Securing Wireless Cellular Systems Arvind Padmanabhan [email_address] 9 th May 2009

Contents Scope Cellular Basics Security Goals Elements of Security Protocol Procedures Algorithmic Background GSM Flaws & Solutions Implementation Challenges Conclusion References

Scope

Cellular Basics

Security Goals

Elements of Security

Protocol Procedures

Algorithmic Background

GSM Flaws & Solutions

Implementation Challenges

Conclusion

References

Scope

Cellular Basics – Network Architecture GSM MS SS7 BTS BSC MSC VLR HLR AuC GMSC BSS PSTN NSS A E C D PSTN Abis B H MS IP GPRS MS PSDN Gi SGSN Gr Gb Gs GGSN Gc Gn UMTS UE Node B RNC RNS Iub IuCS ATM IuPS

Cellular Basics – GSM Protocol Stack Control Plane MS BTS BSC MSC/VLR

Cellular Basics – GPRS Protocol Stack Control Plane

Cellular Basics – UMTS Protocol Stack Control Plane

Security Threats Eavesdropping Spoofing – mobile phishing Denial of service Hacking into Core Network Theft of SIM Theft of mobile phone Employees, partners, sub-contractors Viruses, worms, trojans

Eavesdropping

Spoofing – mobile phishing

Denial of service

Hacking into Core Network

Theft of SIM

Theft of mobile phone

Employees, partners, sub-contractors

Viruses, worms, trojans

Security Goals User identity confidentiality User location confidentiality User untraceability User authentication Network authentication Data confidentiality Data integrity Algorithm and key agreement Mobile equipment identification User-to-USIM authentication USIM-Terminal authentication

User identity confidentiality

User location confidentiality

User untraceability

User authentication

Network authentication

Data confidentiality

Data integrity

Algorithm and key agreement

Mobile equipment identification

User-to-USIM authentication

USIM-Terminal authentication

Security Contexts User-SIM context Air interface context RAN-CN context CN context Authentication context Application context

What is AKA? AKA is also known as Authentication and Key Agreement Network authenticates the subscriber Subscriber authenticates the network (not in GSM) Both parties agree on the keys to use for data confidentiality and data integrity USIM AuC

AKA is also known as Authentication and Key Agreement

Network authenticates the subscriber

Subscriber authenticates the network (not in GSM)

Both parties agree on the keys to use for data confidentiality and data integrity

GSM AKA A3 Mobile Station Radio Link GSM Operator A8 A5 A3 A8 A5 K i K i K c K c SIM Authentication: are SRES values equal? Challenge RAND m i Encrypted Data m i Signed response (SRES) SRES SRES F n F n

AKA Overview

Location Update Procedure Get CKSN from SIM Get Auth Vector from AuC Invoke SIM calculations Secure data exchange

Incoming Call

RRC Security Procedure

Security Procedure at UE RRC

Change of Location Area User Identity Request User Identity Response Security context is transferred from the old VLR/SGSN to the new VLR/SGSN

Authenticated Session Lifetime START < Yes Session is valid. Keys can be re-used. THRESHOLD No Keys have reached their end of life. Set START as invalid. Set CKSN/KSI as invalid. Updated when RRC connection is released. Fixed by the operator. Stored on SIM/USIM.

Updating the START Value START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2 Once updated, it is saved into SIM/USIM and deleted from the mobile

START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2

Once updated, it is saved into SIM/USIM and deleted from the mobile

Counter Check Procedure Check does not involve Core Network Prevent “man-in-the-middle” attacks RRC will query RLC for COUNT-C values RRC will include mismatches in its response UTRAM may release RRC connection

Check does not involve Core Network

Prevent “man-in-the-middle” attacks

RRC will query RLC for COUNT-C values

RRC will include mismatches in its response

UTRAM may release RRC connection

Indicating Current CKSN/KSI This field is indicated by UE MM/GMM in the following messages: LOCATION UPDATING REQUEST CM SERVICE REQUEST PAGING RESPONSE CM RE-ESTABLISHMENT REQUEST This field is indicated by UE GMM in the following messages: ROUTING AREA UPDATE REQUEST SERVICE REQUEST ATTACH REQUEST

This field is indicated by UE MM/GMM in the following messages:

LOCATION UPDATING REQUEST

CM SERVICE REQUEST

PAGING RESPONSE

CM RE-ESTABLISHMENT REQUEST

This field is indicated by UE GMM in the following messages:

ROUTING AREA UPDATE REQUEST

SERVICE REQUEST

ATTACH REQUEST

Deriving Ciphering and Integrity Counters START (20 bits) USIM RRC RLC-TM RLC-UM RLC-AM

Ciphering Data

Data Integrity Additional protection within the same authentication session

Transmission of Signalling Content Signalling Content RRC SN MAC Message f9 MAC Signalling Content RRC SN RB ID Message f8 Signalling Content RRC SN MAC Message

Integrity Exceptions Integrity is not applied for: HANDOVER TO UTRAN COMPLETE PAGING TYPE 1 PUSCH CAPACITY REQUEST PHYSICAL SHARED CHANNEL ALLOCATION RRC CONNECTION REQUEST RRC CONNECTION SETUP RRC CONNECTION SETUP COMPLETE RRC CONNECTION REJECT RRC CONNECTION RELEASE (CCCH only) SYSTEM INFORMATION SYSTEM INFORMATION CHANGE INDICATION TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)

Integrity is not applied for:

HANDOVER TO UTRAN COMPLETE

PAGING TYPE 1

PUSCH CAPACITY REQUEST

PHYSICAL SHARED CHANNEL ALLOCATION

RRC CONNECTION REQUEST

RRC CONNECTION SETUP

RRC CONNECTION SETUP COMPLETE

RRC CONNECTION REJECT

RRC CONNECTION RELEASE (CCCH only)

SYSTEM INFORMATION

SYSTEM INFORMATION CHANGE INDICATION

TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)

Generating the Quintet

USIM Security Execution Resynchronization procedure exists in the USIM and HLR/AuC Secret Key

AKA for GSM Subscribers 3G phone with GSM SIM connecting to UTRAN 3G phone with GSM SIM connecting to GSM

AKA for UMTS Subscribers 2G phone with USIM connecting to GSM & R98- VLR/SGSN 3G phone with USIM connecting to GSM & R98- VLR/SGSN

Security Service Summary

GSM Handover Intra-BSC HO Nothing to be done Inter-BSC & Intra-MSC HO BSC informs MSC that HO is required MSC commands target BSC and passes on security context Inter-MSC HO Same as above except that current MSC informs target MSC to initiate HO to target cell

Intra-BSC HO

Nothing to be done

Inter-BSC & Intra-MSC HO

BSC informs MSC that HO is required

MSC commands target BSC and passes on security context

Inter-MSC HO

Same as above except that current MSC informs target MSC to initiate HO to target cell

UMTS to GPRS Cell Reselection

Algorithmic Background – Cipher Types Symmetric cipher: shared secret key Stream cipher (OTP) Block cipher (DES, Triple-DES, AES, RC2) Block ciphers can be used as stream ciphers Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR E/D E/D

Symmetric cipher: shared secret key

Stream cipher (OTP)

Block cipher (DES, Triple-DES, AES, RC2)

Block ciphers can be used as stream ciphers

Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR

Algorithmic Background – Cipher Types Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers) Private key Public key One-way hash (MD5, SHA-1, SHA-2, Triple-DES) E D H

Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers)

Private key

Public key

One-way hash (MD5, SHA-1, SHA-2, Triple-DES)

GSM Security Flaws – 1 Weak algorithms – cracked long ago COMP128 was used: this is a keyed hash function generating a 96 bit digest Fault with operators in using COMP128 A3 and A8 based on COMP128 Kc is only 54 bits COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries! COMP128-4 is based on AES

Weak algorithms – cracked long ago

COMP128 was used: this is a keyed hash function generating a 96 bit digest

Fault with operators in using COMP128

A3 and A8 based on COMP128

Kc is only 54 bits

COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work

Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI

In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries!

COMP128-4 is based on AES

GSM Security Flaws – 2 Same basic algorithm is used to generate both SRES and Kc No integrity on signalling data No network authentication Encryption does not extend far into the network Microwave links not protected by operators – Kc could be read easily

Same basic algorithm is used to generate both SRES and Kc

No integrity on signalling data

No network authentication

Encryption does not extend far into the network

Microwave links not protected by operators – Kc could be read easily

UMTS Algorithms KASUMI Design authority: ETSI SAGE Based on the block cipher MISTY (Mitsubishi) KASUMI is the Japanese for “MIST” f8 and f9 are based on KASUMI Changes made to aid hardware implementation Keys are 128 bits long No known hacks exist

KASUMI

Design authority: ETSI SAGE

Based on the block cipher MISTY (Mitsubishi)

KASUMI is the Japanese for “MIST”

f8 and f9 are based on KASUMI

Changes made to aid hardware implementation

Keys are 128 bits long

No known hacks exist

Comparing GSM & UMTS 1. A5/3 AND GEA3 are based on KASUMI Yes No Integrity Synchronization & Key Reuse Activation Ciphering inputs Algorithms & Converters AuC Generated Vectors KSI, START CKSN ActivationTime Immediate/ Handshaking CK, RB ID, COUNT-C, DIRECTION GSM: Kc, COUNT, slot number GPRS: Kc, LLC-based INPUT, DIRECTION VBS/VGCS: group key no. f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f1*, f5*, c1, c2, c3 A3, A5/[1,2,3] 1 , GEA[1,2,3] 1 , A8, c4, c5 (RAND,XRES,CK,IK,AUTN): quintet (RAND,SRES,Kc): triplet 3G GSM/GPRS

Implementation Challenges Hardware Or Software ? Rarely matters at the network end. Matters a lot to the mobile.

Hardware

Or

Software ?

Rarely matters at the network end.

Matters a lot to the mobile.

Performance of f8 and f9 - 1

Performance of f8 and f9 - 2

SW Optimization of f8 and f9 Convert 16-bit to 32-bit operations on ARM Single instruction instead of 2 or 4 15% faster Using non-static memory for sub-keys Avoid ARM’s LDR instruction Use structures and pass pointers to functions 5% faster Key scheduling only when CK and IK change 3.5 KB increased memory 60% faster Optimizing FI with table lookups Not recommended since memory usage increases by 256 KB Estimated to give 50% improvement in the best case if tables are cached but not practical

Convert 16-bit to 32-bit operations on ARM

Single instruction instead of 2 or 4

15% faster

Using non-static memory for sub-keys

Avoid ARM’s LDR instruction

Use structures and pass pointers to functions

5% faster

Key scheduling only when CK and IK change

3.5 KB increased memory

60% faster

Optimizing FI with table lookups

Not recommended since memory usage increases by 256 KB

Estimated to give 50% improvement in the best case if tables are cached but not practical

End-to-End Security Beyond the scope of cellular systems IPSec Firewall VPN Public Key Infrastructure (PKI) & Digital Certificates MAC on files for download

Beyond the scope of cellular systems

IPSec

Firewall

VPN

Public Key Infrastructure (PKI) & Digital Certificates

MAC on files for download

Conclusion Current GSM networks are far more secure than early ones UMTS improves on GSM security Inter-working between UMTS and GSM still has implementation issues Constant innovation – anything secure today is not likely to be secure tomorrow User has the responsibility to protect his/her SIM/USIM

Current GSM networks are far more secure than early ones

UMTS improves on GSM security

Inter-working between UMTS and GSM still has implementation issues

Constant innovation – anything secure today is not likely to be secure tomorrow

User has the responsibility to protect his/her SIM/USIM

Standards (Release 99) Technical specifications TS 21.133 Security threats and requirements TS 22.022 Personalisation of Mobile Equipment (ME) TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirements TS 33.106 Lawful interception requirements TS 33.107 Lawful interception architecture TS 33.120 Security principles and objectives TS 35.20x Access network algorithm specifications Technical reports TR 33.900 Guidelines for 3G security TR 33.901 Criteria for algorithm design TR 33.902 Formal analysis of authentication

Technical specifications

TS 21.133 Security threats and requirements

TS 22.022 Personalisation of Mobile Equipment (ME)

TS 33.102 Security architecture

TS 33.103 Integration guidelines

TS 33.105 Cryptographic algorithm requirements

TS 33.106 Lawful interception requirements

TS 33.107 Lawful interception architecture

TS 33.120 Security principles and objectives

TS 35.20x Access network algorithm specifications

Technical reports

TR 33.900 Guidelines for 3G security

TR 33.901 Criteria for algorithm design

TR 33.902 Formal analysis of authentication