Securing Wireless Cellular Systems
ACM Bangalore Tech Talk - Securing Wireless Cellular Systems

  • Transcript

    • 1. Securing Wireless Cellular Systems, Arvind Padmanabhan, [email_address], 9th May 2009
    • 2. Contents
      • Scope
      • Cellular Basics
      • Security Goals
      • Elements of Security
      • Protocol Procedures
      • Algorithmic Background
      • GSM Flaws & Solutions
      • Implementation Challenges
      • Conclusion
      • References
    • 3. Scope
    • 4. Cellular Basics – Network Architecture
      • [Diagram: GSM (MS, BTS, BSC, MSC, VLR, HLR, AuC, GMSC), GPRS (SGSN, GGSN) and UMTS (UE, Node B, RNC) network elements with their interfaces to the PSTN, PSDN and SS7 network]
    • 5. Cellular Basics – GSM Protocol Stack, Control Plane
      • [Diagram: protocol stacks at MS, BTS, BSC and MSC/VLR]
    • 6. Cellular Basics – GPRS Protocol Stack Control Plane
    • 7. Cellular Basics – UMTS Protocol Stack Control Plane
    • 8. Security Threats
      • Eavesdropping
      • Spoofing – mobile phishing
      • Denial of service
      • Hacking into Core Network
      • Theft of SIM
      • Theft of mobile phone
      • Employees, partners, sub-contractors
      • Viruses, worms, trojans
    • 9. Security Goals
      • User identity confidentiality
      • User location confidentiality
      • User untraceability
      • User authentication
      • Network authentication
      • Data confidentiality
      • Data integrity
      • Algorithm and key agreement
      • Mobile equipment identification
      • User-to-USIM authentication
      • USIM-Terminal authentication
    • 10. Security Contexts
      • User-SIM context
      • Air interface context
      • RAN-CN context
      • CN context
      • Authentication context
      • Application context
    • 11. What is AKA?
      • AKA is also known as Authentication and Key Agreement
        • Network authenticates the subscriber
        • Subscriber authenticates the network (not in GSM)
        • Both parties agree on the keys to use for data confidentiality and data integrity
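      • [Diagram: USIM and AuC]
    • 12. GSM AKA
      • [Diagram: the GSM operator sends the challenge RAND over the radio link; the SIM in the mobile station and the operator each run A3 and A8 on Ki; the mobile returns the signed response SRES; authentication asks whether the SRES values are equal; A5 uses Kc and Fn to encrypt the data m_i]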
    • 13. AKA Overview
    • 14. Location Update Procedure
      • Get CKSN from SIM
      • Get Auth Vector from AuC
      • Invoke SIM calculations
      • Secure data exchange
    • 15. Incoming Call
    • 16. RRC Security Procedure
    • 17. Security Procedure at UE RRC
    • 18. Change of Location Area
      • User Identity Request
      • User Identity Response
      • Security context is transferred from the old VLR/SGSN to the new VLR/SGSN
    • 19. Authenticated Session Lifetime
      • Is START < THRESHOLD?
        • Yes: Session is valid. Keys can be re-used.
        • No: Keys have reached their end of life. Set START as invalid. Set CKSN/KSI as invalid.
      • START: Updated when RRC connection is released.
      • THRESHOLD: Fixed by the operator.
      • Stored on SIM/USIM.
    • 20. Updating the START Value
      • START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2
      • Once updated, it is saved into SIM/USIM and deleted from the mobile
    • 21. Counter Check Procedure
      • Check does not involve Core Network
      • Prevent “man-in-the-middle” attacks
      • RRC will query RLC for COUNT-C values
      • RRC will include mismatches in its response
      • UTRAN may release RRC connection
    • 22. Indicating Current CKSN/KSI
      • This field is indicated by UE MM/GMM in the following messages:
        • LOCATION UPDATING REQUEST
        • CM SERVICE REQUEST
        • PAGING RESPONSE
        • CM RE-ESTABLISHMENT REQUEST
      • This field is indicated by UE GMM in the following messages:
        • ROUTING AREA UPDATE REQUEST
        • SERVICE REQUEST
        • ATTACH REQUEST
    • 23. Deriving Ciphering and Integrity Counters
      • [Diagram: START (20 bits) from the USIM feeds the counters kept at RRC, RLC-TM, RLC-UM and RLC-AM]
    • 24. Ciphering Data
    • 25. Data Integrity
      • Additional protection within the same authentication session
    • 26. Transmission of Signalling Content
      • [Diagram: a message made of signalling content, RRC SN and MAC; labels f9 (MAC), f8 and RB ID]
    • 27. Integrity Exceptions
      • Integrity is not applied for:
          • HANDOVER TO UTRAN COMPLETE
          • PAGING TYPE 1
          • PUSCH CAPACITY REQUEST
          • PHYSICAL SHARED CHANNEL ALLOCATION
          • RRC CONNECTION REQUEST
          • RRC CONNECTION SETUP
          • RRC CONNECTION SETUP COMPLETE
          • RRC CONNECTION REJECT
          • RRC CONNECTION RELEASE (CCCH only)
          • SYSTEM INFORMATION
          • SYSTEM INFORMATION CHANGE INDICATION
          • TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)
    • 28. Generating the Quintet
    • 29. USIM Security Execution
      • Resynchronization procedure exists in the USIM and HLR/AuC
      • [Diagram label: Secret Key]
    • 30. AKA for GSM Subscribers
      • 3G phone with GSM SIM connecting to UTRAN
      • 3G phone with GSM SIM connecting to GSM
    • 31. AKA for UMTS Subscribers
      • 2G phone with USIM connecting to GSM & R98- VLR/SGSN
      • 3G phone with USIM connecting to GSM & R98- VLR/SGSN
    • 32. Security Service Summary
    • 33. GSM Handover
      • Intra-BSC HO
        • Nothing to be done
      • Inter-BSC & Intra-MSC HO
        • BSC informs MSC that HO is required
        • MSC commands target BSC and passes on security context
      • Inter-MSC HO
        • Same as above except that current MSC informs target MSC to initiate HO to target cell
    • 34. UMTS to GPRS Cell Reselection
    • 35. Algorithmic Background – Cipher Types
      • Symmetric cipher: shared secret key
        • Stream cipher (OTP)
        • Block cipher (DES, Triple-DES, AES, RC2)
          • Block ciphers can be used as stream ciphers
          • Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR
    • 36. Algorithmic Background – Cipher Types
      • Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers)
        • Private key
        • Public key
      • One-way hash (MD5, SHA-1, SHA-2, Triple-DES)
    • 37. GSM Security Flaws – 1
      • Weak algorithms – cracked long ago
        • COMP128 was used: this is a keyed hash function generating a 96 bit digest
        • Fault with operators in using COMP128
        • A3 and A8 based on COMP128
        • Kc is only 54 bits
        • COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work
        • Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI
        • In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries!
        • COMP128-4 is based on AES
    • 38. GSM Security Flaws – 2
      • Same basic algorithm is used to generate both SRES and Kc
      • No integrity on signalling data
      • No network authentication
      • Encryption does not extend far into the network
      • Microwave links not protected by operators – Kc could be read easily
    • 39. UMTS Algorithms
      • KASUMI
        • Design authority: ETSI SAGE
        • Based on the block cipher MISTY (Mitsubishi)
        • KASUMI is the Japanese for “MIST”
        • f8 and f9 are based on KASUMI
      • Changes made to aid hardware implementation
      • Keys are 128 bits long
      • No known hacks exist
    • 40. Comparing GSM & UMTS
      • Integrity
        • 3G: Yes
        • GSM/GPRS: No
      • Synchronization & Key Reuse
        • 3G: KSI, START
        • GSM/GPRS: CKSN
      • Activation
        • 3G: ActivationTime
        • GSM/GPRS: Immediate/Handshaking
      • Ciphering inputs
        • 3G: CK, RB ID, COUNT-C, DIRECTION
        • GSM/GPRS: GSM: Kc, COUNT, slot number; GPRS: Kc, LLC-based INPUT, DIRECTION; VBS/VGCS: group key no.
      • Algorithms & Converters
        • 3G: f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f1*, f5*, c1, c2, c3
        • GSM/GPRS: A3, A5/[1,2,3] (note 1), GEA[1,2,3] (note 1), A8, c4, c5
      • AuC Generated Vectors
        • 3G: (RAND,XRES,CK,IK,AUTN): quintet
        • GSM/GPRS: (RAND,SRES,Kc): triplet
      • Note 1: A5/3 and GEA3 are based on KASUMI
    • 41. Implementation Challenges
      • Hardware or software?
      • Rarely matters at the network end.
      • Matters a lot to the mobile.
    • 42. Performance of f8 and f9 - 1
    • 43. Performance of f8 and f9 - 2
    • 44. SW Optimization of f8 and f9
      • Convert 16-bit to 32-bit operations on ARM
        • Single instruction instead of 2 or 4
        • 15% faster
      • Using non-static memory for sub-keys
        • Avoid ARM’s LDR instruction
        • Use structures and pass pointers to functions
        • 5% faster
      • Key scheduling only when CK and IK change
        • 3.5 KB increased memory
        • 60% faster
      • Optimizing FI with table lookups
        • Not recommended since memory usage increases by 256 KB
        • Estimated to give 50% improvement in the best case if tables are cached but not practical
    • 45. End-to-End Security
      • Beyond the scope of cellular systems
      • IPSec
      • Firewall
      • VPN
      • Public Key Infrastructure (PKI) & Digital Certificates
      • MAC on files for download
    • 46. Conclusion
      • Current GSM networks are far more secure than early ones
      • UMTS improves on GSM security
      • Inter-working between UMTS and GSM still has implementation issues
      • Constant innovation – anything secure today is not likely to be secure tomorrow
      • User has the responsibility to protect his/her SIM/USIM
    • 47. Standards (Release 99)
      • Technical specifications
        • TS 21.133 Security threats and requirements
        • TS 22.022 Personalisation of Mobile Equipment (ME)
        • TS 33.102 Security architecture
        • TS 33.103 Integration guidelines
        • TS 33.105 Cryptographic algorithm requirements
        • TS 33.106 Lawful interception requirements
        • TS 33.107 Lawful interception architecture
        • TS 33.120 Security principles and objectives
        • TS 35.20x Access network algorithm specifications
      • Technical reports
        • TR 33.900 Guidelines for 3G security
        • TR 33.901 Criteria for algorithm design
        • TR 33.902 Formal analysis of authentication
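
Slides 19, 20 and 23 worked through in C, as an added example that is not code from the talk: it builds COUNT-C/COUNT-I values, applies the START' formula at RRC release and runs the START < THRESHOLD check. The function and type names are hypothetical; the sequence-number widths (8/7/12/4 bits), the "no key" KSI value 7, the saturation at 20 bits and the rule that START never decreases are assumptions based on TS 33.102, not on the slides.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define START_MAX   0xFFFFFu   /* START is 20 bits wide (slide 23) */
#define KSI_INVALID 7u         /* assumed "no key available" value of CKSN/KSI */
/* Width of the short sequence number below the HFN, per bearer type (assumed). */
typedef enum { RLC_TM = 8, RLC_UM = 7, RLC_AM = 12, RRC_SRB = 4 } sn_bits_t;
typedef struct { uint32_t start; uint32_t ksi; } usim_ctx;

/* A 32-bit COUNT-C / COUNT-I is a hyper frame number (HFN) above a short
 * sequence number whose width depends on the bearer type. */
uint32_t count_make(sn_bits_t w, uint32_t hfn, uint32_t sn) {
    return (hfn << w) | (sn & ((1u << w) - 1u));
}

/* At bearer setup the 20 MSBs of the counter are START, the rest is zero. */
uint32_t count_from_start(uint32_t start) { return (start & START_MAX) << 12; }

/* START' = MSB20(MAX{COUNT-C, COUNT-I}) + 2, saturated to 20 bits.
 * START is never moved backwards (assumption, see lead-in). */
uint32_t start_update(uint32_t cur, const uint32_t *counts, size_t n) {
    uint32_t max = 0;
    for (size_t i = 0; i < n; i++)
        if (counts[i] > max) max = counts[i];
    uint32_t next = (max >> 12) + 2;           /* MSB20 of a 32-bit counter */
    if (next > START_MAX) next = START_MAX;
    return next > cur ? next : cur;
}

/* Run when the RRC connection is released: store START' on the USIM and
 * return 1 if the keys may be re-used, 0 if a new AKA run is needed. */
int session_release(usim_ctx *u, uint32_t threshold,
                    const uint32_t *counts, size_t n) {
    u->start = start_update(u->start, counts, n);
    if (u->start < threshold) return 1;        /* session still valid */
    u->start = threshold;                      /* mark START as invalid */
    u->ksi = KSI_INVALID;                      /* forces re-authentication */
    return 0;
}

int main(void) {
    /* Constructed sample: session began at START = 0x00010, three bearers. */
    uint32_t counts[3] = {
        count_make(RLC_AM, 0x00010, 0x3A5),             /* 20-bit HFN */
        count_make(RLC_UM, (0x00012u << 5) | 3, 0x11),  /* 25-bit HFN */
        count_make(RRC_SRB, (0x00010u << 8) | 9, 2),    /* 28-bit HFN, COUNT-I */
    };
    usim_ctx u = { 0x00010, 3 };
    int ok = session_release(&u, 0x00014, counts, 3);
    printf("START=0x%05X KSI=%u reusable=%d\n", (unsigned)u.start, (unsigned)u.ksi, ok);
}
```

In the constructed sample the busiest bearer has MSB20 = 0x00012, so the "+ 2" margin lands START' exactly on the operator's THRESHOLD and the keys are retired even though no counter has reached it yet.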
