links not protected by operators – Kc could be read easily
Page 39
UMTS Algorithms
- KASUMI
  - Design authority: ETSI SAGE
  - Based on the block cipher MISTY (Mitsubishi)
  - KASUMI is the Japanese for “MIST”
- f8 and f9 are based on KASUMI
- Changes made to aid hardware implementation
- Keys are 128 bits long
- No known hacks exist
Page 40
Comparing GSM & UMTS
AuC Generated Vectors
  GSM/GPRS: (RAND, SRES, Kc): triplet
  3G: (RAND, XRES, CK, IK, AUTN): quintet
Algorithms & Converters
  GSM/GPRS: A3, A5/[1,2,3] (note 1), GEA[1,2,3] (note 1), A8, c4, c5
  3G: f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f1*, f5*, c1, c2, c3
Ciphering inputs
  GSM/GPRS:
    GSM: Kc, COUNT, slot number
    GPRS: Kc, LLC-based INPUT, DIRECTION
    VBS/VGCS: group key no.
  3G: CK, RB ID, COUNT-C, DIRECTION
Activation
  GSM/GPRS: Immediate/Handshaking
  3G: Activation Time
Integrity
  GSM/GPRS: No
  3G: Yes
Synchronization & Key Reuse
  GSM/GPRS: CKSN
  3G: KSI, START
Note 1: A5/3 and GEA3 are based on KASUMI
Page 41
Implementation Challenges
Hardware or software?
- Rarely matters at the network end.
- Matters a lot to the mobile.
Page 42
Performance of f8 and f9 - 1
[Figure: Comparison of f8 and f9. X axis: Length (bytes), 0 to 3000. Y axis: ST100 Cycles, 0 to 250000. Series: f8, f9.]
Page 43
Performance of f8 and f9 - 2
[Figure: Performance per unit length. X axis: Length (bytes), 0 to 3000. Y axis: ST100 Cycles/Length, 0 to 300. Series: f8, f9.]
Page 44
SW Optimization of f8 and f9
- Convert 16-bit to 32-bit operations on ARM
  - Single instruction instead of 2 or 4
  - 15% faster
- Using non-static memory for sub-keys
  - Avoid ARM’s LDR instruction
  - Use structures and pass pointers to functions
  - 5% faster
- Key scheduling only when CK and IK change
  - 3.5 KB increased memory
  - 60% faster
- Optimizing FI with table lookups
  - Not recommended since memory usage increases by 256 KB
  - Estimated to give 50% improvement in the best case if tables are cached but not practical
Page 45
End-to-End Security
- Beyond the scope of cellular systems
- IPSec
- Firewall
- VPN
- Public Key Infrastructure (PKI) & Digital Certificates
- MAC on files for download
Page 46
Conclusion
- Current GSM networks are far more secure than early ones
- UMTS improves on GSM security
- Inter-working between UMTS and GSM still has implementation issues
- Constant innovation – anything secure today is not likely to be secure tomorrow
- User has the responsibility to protect his/her SIM/USIM
Page 47
Standards (Release 99)
Technical specifications
- TS 21.133 Security threats and requirements
- TS 22.022 Personalisation of Mobile Equipment (ME)
- TS 33.102 Security architecture
- TS 33.103 Integration guidelines
- TS 33.105 Cryptographic algorithm requirements
- TS 33.106 Lawful interception requirements
- TS 33.107 Lawful interception architecture
- TS 33.120 Security principles and objectives
- TS 35.20x Access network algorithm specifications
Technical reports
- TR 33.900 Guidelines for 3G security
- TR 33.901 Criteria for algorithm design
- TR 33.902 Formal analysis of authentication