Securing Wireless Cellular Systems

ACM Bangalore Tech Talk - Securing Wireless Cellular Systems


Transcript

  • 1. Securing Wireless Cellular Systems. Arvind Padmanabhan, [email_address], 9th May 2009
  • 2. Contents
    • Scope
    • Cellular Basics
    • Security Goals
    • Elements of Security
    • Protocol Procedures
    • Algorithmic Background
    • GSM Flaws & Solutions
    • Implementation Challenges
    • Conclusion
    • References
  • 3. Scope
  • 4. Cellular Basics – Network Architecture
    [Diagram labels. GSM: MS, BTS, BSC (BSS); MSC, VLR, HLR, AuC, GMSC (NSS); SS7; PSTN; interfaces Abis, A, B, C, D, E, H. GPRS: MS, SGSN, GGSN; IP; PSDN; interfaces Gb, Gn, Gi, Gr, Gc, Gs. UMTS: UE, Node B, RNC (RNS); ATM; interfaces Iub, IuCS, IuPS.]
  • 5. Cellular Basics – GSM Protocol Stack Control Plane MS BTS BSC MSC/VLR
  • 6. Cellular Basics – GPRS Protocol Stack Control Plane
  • 7. Cellular Basics – UMTS Protocol Stack Control Plane
  • 8. Security Threats
    • Eavesdropping
    • Spoofing – mobile phishing
    • Denial of service
    • Hacking into Core Network
    • Theft of SIM
    • Theft of mobile phone
    • Employees, partners, sub-contractors
    • Viruses, worms, trojans
  • 9. Security Goals
    • User identity confidentiality
    • User location confidentiality
    • User untraceability
    • User authentication
    • Network authentication
    • Data confidentiality
    • Data integrity
    • Algorithm and key agreement
    • Mobile equipment identification
    • User-to-USIM authentication
    • USIM-Terminal authentication
  • 10. Security Contexts
    • User-SIM context
    • Air interface context
    • RAN-CN context
    • CN context
    • Authentication context
    • Application context
  • 11. What is AKA?
    • AKA stands for Authentication and Key Agreement
      • Network authenticates the subscriber
      • Subscriber authenticates the network (not in GSM)
      • Both parties agree on the keys to use for data confidentiality and data integrity
    [Diagram labels: USIM, AuC]
  • 12. GSM AKA
    [Diagram: the Mobile Station (SIM) and the GSM Operator, connected by the Radio Link. Labels on each side: Ki, A3, A8, A5, Kc, Fn. Flows: Challenge RAND; Signed response (SRES); Encrypted Data (mi). Authentication: are SRES values equal?]
  • 13. AKA Overview
  • 14. Location Update Procedure
    • Get CKSN from SIM
    • Get Auth Vector from AuC
    • Invoke SIM calculations
    • Secure data exchange
  • 15. Incoming Call
  • 16. RRC Security Procedure
  • 17. Security Procedure at UE RRC
  • 18. Change of Location Area
    • User Identity Request
    • User Identity Response
    • Security context is transferred from the old VLR/SGSN to the new VLR/SGSN
  • 19. Authenticated Session Lifetime
    • Check: START < THRESHOLD?
      • Yes: Session is valid. Keys can be re-used.
      • No: Keys have reached their end of life. Set START as invalid. Set CKSN/KSI as invalid.
    • START: updated when RRC connection is released.
    • THRESHOLD: fixed by the operator.
    • Stored on SIM/USIM.
  • 20. Updating the START Value
    • START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2
    • Once updated, it is saved into SIM/USIM and deleted from the mobile
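The START' rule on slide 20 and the START < THRESHOLD check on slide 19, worked through as an added example (not code from the talk). The struct and function names are hypothetical; the 32-bit width of COUNT-C/COUNT-I and the initial-COUNT rule are assumptions following TS 33.102.

```c
#include <stddef.h>
#include <stdint.h>

#define START_MAX 0xFFFFFu /* START is 20 bits wide */

/* Constructed model of the values the slides keep on the SIM/USIM. */
typedef struct {
    uint32_t start;       /* 20-bit START */
    uint32_t threshold;   /* THRESHOLD, fixed by the operator */
    int start_valid;
    int ksi_valid;        /* CKSN/KSI validity */
} usim_state;

/* MSB20: top 20 bits of a COUNT-C/COUNT-I (assumed 32 bits wide). */
static uint32_t msb20(uint32_t count) { return count >> 12; }

/* START' = MSB20(MAX{COUNT-C, COUNT-I}) + 2 over every bearer that used
   the current CK and IK. Clamping at the 20-bit maximum is a choice made
   by this example, not something stated on the slide. */
uint32_t start_update(const uint32_t *counts, size_t n) {
    uint32_t max = 0;
    for (size_t i = 0; i < n; i++)
        if (counts[i] > max) max = counts[i];
    uint32_t s = msb20(max) + 2;
    return s > START_MAX ? START_MAX : s;
}

/* First COUNT a new bearer would use: START in the 20 most significant
   bits, remaining bits zero (assumption, following TS 33.102). */
uint32_t count_initial(uint32_t start) { return start << 12; }

/* Slide 19 decision: keys are re-usable only while START < THRESHOLD;
   otherwise START and CKSN/KSI are marked invalid. */
int keys_reusable(usim_state *u) {
    if (u->start_valid && u->ksi_valid && u->start < u->threshold)
        return 1;
    u->start_valid = 0;
    u->ksi_valid = 0;
    return 0;
}

/* On RRC connection release: compute START', store it, re-check lifetime. */
int on_rrc_release(usim_state *u, const uint32_t *counts, size_t n) {
    u->start = start_update(counts, n);
    return keys_reusable(u);
}
```

Because of the +2, the first COUNT derived from START' is always above every COUNT already used with the same CK and IK, so no counter value repeats under one key.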
  • 21. Counter Check Procedure
    • Check does not involve Core Network
    • Prevents “man-in-the-middle” attacks
    • RRC will query RLC for COUNT-C values
    • RRC will include mismatches in its response
    • UTRAN may release RRC connection
  • 22. Indicating Current CKSN/KSI
    • This field is indicated by UE MM/GMM in the following messages:
      • LOCATION UPDATING REQUEST
      • CM SERVICE REQUEST
      • PAGING RESPONSE
      • CM RE-ESTABLISHMENT REQUEST
    • This field is indicated by UE GMM in the following messages:
      • ROUTING AREA UPDATE REQUEST
      • SERVICE REQUEST
      • ATTACH REQUEST
  • 23. Deriving Ciphering and Integrity Counters
    [Diagram labels: START (20 bits), USIM, RRC, RLC-TM, RLC-UM, RLC-AM]
  • 24. Ciphering Data
  • 25. Data Integrity
    • Additional protection within the same authentication session
  • 26. Transmission of Signalling Content
    [Diagram labels: Signalling Content, RRC SN, MAC, Message, RB ID; functions f9 and f8]
  • 27. Integrity Exceptions
    • Integrity is not applied for:
        • HANDOVER TO UTRAN COMPLETE
        • PAGING TYPE 1
        • PUSCH CAPACITY REQUEST
        • PHYSICAL SHARED CHANNEL ALLOCATION
        • RRC CONNECTION REQUEST
        • RRC CONNECTION SETUP
        • RRC CONNECTION SETUP COMPLETE
        • RRC CONNECTION REJECT
        • RRC CONNECTION RELEASE (CCCH only)
        • SYSTEM INFORMATION
        • SYSTEM INFORMATION CHANGE INDICATION
        • TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)
  • 28. Generating the Quintet
  • 29. USIM Security Execution
    • Resynchronization procedure exists in the USIM and HLR/AuC
    [Diagram label: Secret Key]
  • 30. AKA for GSM Subscribers
    • 3G phone with GSM SIM connecting to UTRAN
    • 3G phone with GSM SIM connecting to GSM
  • 31. AKA for UMTS Subscribers
    • 2G phone with USIM connecting to GSM & R98- VLR/SGSN
    • 3G phone with USIM connecting to GSM & R98- VLR/SGSN
  • 32. Security Service Summary
  • 33. GSM Handover
    • Intra-BSC HO
      • Nothing to be done
    • Inter-BSC & Intra-MSC HO
      • BSC informs MSC that HO is required
      • MSC commands target BSC and passes on security context
    • Inter-MSC HO
      • Same as above except that current MSC informs target MSC to initiate HO to target cell
  • 34. UMTS to GPRS Cell Reselection
  • 35. Algorithmic Background – Cipher Types
    • Symmetric cipher: shared secret key
      • Stream cipher (OTP)
      • Block cipher (DES, Triple-DES, AES, RC2)
        • Block ciphers can be used as stream ciphers
        • Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR
  • 36. Algorithmic Background – Cipher Types
    • Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers)
      • Private key
      • Public key
    • One-way hash (MD5, SHA-1, SHA-2, Triple-DES)
  • 37. GSM Security Flaws – 1
    • Weak algorithms – cracked long ago
      • COMP128 was used: this is a keyed hash function generating a 96 bit digest
      • Operators were at fault in using COMP128
      • A3 and A8 based on COMP128
      • Kc is only 54 bits
      • COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work
      • Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI
      • In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries!
      • COMP128-4 is based on AES
  • 38. GSM Security Flaws – 2
    • Same basic algorithm is used to generate both SRES and Kc
    • No integrity on signalling data
    • No network authentication
    • Encryption does not extend far into the network
    • Microwave links not protected by operators – Kc could be read easily
  • 39. UMTS Algorithms
    • KASUMI
      • Design authority: ETSI SAGE
      • Based on the block cipher MISTY (Mitsubishi)
      • KASUMI is the Japanese word for “MIST”
      • f8 and f9 are based on KASUMI
    • Changes made to aid hardware implementation
    • Keys are 128 bits long
    • No known hacks exist
  • 40. Comparing GSM & UMTS
    • Integrity
      • 3G: Yes
      • GSM/GPRS: No
    • Synchronization & Key Reuse
      • 3G: KSI, START
      • GSM/GPRS: CKSN
    • Activation
      • 3G: ActivationTime
      • GSM/GPRS: Immediate/Handshaking
    • Ciphering inputs
      • 3G: CK, RB ID, COUNT-C, DIRECTION
      • GSM/GPRS: GSM: Kc, COUNT, slot number; GPRS: Kc, LLC-based INPUT, DIRECTION; VBS/VGCS: group key no.
    • Algorithms & Converters
      • 3G: f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f1*, f5*, c1, c2, c3
      • GSM/GPRS: A3, A5/[1,2,3] (note 1), GEA[1,2,3] (note 1), A8, c4, c5
    • AuC Generated Vectors
      • 3G: (RAND,XRES,CK,IK,AUTN): quintet
      • GSM/GPRS: (RAND,SRES,Kc): triplet
    • Note 1: A5/3 and GEA3 are based on KASUMI
  • 41. Implementation Challenges
    • Hardware or software?
    • Rarely matters at the network end.
    • Matters a lot to the mobile.
  • 42. Performance of f8 and f9 - 1
  • 43. Performance of f8 and f9 - 2
  • 44. SW Optimization of f8 and f9
    • Convert 16-bit to 32-bit operations on ARM
      • Single instruction instead of 2 or 4
      • 15% faster
    • Using non-static memory for sub-keys
      • Avoid ARM’s LDR instruction
      • Use structures and pass pointers to functions
      • 5% faster
    • Key scheduling only when CK and IK change
      • 3.5 KB increased memory
      • 60% faster
    • Optimizing FI with table lookups
      • Not recommended since memory usage increases by 256 KB
      • Estimated to give 50% improvement in the best case if tables are cached but not practical
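Two of the optimizations on slide 44, as an added example (not the author's code): subkeys held in a caller-owned structure passed by pointer, and the KASUMI key schedule run only when CK or IK changes. The type and function names are hypothetical; the schedule is written from the public TS 35.202 description.

```c
#include <stdint.h>
#include <string.h>
/* Caller-owned subkey store, passed by pointer (no static subkey arrays). */
typedef struct {
    uint8_t  key[16];   /* CK or IK the subkeys were derived from */
    int      valid;     /* 0 until a schedule has been computed */
    unsigned runs;      /* schedule computations, to observe the saving */
    uint16_t KL1[8], KL2[8], KO1[8], KO2[8], KO3[8], KI1[8], KI2[8], KI3[8];
} kasumi_ctx;

static uint16_t rol16(uint16_t v, unsigned n) {
    return (uint16_t)((v << n) | (v >> (16 - n)));
}

/* KASUMI key schedule, written from the public TS 35.202 description. */
static void kasumi_schedule(kasumi_ctx *c, const uint8_t k[16]) {
    static const uint16_t C[8] = { 0x0123, 0x4567, 0x89AB, 0xCDEF,
                                   0xFEDC, 0xBA98, 0x7654, 0x3210 };
    uint16_t K[8], Kp[8];
    for (int i = 0; i < 8; i++) {
        K[i]  = (uint16_t)((k[2 * i] << 8) | k[2 * i + 1]);
        Kp[i] = (uint16_t)(K[i] ^ C[i]);
    }
    for (int i = 0; i < 8; i++) {
        c->KL1[i] = rol16(K[i], 1);
        c->KL2[i] = Kp[(i + 2) & 7];
        c->KO1[i] = rol16(K[(i + 1) & 7], 5);
        c->KO2[i] = rol16(K[(i + 5) & 7], 8);
        c->KO3[i] = rol16(K[(i + 6) & 7], 13);
        c->KI1[i] = Kp[(i + 4) & 7];
        c->KI2[i] = Kp[(i + 3) & 7];
        c->KI3[i] = Kp[(i + 7) & 7];
    }
    memcpy(c->key, k, 16);
    c->valid = 1; c->runs++;
}

/* Call before each f8/f9 use: the schedule runs only when the key changed. */
const kasumi_ctx *kasumi_prepare(kasumi_ctx *c, const uint8_t k[16]) {
    if (!c->valid || memcmp(c->key, k, 16) != 0)
        kasumi_schedule(c, k);
    return c;
}

/* Cached subkeys are key material: wipe them when the keys are retired. */
void kasumi_forget(kasumi_ctx *c) {
    volatile uint8_t *p = (volatile uint8_t *)c;
    for (size_t i = 0; i < sizeof *c; i++) p[i] = 0;
}
```

The cache trades memory for speed, so the cached copy has to be wiped whenever CK and IK are invalidated, for example when START reaches THRESHOLD.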
  • 45. End-to-End Security
    • Beyond the scope of cellular systems
    • IPSec
    • Firewall
    • VPN
    • Public Key Infrastructure (PKI) & Digital Certificates
    • MAC on files for download
  • 46. Conclusion
    • Current GSM networks are far more secure than early ones
    • UMTS improves on GSM security
    • Inter-working between UMTS and GSM still has implementation issues
    • Constant innovation – anything secure today is not likely to be secure tomorrow
    • User has the responsibility to protect his/her SIM/USIM
  • 47. Standards (Release 99)
    • Technical specifications
      • TS 21.133 Security threats and requirements
      • TS 22.022 Personalisation of Mobile Equipment (ME)
      • TS 33.102 Security architecture
      • TS 33.103 Integration guidelines
      • TS 33.105 Cryptographic algorithm requirements
      • TS 33.106 Lawful interception requirements
      • TS 33.107 Lawful interception architecture
      • TS 33.120 Security principles and objectives
      • TS 35.20x Access network algorithm specifications
    • Technical reports
      • TR 33.900 Guidelines for 3G security
      • TR 33.901 Criteria for algorithm design
      • TR 33.902 Formal analysis of authentication