    gsmsso.ppt Presentation Transcript

    • Using GSM/UMTS for Single Sign-On. 28th October 2003, SympoTIC 2003. Andreas Pashalidis and Chris J. Mitchell
    • Agenda
        • Introduction to SSO.
        • Review of GSM security.
        • How to SSO using GSM.
        • Some Attacks.
        • Conclusions.
    • Why do we need SSO?
      • Current Situation:
      • Network users interact with multiple service providers.
    • Why do we need SSO?
      • Problems:
      • Usability, security, privacy…
    • What is SSO?
      • A mechanism that allows users to authenticate themselves to multiple service providers, using only one identity.
    • SSO – How?
      • Establish trust relationships, common security infrastructure (e.g. PKI), sign contractual agreements…
    • SSO – some examples
      • Kerberos
          • TTP = Kerberos server
          • 1) Authenticates user (password), issues “ticket”.
          • 2) User shows ticket to service provider.
      • Microsoft Passport
          • TTP = www.passport.com
          • 1) Authenticates user (password), installs encrypted cookie.
          • 2) Service Provider reads the cookie.
      • Liberty Alliance
          • TTP = “Identity Provider”
          • 1) Authenticates user, issues “assertion” (XML).
          • 2) Assertion is shown to service provider.
    • Agenda
        • Introduction to SSO.
        • Review of GSM security.
        • How to SSO using GSM.
        • Some Attacks.
        • Conclusions.
    • Review of GSM Security
    • Review of GSM Security: Encrypted under Kc. If the visited network can decrypt, then the SIM is authentic (IMSI matches Ki).
    • Agenda
        • Introduction to SSO.
        • Review of GSM security.
        • How to SSO using GSM.
        • Some Attacks.
        • Conclusions.
    • Architecture - before
    • Architecture – after (1)
    • Architecture – after (2)
    • Architecture: Service providers form trust relationships with the home network.
    • Architecture: Single Sign-On using SIM (IMSI)!
    • SSO Protocol
    • Agenda
        • Introduction to SSO.
        • Review of GSM security.
        • How to SSO using GSM.
        • Some Attacks.
        • Conclusions.
    • Replay Attack: An attacker could capture this message and replay it later in order to impersonate the user identified by the IMSI.
    • Replay Attack: At the time of replay another RAND will be selected by the service provider and the protocol will fail (diagram labels: "fresh!" and "old!"; the replay is rejected).
    • Reflection Attack: The service provider SP “A” is malicious. It wants to impersonate the user to SP “B”.
    • Reflection Attack X
    • Other Attacks
      • SIM theft / cloning
        • SIM PIN is optional!
        • Need two-factor user authentication.
      • Home network server is SPoF
        • Vulnerable to DoS attack.
        • It is assumed that it is well-protected.
      • Attacks on the SP-home network link
        • Link must be integrity-protected and encrypted.
        • SSL/TLS, VPN, IPSec, etc…
    • Agenda
        • Introduction to SSO.
        • Review of GSM security.
        • How to SSO using GSM.
        • Some Attacks.
        • Conclusions.
    • Advantages
      • no user interaction is required.
      • protocol can be repeated many times.
      • simple single logoff.
      • no sensitive information is sent.
      • no major computational overheads.
      • no changes in deployed GSM infrastructure.
      • fraud management extends to SSO.
      • can easily be extended to enable LBS.
    • Disadvantages
      • works only for GSM subscribers.
      • global identifier (IMSI).
      • might incur costs for service providers.
    • Extension for UMTS
    • Thanks! Questions?
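
The replay and reflection slides above, worked through as an added example (not code from the presentation or its authors): a service provider issues a fresh RAND for each attempt, so a captured response fails when replayed. Assumptions, since the protocol diagrams did not survive in this transcript: the user's response is a MAC under Kc over the service provider's identifier, HMAC-SHA256 stands in for the operator's A8 and MAC algorithms, and the IMSI, Ki and SP names are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed subscriber database: IMSI -> Ki (known only to SIM and home network).
SUBSCRIBERS = {"001010123456789": bytes.fromhex("00112233445566778899aabbccddeeff")}

def derive_kc(ki, rand):
    # Stand-in for the operator's A8 algorithm: 64-bit Kc from Ki and RAND.
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def sim_response(imsi, ki, rand, sp_id):
    # User side (assumed layout): MAC the SP identifier under the Kc for this RAND.
    mac = hmac.new(derive_kc(ki, rand), sp_id.encode(), hashlib.sha256).digest()
    return {"imsi": imsi, "mac": mac}

def home_network_verify(imsi, rand, sp_id, mac):
    # Home network: recompute with its own Ki; sp_id is taken from the
    # authenticated SP link, never from the user's message.
    ki = SUBSCRIBERS.get(imsi)
    if ki is None:
        return False
    expected = hmac.new(derive_kc(ki, rand), sp_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

class ServiceProvider:
    def __init__(self, sp_id):
        self.sp_id, self.pending = sp_id, None

    def challenge(self):
        self.pending = secrets.token_bytes(16)  # fresh 128-bit RAND per attempt
        return self.pending

    def login(self, msg):
        rand, self.pending = self.pending, None  # each RAND is single-use
        return rand is not None and home_network_verify(
            msg["imsi"], rand, self.sp_id, msg["mac"])

def demo():
    imsi, ki = next(iter(SUBSCRIBERS.items()))
    sp_a, sp_b = ServiceProvider("sp-a.example"), ServiceProvider("sp-b.example")
    captured = sim_response(imsi, ki, sp_a.challenge(), sp_a.sp_id)
    genuine = sp_a.login(captured)       # answers the RAND SP A just issued
    sp_a.challenge()                     # later attempt: SP A picks a new RAND
    replayed = sp_a.login(captured)      # old message checked against fresh RAND
    # SP A forwards SP B's RAND; the user still MACs the identifier "sp-a.example".
    relayed = sim_response(imsi, ki, sp_b.challenge(), sp_a.sp_id)
    reflected = sp_b.login(relayed)
    return genuine, replayed, reflected
```

`demo()` returns `(True, False, False)`: the genuine login succeeds, while the replayed and the relayed responses are rejected by the home network.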