0
Securing Wireless Cellular Systems Arvind Padmanabhan [email_address] 9 th  May 2009
Contents <ul><li>Scope </li></ul><ul><li>Cellular Basics </li></ul><ul><li>Security Goals </li></ul><ul><li>Elements of Se...
Scope
Cellular Basics – Network Architecture GSM MS SS7 BTS BSC MSC VLR HLR AuC GMSC BSS PSTN NSS A E C D PSTN Abis B H MS IP GP...
Cellular Basics – GSM Protocol Stack Control Plane MS BTS BSC MSC/VLR
Cellular Basics – GPRS Protocol Stack Control Plane
Cellular Basics – UMTS Protocol Stack Control Plane
Security Threats <ul><li>Eavesdropping </li></ul><ul><li>Spoofing – mobile phishing </li></ul><ul><li>Denial of service </...
Security Goals <ul><li>User identity confidentiality </li></ul><ul><li>User location confidentiality </li></ul><ul><li>Use...
Security Contexts User-SIM context Air interface context RAN-CN context CN context Authentication context Application cont...
What is AKA? <ul><li>AKA is  also known as   Authentication and Key Agreement </li></ul><ul><ul><li>Network authenticates ...
GSM AKA A3 Mobile Station Radio Link GSM Operator A8 A5 A3 A8 A5 K i K i K c K c SIM Authentication: are SRES values equal...
AKA Overview
Location Update Procedure Get CKSN  from SIM Get Auth Vector from AuC Invoke SIM  calculations Secure data exchange
Incoming Call
RRC Security Procedure
Security Procedure at UE RRC
Change of Location Area User Identity Request User Identity Response Security context is transferred from the old VLR/SGSN...
Authenticated Session Lifetime START < Yes Session is valid. Keys can be re-used. THRESHOLD No Keys have reached their end...
Updating the START Value <ul><li>START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using...
Counter Check Procedure <ul><li>Check does not involve Core Network </li></ul><ul><li>Prevent “man-in-the-middle” attacks ...
Indicating Current CKSN/KSI <ul><li>This field is indicated by UE MM/GMM in the following messages: </li></ul><ul><ul><li>...
Deriving Ciphering and Integrity Counters START (20 bits) USIM RRC RLC-TM RLC-UM RLC-AM
Ciphering Data
Data Integrity Additional protection within the same authentication session
Transmission of Signalling Content Signalling Content RRC SN MAC Message f9 MAC Signalling Content RRC SN RB ID Message f8...
Integrity Exceptions <ul><li>Integrity is not applied for: </li></ul><ul><ul><ul><li>HANDOVER TO UTRAN COMPLETE </li></ul>...
Generating the Quintet
USIM Security Execution Resynchronization procedure exists in the USIM and HLR/AuC Secret Key
AKA for GSM Subscribers 3G phone with GSM SIM connecting to UTRAN 3G phone with GSM SIM connecting to GSM
AKA for UMTS Subscribers 2G phone with USIM connecting to GSM & R98- VLR/SGSN 3G phone with USIM connecting to GSM & R98- ...
Security Service Summary
GSM Handover <ul><li>Intra-BSC HO </li></ul><ul><ul><li>Nothing to be done </li></ul></ul><ul><li>Inter-BSC & Intra-MSC HO...
UMTS to GPRS Cell Reselection
Algorithmic Background – Cipher Types <ul><li>Symmetric cipher: shared secret key </li></ul><ul><ul><li>Stream cipher (OTP...
Algorithmic Background – Cipher Types <ul><li>Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers) </li></ul><u...
GSM Security Flaws – 1 <ul><li>Weak algorithms – cracked long ago </li></ul><ul><ul><li>COMP128 was used: this is a keyed ...
GSM Security Flaws – 2 <ul><li>Same basic algorithm is used to generate both SRES and Kc </li></ul><ul><li>No integrity on...
UMTS Algorithms <ul><li>KASUMI </li></ul><ul><ul><li>Design authority: ETSI SAGE </li></ul></ul><ul><ul><li>Based on the b...
Comparing GSM & UMTS 1.  A5/3 AND GEA3 are based on KASUMI Yes No Integrity Synchronization & Key Reuse Activation Cipheri...
Implementation Challenges <ul><li>Hardware </li></ul><ul><li>Or </li></ul><ul><li>Software ? </li></ul><ul><li>Rarely matt...
Performance of f8 and f9 - 1
Performance of f8 and f9 - 2
SW Optimization of f8 and f9 <ul><li>Convert 16-bit to 32-bit operations on ARM </li></ul><ul><ul><li>Single instruction i...
End-to-End Security <ul><li>Beyond the scope of cellular systems </li></ul><ul><li>IPSec </li></ul><ul><li>Firewall </li><...
Conclusion <ul><li>Current GSM networks are far more secure than early ones </li></ul><ul><li>UMTS improves on GSM securit...
Standards (Release 99) <ul><li>Technical specifications </li></ul><ul><ul><li>TS 21.133 Security threats and requirements ...
Upcoming SlideShare
Loading in...5
×

Securing Wireless Cellular Systems

8,657

Published on

ACM Bangalore Tech Talk - Securing Wireless Cellular Systems

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
8,657
On Slideshare
0
From Embeds
0
Number of Embeds
26
Actions
Shares
0
Downloads
254
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Transcript of "Securing Wireless Cellular Systems"

    1. 1. Securing Wireless Cellular Systems Arvind Padmanabhan [email_address] 9 th May 2009
    2. 2. Contents <ul><li>Scope </li></ul><ul><li>Cellular Basics </li></ul><ul><li>Security Goals </li></ul><ul><li>Elements of Security </li></ul><ul><li>Protocol Procedures </li></ul><ul><li>Algorithmic Background </li></ul><ul><li>GSM Flaws & Solutions </li></ul><ul><li>Implementation Challenges </li></ul><ul><li>Conclusion </li></ul><ul><li>References </li></ul>
    3. 3. Scope
    4. 4. Cellular Basics – Network Architecture GSM MS SS7 BTS BSC MSC VLR HLR AuC GMSC BSS PSTN NSS A E C D PSTN Abis B H MS IP GPRS MS PSDN Gi SGSN Gr Gb Gs GGSN Gc Gn UMTS UE Node B RNC RNS Iub IuCS ATM IuPS
    5. 5. Cellular Basics – GSM Protocol Stack Control Plane MS BTS BSC MSC/VLR
    6. 6. Cellular Basics – GPRS Protocol Stack Control Plane
    7. 7. Cellular Basics – UMTS Protocol Stack Control Plane
    8. 8. Security Threats <ul><li>Eavesdropping </li></ul><ul><li>Spoofing – mobile phishing </li></ul><ul><li>Denial of service </li></ul><ul><li>Hacking into Core Network </li></ul><ul><li>Theft of SIM </li></ul><ul><li>Theft of mobile phone </li></ul><ul><li>Employees, partners, sub-contractors </li></ul><ul><li>Viruses, worms, trojans </li></ul>
    9. 9. Security Goals <ul><li>User identity confidentiality </li></ul><ul><li>User location confidentiality </li></ul><ul><li>User untraceability </li></ul><ul><li>User authentication </li></ul><ul><li>Network authentication </li></ul><ul><li>Data confidentiality </li></ul><ul><li>Data integrity </li></ul><ul><li>Algorithm and key agreement </li></ul><ul><li>Mobile equipment identification </li></ul><ul><li>User-to-USIM authentication </li></ul><ul><li>USIM-Terminal authentication </li></ul>
    10. 10. Security Contexts User-SIM context Air interface context RAN-CN context CN context Authentication context Application context
    11. 11. What is AKA? <ul><li>AKA is also known as Authentication and Key Agreement </li></ul><ul><ul><li>Network authenticates the subscriber </li></ul></ul><ul><ul><li>Subscriber authenticates the network (not in GSM) </li></ul></ul><ul><ul><li>Both parties agree on the keys to use for data confidentiality and data integrity </li></ul></ul>USIM AuC
    12. 12. GSM AKA A3 Mobile Station Radio Link GSM Operator A8 A5 A3 A8 A5 K i K i K c K c SIM Authentication: are SRES values equal? Challenge RAND m i Encrypted Data m i Signed response (SRES) SRES SRES F n F n
    13. 13. AKA Overview
    14. 14. Location Update Procedure Get CKSN from SIM Get Auth Vector from AuC Invoke SIM calculations Secure data exchange
    15. 15. Incoming Call
    16. 16. RRC Security Procedure
    17. 17. Security Procedure at UE RRC
    18. 18. Change of Location Area User Identity Request User Identity Response Security context is transferred from the old VLR/SGSN to the new VLR/SGSN
    19. 19. Authenticated Session Lifetime START < Yes Session is valid. Keys can be re-used. THRESHOLD No Keys have reached their end of life. Set START as invalid. Set CKSN/KSI as invalid. Updated when RRC connection is released. Fixed by the operator. Stored on SIM/USIM.
    20. 20. Updating the START Value <ul><li>START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2 </li></ul><ul><li>Once updated, it is saved into SIM/USIM and deleted from the mobile </li></ul>
    21. 21. Counter Check Procedure <ul><li>Check does not involve Core Network </li></ul><ul><li>Prevent “man-in-the-middle” attacks </li></ul><ul><li>RRC will query RLC for COUNT-C values </li></ul><ul><li>RRC will include mismatches in its response </li></ul><ul><li>UTRAM may release RRC connection </li></ul>
    22. 22. Indicating Current CKSN/KSI <ul><li>This field is indicated by UE MM/GMM in the following messages: </li></ul><ul><ul><li>LOCATION UPDATING REQUEST </li></ul></ul><ul><ul><li>CM SERVICE REQUEST </li></ul></ul><ul><ul><li>PAGING RESPONSE </li></ul></ul><ul><ul><li>CM RE-ESTABLISHMENT REQUEST </li></ul></ul><ul><li>This field is indicated by UE GMM in the following messages: </li></ul><ul><ul><li>ROUTING AREA UPDATE REQUEST </li></ul></ul><ul><ul><li>SERVICE REQUEST </li></ul></ul><ul><ul><li>ATTACH REQUEST </li></ul></ul>
    23. 23. Deriving Ciphering and Integrity Counters START (20 bits) USIM RRC RLC-TM RLC-UM RLC-AM
    24. 24. Ciphering Data
    25. 25. Data Integrity Additional protection within the same authentication session
    26. 26. Transmission of Signalling Content Signalling Content RRC SN MAC Message f9 MAC Signalling Content RRC SN RB ID Message f8 Signalling Content RRC SN MAC Message
    27. 27. Integrity Exceptions <ul><li>Integrity is not applied for: </li></ul><ul><ul><ul><li>HANDOVER TO UTRAN COMPLETE </li></ul></ul></ul><ul><ul><ul><li>PAGING TYPE 1 </li></ul></ul></ul><ul><ul><ul><li>PUSCH CAPACITY REQUEST </li></ul></ul></ul><ul><ul><ul><li>PHYSICAL SHARED CHANNEL ALLOCATION </li></ul></ul></ul><ul><ul><ul><li>RRC CONNECTION REQUEST </li></ul></ul></ul><ul><ul><ul><li>RRC CONNECTION SETUP </li></ul></ul></ul><ul><ul><ul><li>RRC CONNECTION SETUP COMPLETE </li></ul></ul></ul><ul><ul><ul><li>RRC CONNECTION REJECT </li></ul></ul></ul><ul><ul><ul><li>RRC CONNECTION RELEASE (CCCH only) </li></ul></ul></ul><ul><ul><ul><li>SYSTEM INFORMATION </li></ul></ul></ul><ul><ul><ul><li>SYSTEM INFORMATION CHANGE INDICATION </li></ul></ul></ul><ul><ul><ul><li>TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only) </li></ul></ul></ul>
    28. 28. Generating the Quintet
    29. 29. USIM Security Execution Resynchronization procedure exists in the USIM and HLR/AuC Secret Key
    30. 30. AKA for GSM Subscribers 3G phone with GSM SIM connecting to UTRAN 3G phone with GSM SIM connecting to GSM
    31. 31. AKA for UMTS Subscribers 2G phone with USIM connecting to GSM & R98- VLR/SGSN 3G phone with USIM connecting to GSM & R98- VLR/SGSN
    32. 32. Security Service Summary
    33. 33. GSM Handover <ul><li>Intra-BSC HO </li></ul><ul><ul><li>Nothing to be done </li></ul></ul><ul><li>Inter-BSC & Intra-MSC HO </li></ul><ul><ul><li>BSC informs MSC that HO is required </li></ul></ul><ul><ul><li>MSC commands target BSC and passes on security context </li></ul></ul><ul><li>Inter-MSC HO </li></ul><ul><ul><li>Same as above except that current MSC informs target MSC to initiate HO to target cell </li></ul></ul>
    34. 34. UMTS to GPRS Cell Reselection
    35. 35. Algorithmic Background – Cipher Types <ul><li>Symmetric cipher: shared secret key </li></ul><ul><ul><li>Stream cipher (OTP) </li></ul></ul><ul><ul><li>Block cipher (DES, Triple-DES, AES, RC2) </li></ul></ul><ul><ul><ul><li>Block ciphers can be used as stream ciphers </li></ul></ul></ul><ul><ul><ul><li>Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR </li></ul></ul></ul>E/D E/D
    36. 36. Algorithmic Background – Cipher Types <ul><li>Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers) </li></ul><ul><ul><li>Private key </li></ul></ul><ul><ul><li>Public key </li></ul></ul><ul><li>One-way hash (MD5, SHA-1, SHA-2, Triple-DES) </li></ul>E D H
    37. 37. GSM Security Flaws – 1 <ul><li>Weak algorithms – cracked long ago </li></ul><ul><ul><li>COMP128 was used: this is a keyed hash function generating a 96 bit digest </li></ul></ul><ul><ul><li>Fault with operators in using COMP128 </li></ul></ul><ul><ul><li>A3 and A8 based on COMP128 </li></ul></ul><ul><ul><li>Kc is only 54 bits </li></ul></ul><ul><ul><li>COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work </li></ul></ul><ul><ul><li>Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI </li></ul></ul><ul><ul><li>In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries! </li></ul></ul><ul><ul><li>COMP128-4 is based on AES </li></ul></ul>
    38. 38. GSM Security Flaws – 2 <ul><li>Same basic algorithm is used to generate both SRES and Kc </li></ul><ul><li>No integrity on signalling data </li></ul><ul><li>No network authentication </li></ul><ul><li>Encryption does not extend far into the network </li></ul><ul><li>Microwave links not protected by operators – Kc could be read easily </li></ul>
    39. 39. UMTS Algorithms <ul><li>KASUMI </li></ul><ul><ul><li>Design authority: ETSI SAGE </li></ul></ul><ul><ul><li>Based on the block cipher MISTY (Mitsubishi) </li></ul></ul><ul><ul><li>KASUMI is the Japanese for “MIST” </li></ul></ul><ul><ul><li>f8 and f9 are based on KASUMI </li></ul></ul><ul><li>Changes made to aid hardware implementation </li></ul><ul><li>Keys are 128 bits long </li></ul><ul><li>No known hacks exist </li></ul>
    40. 40. Comparing GSM & UMTS 1. A5/3 AND GEA3 are based on KASUMI Yes No Integrity Synchronization & Key Reuse Activation Ciphering inputs Algorithms & Converters AuC Generated Vectors KSI, START CKSN ActivationTime Immediate/ Handshaking CK, RB ID, COUNT-C, DIRECTION GSM: Kc, COUNT, slot number GPRS: Kc, LLC-based INPUT, DIRECTION VBS/VGCS: group key no. f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f1*, f5*, c1, c2, c3 A3, A5/[1,2,3] 1 , GEA[1,2,3] 1 , A8, c4, c5 (RAND,XRES,CK,IK,AUTN): quintet (RAND,SRES,Kc): triplet 3G GSM/GPRS
    41. 41. Implementation Challenges <ul><li>Hardware </li></ul><ul><li>Or </li></ul><ul><li>Software ? </li></ul><ul><li>Rarely matters at the network end. </li></ul><ul><li>Matters a lot to the mobile. </li></ul>
    42. 42. Performance of f8 and f9 - 1
    43. 43. Performance of f8 and f9 - 2
    44. 44. SW Optimization of f8 and f9 <ul><li>Convert 16-bit to 32-bit operations on ARM </li></ul><ul><ul><li>Single instruction instead of 2 or 4 </li></ul></ul><ul><ul><li>15% faster </li></ul></ul><ul><li>Using non-static memory for sub-keys </li></ul><ul><ul><li>Avoid ARM’s LDR instruction </li></ul></ul><ul><ul><li>Use structures and pass pointers to functions </li></ul></ul><ul><ul><li>5% faster </li></ul></ul><ul><li>Key scheduling only when CK and IK change </li></ul><ul><ul><li>3.5 KB increased memory </li></ul></ul><ul><ul><li>60% faster </li></ul></ul><ul><li>Optimizing FI with table lookups </li></ul><ul><ul><li>Not recommended since memory usage increases by 256 KB </li></ul></ul><ul><ul><li>Estimated to give 50% improvement in the best case if tables are cached but not practical </li></ul></ul>
    45. 45. End-to-End Security <ul><li>Beyond the scope of cellular systems </li></ul><ul><li>IPSec </li></ul><ul><li>Firewall </li></ul><ul><li>VPN </li></ul><ul><li>Public Key Infrastructure (PKI) & Digital Certificates </li></ul><ul><li>MAC on files for download </li></ul>
    46. 46. Conclusion <ul><li>Current GSM networks are far more secure than early ones </li></ul><ul><li>UMTS improves on GSM security </li></ul><ul><li>Inter-working between UMTS and GSM still has implementation issues </li></ul><ul><li>Constant innovation – anything secure today is not likely to be secure tomorrow </li></ul><ul><li>User has the responsibility to protect his/her SIM/USIM </li></ul>
    47. 47. Standards (Release 99) <ul><li>Technical specifications </li></ul><ul><ul><li>TS 21.133 Security threats and requirements </li></ul></ul><ul><ul><li>TS 22.022 Personalisation of Mobile Equipment (ME) </li></ul></ul><ul><ul><li>TS 33.102 Security architecture </li></ul></ul><ul><ul><li>TS 33.103 Integration guidelines </li></ul></ul><ul><ul><li>TS 33.105 Cryptographic algorithm requirements </li></ul></ul><ul><ul><li>TS 33.106 Lawful interception requirements </li></ul></ul><ul><ul><li>TS 33.107 Lawful interception architecture </li></ul></ul><ul><ul><li>TS 33.120 Security principles and objectives </li></ul></ul><ul><ul><li>TS 35.20x Access network algorithm specifications </li></ul></ul><ul><li>Technical reports </li></ul><ul><ul><li>TR 33.900 Guidelines for 3G security </li></ul></ul><ul><ul><li>TR 33.901 Criteria for algorithm design </li></ul></ul><ul><ul><li>TR 33.902 Formal analysis of authentication </li></ul></ul>
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×