Securing Wireless Cellular Systems
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Securing Wireless Cellular Systems

  • 11,560 views
Uploaded on

ACM Bangalore Tech Talk - Securing Wireless Cellular Systems

ACM Bangalore Tech Talk - Securing Wireless Cellular Systems

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
11,560
On Slideshare
7,731
From Embeds
3,829
Number of Embeds
66

Actions

Shares
Downloads
239
Comments
0
Likes
1

Embeds 3,829

http://blog.3g4g.co.uk 1,207
http://3g4g.blogspot.com 1,044
http://acmbangalore.org 628
http://layers7.blogspot.com 211
http://www.acmbangalore.org 203
http://3g4g.blogspot.in 174
http://3g4g.blogspot.co.uk 73
http://layers7.blogspot.in 56
http://3g4g.blogspot.kr 19
http://www.slideshare.net 18
http://3g4g.blogspot.ca 15
http://3g4g.blogspot.fr 15
http://3g4g.blogspot.de 13
http://3g4g.blogspot.tw 12
http://3g4g.blogspot.com.au 11
http://layers7.blogspot.kr 9
http://layers7.blogspot.nl 7
http://3g4g.blogspot.nl 6
http://translate.googleusercontent.com 6
http://layers7.blogspot.tw 6
http://3g4g.blogspot.it 5
http://3g4g.blogspot.jp 5
http://layers7.blogspot.co.uk 5
http://layers7.blogspot.fr 4
http://layers7.blogspot.com.au 4
http://3g4g.blogspot.sg 4
http://layers7.blogspot.gr 4
http://layers7.blogspot.de 4
http://3g4g.blogspot.be 3
http://layers7.blogspot.se 3
http://3g4g.blogspot.no 3
http://layers7.blogspot.com.br 3
http://3g4g.blogspot.fi 3
http://www.layers7.blogspot.com 2
http://3g4g.blogspot.ie 2
http://layers7.blogspot.hk 2
http://3g4g.blogspot.ch 2
http://layers7.blogspot.hu 2
http://layers7.blogspot.ca 2
http://layers7.blogspot.com.es 2
http://3g4g.blogspot.pt 2
http://3g4g.blogspot.se 2
http://3g4g.blogspot.com.br 2
http://markwhiffen 2
http://layers7.blogspot.jp 2
http://3g4g.blogspot.com.es 2
http://3g4g.blogspot.ru 1
http://www.hanrss.com 1
http://layers7.blogspot.ie 1
http://webcache.googleusercontent.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Securing Wireless Cellular Systems Arvind Padmanabhan [email_address] 9 th May 2009
  • 2. Contents
    • Scope
    • Cellular Basics
    • Security Goals
    • Elements of Security
    • Protocol Procedures
    • Algorithmic Background
    • GSM Flaws & Solutions
    • Implementation Challenges
    • Conclusion
    • References
  • 3. Scope
  • 4. Cellular Basics – Network Architecture GSM MS SS7 BTS BSC MSC VLR HLR AuC GMSC BSS PSTN NSS A E C D PSTN Abis B H MS IP GPRS MS PSDN Gi SGSN Gr Gb Gs GGSN Gc Gn UMTS UE Node B RNC RNS Iub IuCS ATM IuPS
  • 5. Cellular Basics – GSM Protocol Stack Control Plane MS BTS BSC MSC/VLR
  • 6. Cellular Basics – GPRS Protocol Stack Control Plane
  • 7. Cellular Basics – UMTS Protocol Stack Control Plane
  • 8. Security Threats
    • Eavesdropping
    • Spoofing – mobile phishing
    • Denial of service
    • Hacking into Core Network
    • Theft of SIM
    • Theft of mobile phone
    • Employees, partners, sub-contractors
    • Viruses, worms, trojans
  • 9. Security Goals
    • User identity confidentiality
    • User location confidentiality
    • User untraceability
    • User authentication
    • Network authentication
    • Data confidentiality
    • Data integrity
    • Algorithm and key agreement
    • Mobile equipment identification
    • User-to-USIM authentication
    • USIM-Terminal authentication
  • 10. Security Contexts User-SIM context Air interface context RAN-CN context CN context Authentication context Application context
  • 11. What is AKA?
    • AKA is also known as Authentication and Key Agreement
      • Network authenticates the subscriber
      • Subscriber authenticates the network (not in GSM)
      • Both parties agree on the keys to use for data confidentiality and data integrity
    USIM AuC
  • 12. GSM AKA A3 Mobile Station Radio Link GSM Operator A8 A5 A3 A8 A5 K i K i K c K c SIM Authentication: are SRES values equal? Challenge RAND m i Encrypted Data m i Signed response (SRES) SRES SRES F n F n
  • 13. AKA Overview
  • 14. Location Update Procedure Get CKSN from SIM Get Auth Vector from AuC Invoke SIM calculations Secure data exchange
  • 15. Incoming Call
  • 16. RRC Security Procedure
  • 17. Security Procedure at UE RRC
  • 18. Change of Location Area User Identity Request User Identity Response Security context is transferred from the old VLR/SGSN to the new VLR/SGSN
  • 19. Authenticated Session Lifetime START < Yes Session is valid. Keys can be re-used. THRESHOLD No Keys have reached their end of life. Set START as invalid. Set CKSN/KSI as invalid. Updated when RRC connection is released. Fixed by the operator. Stored on SIM/USIM.
  • 20. Updating the START Value
    • START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2
    • Once updated, it is saved into SIM/USIM and deleted from the mobile
  • 21. Counter Check Procedure
    • Check does not involve Core Network
    • Prevent “man-in-the-middle” attacks
    • RRC will query RLC for COUNT-C values
    • RRC will include mismatches in its response
    • UTRAM may release RRC connection
  • 22. Indicating Current CKSN/KSI
    • This field is indicated by UE MM/GMM in the following messages:
      • LOCATION UPDATING REQUEST
      • CM SERVICE REQUEST
      • PAGING RESPONSE
      • CM RE-ESTABLISHMENT REQUEST
    • This field is indicated by UE GMM in the following messages:
      • ROUTING AREA UPDATE REQUEST
      • SERVICE REQUEST
      • ATTACH REQUEST
  • 23. Deriving Ciphering and Integrity Counters START (20 bits) USIM RRC RLC-TM RLC-UM RLC-AM
  • 24. Ciphering Data
  • 25. Data Integrity Additional protection within the same authentication session
  • 26. Transmission of Signalling Content Signalling Content RRC SN MAC Message f9 MAC Signalling Content RRC SN RB ID Message f8 Signalling Content RRC SN MAC Message
  • 27. Integrity Exceptions
    • Integrity is not applied for:
        • HANDOVER TO UTRAN COMPLETE
        • PAGING TYPE 1
        • PUSCH CAPACITY REQUEST
        • PHYSICAL SHARED CHANNEL ALLOCATION
        • RRC CONNECTION REQUEST
        • RRC CONNECTION SETUP
        • RRC CONNECTION SETUP COMPLETE
        • RRC CONNECTION REJECT
        • RRC CONNECTION RELEASE (CCCH only)
        • SYSTEM INFORMATION
        • SYSTEM INFORMATION CHANGE INDICATION
        • TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)
  • 28. Generating the Quintet
  • 29. USIM Security Execution Resynchronization procedure exists in the USIM and HLR/AuC Secret Key
  • 30. AKA for GSM Subscribers 3G phone with GSM SIM connecting to UTRAN 3G phone with GSM SIM connecting to GSM
  • 31. AKA for UMTS Subscribers 2G phone with USIM connecting to GSM & R98- VLR/SGSN 3G phone with USIM connecting to GSM & R98- VLR/SGSN
  • 32. Security Service Summary
  • 33. GSM Handover
    • Intra-BSC HO
      • Nothing to be done
    • Inter-BSC & Intra-MSC HO
      • BSC informs MSC that HO is required
      • MSC commands target BSC and passes on security context
    • Inter-MSC HO
      • Same as above except that current MSC informs target MSC to initiate HO to target cell
  • 34. UMTS to GPRS Cell Reselection
  • 35. Algorithmic Background – Cipher Types
    • Symmetric cipher: shared secret key
      • Stream cipher (OTP)
      • Block cipher (DES, Triple-DES, AES, RC2)
        • Block ciphers can be used as stream ciphers
        • Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR
    E/D E/D
  • 36. Algorithmic Background – Cipher Types
    • Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers)
      • Private key
      • Public key
    • One-way hash (MD5, SHA-1, SHA-2, Triple-DES)
    E D H
  • 37. GSM Security Flaws – 1
    • Weak algorithms – cracked long ago
      • COMP128 was used: this is a keyed hash function generating a 96 bit digest
      • Fault with operators in using COMP128
      • A3 and A8 based on COMP128
      • Kc is only 54 bits
      • COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work
      • Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI
      • In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries!
      • COMP128-4 is based on AES
  • 38. GSM Security Flaws – 2
    • Same basic algorithm is used to generate both SRES and Kc
    • No integrity on signalling data
    • No network authentication
    • Encryption does not extend far into the network
    • Microwave links not protected by operators – Kc could be read easily
  • 39. UMTS Algorithms
    • KASUMI
      • Design authority: ETSI SAGE
      • Based on the block cipher MISTY (Mitsubishi)
      • KASUMI is the Japanese for “MIST”
      • f8 and f9 are based on KASUMI
    • Changes made to aid hardware implementation
    • Keys are 128 bits long
    • No known hacks exist
  • 40. Comparing GSM & UMTS 1. A5/3 AND GEA3 are based on KASUMI Yes No Integrity Synchronization & Key Reuse Activation Ciphering inputs Algorithms & Converters AuC Generated Vectors KSI, START CKSN ActivationTime Immediate/ Handshaking CK, RB ID, COUNT-C, DIRECTION GSM: Kc, COUNT, slot number GPRS: Kc, LLC-based INPUT, DIRECTION VBS/VGCS: group key no. f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f1*, f5*, c1, c2, c3 A3, A5/[1,2,3] 1 , GEA[1,2,3] 1 , A8, c4, c5 (RAND,XRES,CK,IK,AUTN): quintet (RAND,SRES,Kc): triplet 3G GSM/GPRS
  • 41. Implementation Challenges
    • Hardware
    • Or
    • Software ?
    • Rarely matters at the network end.
    • Matters a lot to the mobile.
  • 42. Performance of f8 and f9 - 1
  • 43. Performance of f8 and f9 - 2
  • 44. SW Optimization of f8 and f9
    • Convert 16-bit to 32-bit operations on ARM
      • Single instruction instead of 2 or 4
      • 15% faster
    • Using non-static memory for sub-keys
      • Avoid ARM’s LDR instruction
      • Use structures and pass pointers to functions
      • 5% faster
    • Key scheduling only when CK and IK change
      • 3.5 KB increased memory
      • 60% faster
    • Optimizing FI with table lookups
      • Not recommended since memory usage increases by 256 KB
      • Estimated to give 50% improvement in the best case if tables are cached but not practical
  • 45. End-to-End Security
    • Beyond the scope of cellular systems
    • IPSec
    • Firewall
    • VPN
    • Public Key Infrastructure (PKI) & Digital Certificates
    • MAC on files for download
  • 46. Conclusion
    • Current GSM networks are far more secure than early ones
    • UMTS improves on GSM security
    • Inter-working between UMTS and GSM still has implementation issues
    • Constant innovation – anything secure today is not likely to be secure tomorrow
    • User has the responsibility to protect his/her SIM/USIM
  • 47. Standards (Release 99)
    • Technical specifications
      • TS 21.133 Security threats and requirements
      • TS 22.022 Personalisation of Mobile Equipment (ME)
      • TS 33.102 Security architecture
      • TS 33.103 Integration guidelines
      • TS 33.105 Cryptographic algorithm requirements
      • TS 33.106 Lawful interception requirements
      • TS 33.107 Lawful interception architecture
      • TS 33.120 Security principles and objectives
      • TS 35.20x Access network algorithm specifications
    • Technical reports
      • TR 33.900 Guidelines for 3G security
      • TR 33.901 Criteria for algorithm design
      • TR 33.902 Formal analysis of authentication