1 Security in Wide Area Networks
“Confound a telephone, anyway. It is the very demon for conveying similarities of sound
that are miracles of divergence from similarity of sense.” – A Connecticut Yankee in
King Arthur’s Court, Mark Twain.
Wireless Wide Area Networks (WWANs) are very large scale wireless networks. 802.16
provided coverage in a metropolitan area, say 10 miles, to a fixed location. A WWAN
must provide continuous coverage across a much larger area, such as an entire state or
country. And nodes in a WWAN can move and must remain connected. Currently, the
only technology that provides this type of coverage is satellite and cell phones. Though
satellite technology provides truly global coverage, the current cost makes it impractical
for common use. Cell phone technology, on the other hand, is practically ubiquitous and
much more affordable. Therefore, we will focus on cell-based WWANs for this chapter.
1.1 Basic idea
Low power cells, shared frequencies, use spread spectrum technology to allow for many
multiple users per channel per cell. High redundancy allows voice quality to be
maintained. Handoffs from one cell to another occur as the mobile unit passes out of one
cell’s coverage area and into another’s. (Actually, multiple base stations will be received
at once, and the strongest will be used.) While there are many locations with poor or no
coverage, cellular wireless networks provide the closest approximation to ubiquitous
connectivity this side of satellite phones. And in large metropolitan areas, cell coverage
is ubiquitous, including base stations located in underground public transportation
stations, so connectivity is maintained even on a moving train.
Initially, cellular networks just carried voice. The next step was to use these networks to
carry data, say to provide Internet connectivity through the cell phone. The first
incarnation was cellular modems, which converted a digital signal to an analog signal
(modulating a carrier) which converted it to a digital signal, sent it across the air, then
through the wires, then converted it to an analog signal into the modem, and then back to
a digital signal. This connects to some sort of dial-up which, presumably, connects to the
Internet. Obviously, the results are suboptimal as performance is lost with each
[Make a figure to show the number of hops and conversions.]
A more direct approach now available takes the digital information from the computer
and transmits it directly over the air to the cellular provider. The cellular provider
functions directly as an ISP and provides Internet connectivity. The cellular provider
gives the device connecting to the phone a direct IP number.
[Make a figure to show the more direct approach.]
The United States uses three wireless network standards, TDMA, CDMA, and GSM.
Time Domain Multiple Access (TDMA) uses differential quadrature phase shift keying
(DQPSK) for time multiplexing information to archive a data rate of 48.6 Kbps. Code
division multiple access (CDMA) is a spread spectrum technique, similar to direct
sequence spread spectrum (DSSS) used in 802.11b [reference CDMA].
CMDA is a spread spectrum technique. The transmitter uses a code, shared by both end-
points, to send each bit of data across a large frequency range. The receiver uses the code
to reconstruct the original data from the spread spectrum signal. This frequency
spreading technique makes it very difficult to intercept the signal unless the code is
known. While CDMA had been originally developed for military applications, its
commercial goal was its larger capacity over TDMA-based systems, rather than security.
CDMA’s relatively strong security property comes from the low probability of
interception (LPI) of the data, as compared to GSM’s weak(er) encryption of its data
Global Systems for Mobile communication (GSM) is one type of cellular phone network
and has security mechanisms that provide authentication and encryption. GSM is based
on TDMA, thus intercepting the signals is much easier than in CDMA. Therefore, GSM
has separate security mechanisms to encrypt the data it transmits. GSM security
mechanisms are based on a shared secret between the Home Location Register (HLR)
and the Subscriber Identity Module (SIM); in other words, the security module in the
phone and the central station.
The shared secret, Ki, is a 128 bit key. Authentication is performed when the HLS or
base station sends a 128 bit random number called a challenge to the mobile station (MS),
i.e., the phone. The MS calculates the response, a 32 bit signed response (SRES), by
using the A3 algorithm feeding the challenge and the shared secret as input. The base
station then compares the SRES received from the MS. Figure [figure below] shows the
[insert figure of base station and phone; BS sends challenge,
phone calculates SRES = A5(challenge, Ki), sends SRES]
The MS and base station use a 64-bit session key, Kc, for data encryption of the over-the-
air channel. They calculate Kc in the same way as SRES, by passing Ki and a 128 bit
random number into a hashing algorithm, but in the case of the encryption key, they use
the A8 algorithm instead of the A3 algorithm.
The session key is not used to directly encrypt the data. Instead, it is used to generate the
keystream that encrypts the data. In Chapter [cross reference appropriate place, 25??],
we showed that a basic stream encryption algorithm works by XORing the datastream
with a keystream generated by a pseudo-random number generator (PRNG) provided an
initial seed. In this case, the seed is Kc and the PRNG is the A5 algorithm. Actually, the
seed is Kc and the frame number (which is 22 bits).
[include a figure showing the encryption]
The frame numbers are generated implicitly, and can be guessed. Thus, if an adversary
determines Kc, the traffic can be decrypted. The mobile station can authenticate itself at
the beginning of each call, but this is not generally done in practice. Thus, a mobile
station can retain the same Kc for days. In addition, once the frames are received by the
base station (base transceiver station, BTS), it decrypts the data and sends it in plaintext
to the backbone network.
1.4 Problems with GSM Security
GSM security has several shortcomings, including session life, weaknesses in the
COMP128 algorithm, and encryption used only between the MH and BS. We discuss
these limitations and others below.
The first problem is the long life of authenticated sessions. While the mobile station may
be requested to re-authenticated at the beginning of each call, typically this is not done.
This means that the same session key, Kc, may be used for days. The longer a session
key is used, the weaker it becomes.
Weak Encryption Algorithm:
Traffic is encrypted via the A5 algorithm only over-the-air, between the mobile and base
stations. The data is decrypted when it arrives at the base station and is sent from the
base station to the operator’s backbone network in plaintext.
Almost all GSM implementations use the COMP128 algorithm for both A3 and A8
algorithms. The session key, Kc, generated by COMP128, is actually 54 bits, with ten
zero-bits added to pad it to 64 bits. This, obviously, reduces the key space. Even non-
COMP128 algorithms only use 54 bits for Kc.
While real-time interception and decryption of over-the-air transmissions is (currently
thought of to be) not possible, there are other attacks to GSM security. In [reference
GSM Interception], Pesonen calculates that a brute force attack on a 254 bit key using a
600 MHz Pentium III would take about 250 hours using one chip. “Modern” computers
are easily 5 times faster, dropping the time to 50 hours. He also mentions a technique to
reduce the time by one third, thus, reducing the time to, roughly, 30 hours. By using
multiple CPUs and distributed computing, the time can be further reduced. Therefore,
what was, a few years ago, infeasible, quickly becomes very possible and affordable.
Additional approaches, such as divide-and-conquer, can be used to further reduce the
search space. [Reference WirelessSecurityA5] describes the cryptanalysis of the A5
algorithm. In [Golic], Golic published an attack on the A5 algorithm with a complexity
of O(240), as well as time and space tradeoffs to further reduce the computation time.
Encryption Only Between Mobile Host and Base Station:
Gaining access to the signaling network allows an eavesdropper to listen to unencrypted
data traffic, as well as all of the authentication data (RAND, SRES, and Kc). Networks
commonly use microwave or satellite links, for which eavesdropping equipment does
Limits to the Secret Key:
If the secret key, Ki, is compromised by an attacker, the entire security scheme is
compromised. While the GSM network can detect if two phones with the same IDs are
operating simultaneous and close the account, they network cannot detect a passive
eavesdropper silently decrypting the data. In addition, it is possible to retrieve Ki from a
SIM due to a flaw in COMP128. By sending selected challenges, the COMP128
algorithm responds in a way that reveals information about Ki. This attack takes hours to
complete and requires physical access to the SIM.
Two variants of the A5 algorithm exist: A5/1 and A5/2, with the former more secure than
the latter. In 2000, approximately 230 customers in Europe and elsewhere were using
these two algorithms. Biryukov et al propose two attacks on A5/1, which can be
performed in real time on a PC, after a one-time data initialization step is completed. The
first attack requires eavesdropping on the output of the algorithm for the first two minutes
of the conversation and computes the key in approximately one second. The second
attack requires two seconds of the conversation and computes the key in several minutes
The main problem with GSM security is that it relied upon the secrecy of the A5
algorithm which was not publicly scrutinized. Once the algorithm leaked out in the mid
to late 1990s, serious flaws were discovered. This is an example of the fallacy of
“security by obscurity.”
There are several other GSM problems. No data integrity algorithm is used, therefore
data could be modified and the receiver could not detect it. Authentication is only
performed in one direction, the user to the network. No mechanism exists to identify the
network to the user. Also, there is no indication to the user that encryption is being used.
1.5 The four generations of wireless: 1G – 4G
The first generation of wireless wide area communications, referred to as 1G, present in
the 1970s and 1980s, used analog signals to transmit voice signals only. The second
generation, 2G, started in the 1990s, used digital signals for voice and data. GSM and
TDMA are 2G. 2.5G represents improvements in the technologies between 2G and 3G.
The third generation, 3G, support higher data rates, from 144Kbps to 2Mbps and beyond,
and are typically packet-switched using CDMA. 3G examples include EDGE, GPRS,
and W-CDMA. The fourth generation, 4G, will provide much higher data rates, in excess
of 20Mbps, and are expected to be deployed around 2006-2010 [reference:
http://www.netmotionwireless.com/resource/glossary.asp]. At this point, it is still unclear
what will be in 4G vs. 3G, but mostly likely, 4G will be integrated with WPANs and
3G security is based on GSM [reference MyagmarGupta, 3GSecurity] but is designed to
fix their shortcomings. The security mechanisms of 3G provide Authentication,
Confidentiality, and Encryption.
GSM authentication protects from unauthorized service access and is based on the A3
algorithm which is known to have limitations. Encryption is used to protect both the user
data and the signaling data. The A8 and A5 algorithms are used, but are not strong
In the Authentication and Key Agreement (AKA) phase, the user and network
authenticate each other and agree on a cipher key (CK) and integrity key (IK). The keys
expire after a specified time limit.
Confidentiality is provided by identifying users with a permanent identity, called the
International Mobile Subscriber Identity (IMSI), and a temporary Mobile Subscriber
Identity (TMSI). The transmission of the IMSI is not protected; it is sent as plaintext.
Therefore, a more secure mechanism is needed. [include the figure from page 12 of
Myagmar and Gupta]
The user and network agree on the cipher key and algorithm during the AKA phase.
A Subscriber Identity Module (SIM) is a removable hardware device that provides
security, is managed by network operators, and is independent of the terminal device in
which it resides. In addition, the phones indicated when encryption is being used and
what level is available (2G or 3G).
3GPP Security provides some changes and enhancements of GSM security. Security
mechanisms include sequence numbers to defeat false base station attacks. Key lengths
were increased so stronger algorithms can be used for encryption and integrity. New
mechanisms provide security support within and between networks. Links between the
base station and switch are now protected, as security is based within the switch.
Integrity mechanisms for the terminal identity, the International Mobile Equipment
Identity (IMEI), were designed into the system from the beginning, rather than added on
as an afterthought.
The authentication algorithm is not defined, but guidance is given as to what to use.
When roaming, only the level of protection supported by the smart card is used, so a
GSM card will not be protected against the false base station attack when using a 3GPP
network. [reference 3GSecurity]
The International Mobile Equipment Identifier (IMEI), which identifies the phone, is not
protected either; but it is not a security feature.
Users can unwittingly “camp” on a false base station and will no longer receive paging
signals from the serving network (SN).
If encryption is disabled, an intruder can hijack incoming and outgoing calls by posing as
a man-in-the-middle and then taking over once the call is connected.
Attacker capabilities: In order to perform an attack, an attacker must have one or more
of the following capabilities: eavesdropping, impersonation of a user, impersonation of a
network, man-in-the-middle, compromising authentication vectors in the network. The
capabilities are listed in increasing order of effort to obtain and complexity. Therefore, a
given capability implies possessing all capabilities listed above it. We describe each
capability in more detail below.
Eavesdropping: This capability allows the intruder to receive signaling, data, and control
information associated with other users. This requires a modified mobile station.
Impersonation of a user: This capability allows the intruder to send signaling, control,
and data information such that it appears to originate from a different user. This requires
a modified mobile station.
Impersonation of a network: This capability allows the intruder to send signaling, control,
and data information such that it appears to originate from a different network or system
component. This requires a modified base station.
Man-in-the-middle: This capability allows the intruder to place himself between the
target user and the network. Being a man-in-the-middle allows the intruder to eavesdrop,
modify, delete, reorder, replay, and fake signaling, control, and data messages between
the user and the network. This requires a modified base station in conjunction with a
modified mobile station.
Compromising authentication vectors in the network: This capability allows an intruder
to possess a “compromised authentication vector” including challenge/response pairs, and
cipher and integrity keys. The intruder can obtain this information by compromising
network nodes or eavesdropping on signaling messages on network links.
In addition, there are several types of Denial of Service (DoS) attacks. An attacker can
send a fake (spoofed) user de-registration request, rendering the victim unreachable. An
attacker can fake a location update request which causes the network to register the
victim in a new (wrong) location, causing the victim to be unreachable since they will be
paged in the wrong location. An attacker with a modified base station can entice a user to
“camp” on (connect to) the false base station, rendering the victim out of reach of paging
signals of the real network.
2G data rates are on the order of 9.6Kbps to 28.8Kbps. 3G currently goes up to 140Kbps.
Within a few years, it should support speeds in the megabit per second range, with plans
to support speeds in the tens, if not hundreds, of Mbps. While the envisioned rates are,
relatively speaking, “fast,” they will always be orders of magnitude slower than other
network types. The 802 wireless networks (802.11, 802.15, 802.16) support speeds from
50 – 200 Mbps now. Ethernet (802.3) supports gigabit and faster now. There will
always be tradeoffs to consider when using the cellular networks. The speed will be
slower than other types of wireless, or wired, networks, but the mobility and
ubiquitousness coverage of the network will support highly mobile applications and
In this section, we presented the security features of, and the threats to, wireless wide area
networks based on cellular technology, specifically GSM and 3G. 3G is based on
CDMA, which has a low probability of interception that provides data security. 3G
security extends features in GSM and has identified weaknesses in GSM and attempts to
address them. As part of this, 3G has identified the major threats it faces in terms of
Cellular wireless wide area networks are rapidly evolving, with bandwidth moving from
Kbps to Mbps. Although these networks have limitations, they offer continuous wide
area coverage across large areas. While total global coverage is unlikely for terrestrial-
based technology, 3G, and 4G in the next few years, will play a major role in providing
the infrastructure for ubiquitous, mobile computing.