Your SlideShare is downloading. ×
3G Security Overview
3G Security Overview
3G Security Overview
3G Security Overview
3G Security Overview
3G Security Overview
3G Security Overview
3G Security Overview
3G Security Overview
3G Security Overview
3G Security Overview
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

3G Security Overview

1,744

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,744
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
110
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. USEC USECA 3G Security Overview Peter Howard Research and Standards Engineer Communications Security and Advanced Development Vodafone Limited peter.howard@vf.vodafone.co.uk IIR Fraud and Security Conference, March 2000 -1- 3G Security Overview USECA Contents • Background and context • Principles and objectives for 3G security • 3G threat analysis and security requirements capture • Overview of 3G security features • The 3G security architecture • The USECA demonstrator IIR Fraud and Security Conference, March 2000 -2- 3G Security Overview 1
  • 2. USECA GSM security • One of the aspects of GSM that has played a significant part in its global appeal is its set of security features • GSM was the first public telephone system to use integrated cryptographic mechanisms • By virtue of GSM penetration, these mechanisms have achieved the status of being the most widespread household use of cryptography • GSM security model has been adopted, modified and extended for DECT, TETRA and now 3GPP IIR Fraud and Security Conference, March 2000 -3- 3G Security Overview USECA GSM security features • Secure user access to telecommunications services – Allows a network operator to authenticate the identity of a user in such a way that it is practically impossible for someone to make fraudulent calls by masquerading as a genuine user • User and signalling traffic confidentiality – Protects user traffic, both voice and data, and sensitive signalling data, such as dialled telephone numbers, against eavesdropping on the radio path • User anonymity – Designed to protect the user against someone, who knows the user’s IMSI, from using this information to track the location of the user or to identify calls made to or from that user by eavesdropping on the radio path IIR Fraud and Security Conference, March 2000 -4- 3G Security Overview 2
  • 3. USECA GSM security mechanisms • Cryptographic authentication verifies the subscription with the home network when service is requested – Challenge / response authentication protocol based on a subscriber specific secret authentication key • Radio interface encryption prevents eavesdropping and authenticates the use of the radio channel - the latter is often forgotten – The encryption mechanism is based on a symmetric stream cipher – The key for encryption is established as part of the authentication protocol • The allocation and use of temporary identities helps to provide user anonymity IIR Fraud and Security Conference, March 2000 -5- 3G Security Overview USECA Overview of the GSM security architecture • Authentication and key agreement • Encryption • Allocation and use of temporary identities IIR Fraud and Security Conference, March 2000 -6- 3G Security Overview 3
  • 4. USECA Authentication and key agreement protocol MS/SIM MSC/VLR HLR/AuC Ki: Subscriber authentication key RAND A3: Algorithm for calculating RES Ki A8: Algorithm for calculating Kc RAND: User challenge A3 A8 (X)RES: (Expected) user response Kc: Encryption key Authentication Data Request XRES Kc {RAND, XRES, Kc}: Security triplet {RAND, XRES, Kc} RAND RAND Ki MS/SIM Mobile Station / Subscriber Identity Module A3 A8 MSC/VLRMobile Switching Centre / Visitor Location Register RES HLR/AuC Home Location Register / RES Kc Authentication Centre IIR Fraud and Security Conference, March 2000 -7- 3G Security Overview USECA The encryption mechanism MS/SIM BS MSC/VLR Authentication and key agreement protocol Kc Kc Kc Kc: Encryption key A5: Algorithm for plaintext ciphertext ciphertext plaintext encryption / A5 A5 decryption Uplink traffic MS/SIM Mobile Station / Kc Kc Subscriber Identity Module plaintext ciphertext ciphertext plaintext BS Base Station A5 A5 MSC/VLR Mobile Switching Centre / Visitor Downlink traffic Location Register IIR Fraud and Security Conference, March 2000 -8- 3G Security Overview 4
  • 5. USECA Allocation and use of temporary identities MS/SIM MSC/VLR IMSI (for first time, or if data not available in current VLR) subscriber authentication and ciphering TMSI (encrypted) subsequent location updates: TMSI old (unencrypted) subscriber authentication and ciphering TMSI new (encrypted) MS/SIM Mobile Station / Subscriber Identity Module MSC/VLR Mobile Switching Centre / Visitor Location Register IIR Fraud and Security Conference, March 2000 -9- 3G Security Overview USECA Security for later GSM developments • GPRS security – Same architecture for authentication and key agreement – Encryption applied at LLC layer and extended further back into core network – New encryption algorithms • SIM toolkit security – Allows a secure channel to be established between the SIM and a network server – For applications which demand security features beyond those originally offered by GSM • applications in electronic commerce • secure remote management of SIMs or mobile stations IIR Fraud and Security Conference, March 2000 - 10 - 3G Security Overview 5
  • 6. USECA Limitations considered • COMP-128 • A5/1 • False base station attacks • Encryption key length • Terminated of encryption in the base station • Core network signalling security • Attacks are complex • This is not like analogue cloning or eavesdropping IIR Fraud and Security Conference, March 2000 - 11 - 3G Security Overview USECA 3GPP security principles • Ensure that 3G security builds on the security of GSM where features that have proved to be needed and that are robust shall be adopted for 3G • Ensure that 3G security improves on the security of second generation systems by correcting real and perceived weaknesses • Ensure that new 3G security features are defined as necessary to secure new services offered by 3G IIR Fraud and Security Conference, March 2000 - 12 - 3G Security Overview 6
  • 7. USECA 3G security objectives • Ensure that information generated by or relating to a user is adequately protected against misuse or misappropriation • Ensure that the resources and services provided are adequately protected against misuse or misappropriation • Ensure that the security features standardised are compatible with world-wide availability • Ensure that the security features are adequately standardised to ensure world-wide interoperability and roaming between different serving networks • Ensure that the level of protection afforded to users and providers of services is better than that provided in contemporary fixed and mobile networks (including GSM) • Ensure that the implementation of 3GPP security features and mechanisms can be extended and enhanced as required by new threats and services IIR Fraud and Security Conference, March 2000 - 13 - 3G Security Overview USECA 3G requirements capture • Based on the threat analysis, a comprehensive list of security requirements were captured and categorised • The security requirements help identify which security features need to be introduced in order to counteract the threats • The requirements capture has lead to the identification of additional security features beyond those retained from GSM IIR Fraud and Security Conference, March 2000 - 14 - 3G Security Overview 7
  • 8. USECA Development of 3G security architecture System Service Threat analysis assumptions requirements security requirements security features (confidentiality, integrity features instances etc...) (e.g.confidentiality on the air interface) security mechanisms security architecture system architecture IIR Fraud and Security Conference, March 2000 - 15 - 3G Security Overview USECA Summary of 3G R99 security features (beyond GSM) • Protection against active attacks on the radio interface – New integrity mechanism added to protect critical signalling information on the radio interface – Enhanced authentication protocol provides mutual authentication and freshness of cipher/integrity key towards the user • Enhanced encryption – Stronger algorithm, longer key – Encryption terminates in the radio network controller rather than the base station • Core network security – Some protection of signalling between network nodes • Potential for secure global roaming – Adoption of 3GPP authentication by TIA TR-45 / 3GPP2 IIR Fraud and Security Conference, March 2000 - 16 - 3G Security Overview 8
  • 9. USECA Overview of 3G security architecture Application (IV) stratum User Application Provider Application (I) (I) Home (III) stratum/ TE USIM HE Serving (II) Stratum (I) (I) SN Transport (I) stratum MT AN Network access security (I) Application domain security (IV) Network domain security (II) Visibility and configurability of security (V) User domain security (III) IIR Fraud and Security Conference, March 2000 - 17 - 3G Security Overview USECA Enhanced authentication protocol for 3G UE/USIM VLR HLR/AuC RAND SQNhe Differences from the GSM K protocol are highlighted in bold 3G algorithms XRES CK IK AUTN Authentication Data Request RAND AUTN SQNms {RAND, XRES, CK, IK, AUTN } K RAND, AUTN 3G algorithms XRES CK IK AUTN check RES or Auth Fail or Re-syn Fail IIR Fraud and Security Conference, March 2000 - 18 - 3G Security Overview 9
  • 10. USECA Abbreviations • K: Subscriber authentication key • RAND: User challenge • (X)RES: (Expected) user response • CK: Encryption key • IK: Integrity key • AUTN: Authentication token for network authentication • SQNms: Sequence number information at user • SQNhe: Sequence number information at home system • {RAND, XRES, CK, IK, AUTN}: Security quintet • UE/USIM: User Equipment / UMTS SIM • VLR: Visitor Location Register • HLR/AuC: Home Location Register / Authentication Centre IIR Fraud and Security Conference, March 2000 - 19 - 3G Security Overview USECA USECA demonstrator • Multi-application smart card: GSM SIM + 3G USIM • Built on G&D SIM card • File system and card commands in accordance with 3GPP and ISO/IEC standards • Two authentication and key agreement schemes implemented on the USIM – 3GPP protocol (April 99 release) – ASPeCT protocol (public key cryptography) • USIM commands – INTERNAL AUTHENTICATE – Response: RES or Re-synch fail or Authentication fail • Management of sequence numbers – USIM stores information to allow it to decide whether to accept a sequence number and to perform re-synch IIR Fraud and Security Conference, March 2000 - 20 - 3G Security Overview 10
  • 11. USECA Summary • 3G security builds on the security of GSM • Maximises compatibility with GSM • Corrects real and perceived weaknesses in 2G systems • Integrity and enhanced authentication added to protect against false base station attacks • Encryption is enhanced (longer key, stronger algorithm) • Some protection of signalling between network nodes • Potential for secure global roaming • Feasibility of USIM component tested in a demonstrator IIR Fraud and Security Conference, March 2000 - 21 - 3G Security Overview USECA 3G Security Overview Questions and Answers Peter Howard Research and Standards Engineer Communications Security and Advanced Development Vodafone Limited peter.howard@vf.vodafone.co.uk IIR Fraud and Security Conference, March 2000 - 22 - 3G Security Overview 11

×