Uploaded on

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
529
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
20
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Early 1980’s analog cellular phones became increasingly popular, especially in Northern Europe. Everybody had own system incompatible with others. Requirements for GSM: Good speech quality, ISDN compatibility , Support for international roaming, etc 1991 first commercial services (Finnish Radiolinja established world’s first GSM call)
  • With GSM no open design criteria in fashion Especially security development in secret undesirable.
  • Rough division: Mobile Station (MS) in control of user Base Station Subsystem (BSS) controls radio connection to MS Network Switching Subsystem (NSS) connects calls between mobile users and between mobile user and wired network user MSC = Mobile Switching Center main part of NSS communicates with BSS and other phone networks BSS communicates with MS and NSS MS the mobile terminal Invisible – Operations and Maintenance Center, oversees proper operation and setup of network – belongs to OSS (Operation Subsystem) Controlling and administration system for network operator Interface specified precisely, implementation free Notice the internal interfaces (to every link in picture also an interface specified). PLMN = Public Land Mobile Network PSTN = Public Switched Telephone Network
  • SIM provides personal mobility, SIM can be used with any phone. MSISDN one for speech one for data – IMSI connects service specific numbers. MSISDN defined by E.164 numbering plan. IMEI structure: Type Approval Code (TAC 6 bytes), Final Assembly Code (FAC 2 bytes, gives manufacturer), Serial number (6 bytes), Reserved 1 byte IMEI and IMSI are independent allowing personal mobility. Puhelinliittymä = telephone subscription
  • BTS contains radio transceiver that defines cell. (Actually possible that one BTS controls more than one cell). BTS and BSC communicate through cable or radio link. BSC manages the radio resources for one or more BTS’s.
  • MSC central to security. Mobility: location updating, handovers, call routing
  • Logically only one HLR, may be physically distributed. HLR + VLR (+ MSC) provide the call routing and roaming capabilities. VLR contains administrative information from HLR, necessary for call control and providing subscribed services. Each mobile currently located in the area controlled by VLR. EIR and AuC for security. Secret key in AuC base for all security.
  • TDMA = Time Division Multiple Access Time divided between users as time slots FDMA = Frequency Division Multiple Access Frequencies divided between users Behaviour of radio interface is not very relevant to our purposes. Fundamental unit of time is burst period. Burst contains at most 147 bits of data.
  • Why technically demanding? Simple downstream (from base station to phone) because then phones can pick their share from the stream. Upstream traffic: phone must know exactly when to transmit so that BTS can collect information and no collisions between data from two phones occur. Difficult because must know timing advance, i.e. delay of signal caused by distance of phone from BTS.
  • Describe briefly how call is actually established in GSM network. When call is made to a mobile phone it must be located at first. Only home network known in advance. Network must keep track of the locations of phones.
  • Subscriber’s operator identified by MSISDN Link between MSISDN <-> HLR. HLR stores the current SS7 (Signalling System 7) address of current VLR SS7 = signaling system between the entities of NSS After this mobile paged in the current area Call routing 1. Request phone’s HLR its location (location network VLR address) 2. HLR requests VLR location network MSC 3. HLR returns information to home network MSC 4. Call routed to location network MSC 5. MSC requests VLR phone status 6. MSC transmits connection request to BSS (to BSC that transmits to all its base stations)
  • In the beginning, subscriber must be identified. IMSI = International Mobile Subscriber Identity MCC according to ITU E.212, Finland 244 MNC operator, e.g. Sonera 91 perhaps changed with Telia, Radiolinja 05 TMSI enhances security
  • Authentication: purpose to ensure that subscriber is actually claimed one. Prevent attacker calling with somebody else charged. Also user authenticated by PIN to SIM. Challenge – response: subscriber proves the knowledge of Ki. Most networks use the same algorithm
  • RAND (the challenge) is also called nonce. Note key never transmitted (usual procedure by authentication) Note that authentication is one-sided. User can not be sure that he is communicating with appropriate base station. Progress of authentication (Ki subscriber’s key) AuC generates authentication triplet (RAND,SRES,Kc) -> MSC SRES = A3(RAND,Ki) RAND sent to mobile device Device computes SRES = A3(RAND,Ki) SRES sent back to MSC MSC checks response Kc air interface encryption key Usually several triplets generated at time, new ones requested when all used
  • Algorithms “secret”, were distributed by need-to-know basis to operators. Common algorithm, because otherwise roaming would be impossible. At least two versions. Attacker must know Kc and frame number Frame number (easily) obtainable
  • At time 228 bits cipher stream produced. First 114 upstream, 114 downsream.
  • SAGE — the "Security Algorithms Group of Experts“ Originally algorithms secret but leaked and are commonly known. COMP128 was German proposal for authentication algorithm
  • There is nothing stopping an operator using own algorithms as A3 and A8 as long as they satisfy ionterface. However almost invariably COMP128 used.
  • Implementation verified with a Pacific Bell Schlumberger SIM Found out some deviations (errors) in specification Implementation in C.
  • A5 was French proposal for cipher. Chosen because hardware implementation fast. Note: registers total only 64 bits One frame contains 114 bits upstream and downstream. Details given on site given.
  • Initialization: Kc mixed with frame number. First 64 cycles of rotations with Kc XORed bit by bit to registrers. Then 22 cycles with frame number. No majority rule here, registers always rotated. Then clock registers 100 times without output. Then produce bit stream 228 bits.
  • A5/2 original motivation: A5/1 too strong to be exported to Middle East. A5/2 used at least by 100 million customers. Note you can not know whether your phone uses A5/1 2 or 0! Nowadays with 3G A5/3 appeared, based on Kasumi algorithm. Can be used with GPRS and EDGE.
  • Fake base station builder must know signaling protocol of GSM. Talk later about algorithm weaknesses. IMEI code usage as security entity problematic IMEI transmitted in clear
  • Relied on physical security of operator networks. Lack of visibility may cause security problems even when user’s home operator is reliable
  • It should be mentioned that even with cryptanalysis of A5 it is far from easy to break air interface encryption in practice. Usually breaking requires guessing at least some plaintext related to encrypted text. Implementation in C also found on the web, finding left to audience as an exercise. Time and memory trade-off stored 2 pow32 internal states in advance and as many key streams 2 pow 32 bits of actual keystream observed -> collision. Complexity O(2 pow 40) -> Almost practical
  • Assumption: “The attacker is assumed to know some pseudo random bits generated by A5/1 in some of the frames. This is the standard assumption in the cryptanalysis of stream ciphers, and we do not consider in this paper the crucial issue of how one can obtain these bits in fielded GSM systems. For the sake of simplicity, we assume that the attacker has complete knowledge of the outputs of the A5/1 algorithm during some initial period of the conversation, and his goal is to find the key in order to decrypt the remaining part of the conversation. Since GSM telephones send a new frame every 4.6 milliseconds, each second of the conversation contains about 2 pow 8 frames.
  • For backtracking, a tree of states must be explored.
  • Idea by Ron Rivest: Keep on hard disk only special states that produce particular bit pattern alpha in the beginning. Access to disk only when such a prefix in data encountered.
  • There are some technical details interested students can read in the paper. From 71 it follows that collision occurs with probability 0.61. Probability 1 would require whole space of states stored.
  • Basic idea feed SIM with suitable authentication challenges and study responses. The attack exploits a lack of diffusion: there's a narrow ‘pipe’ inside COMP128. ISAAC in University of California, Berkeley.
  • Test attack time due to slowness of SIM. Note that described attack is more or less standard -> GSM designers did not do their homework From the inventors of attack: Note that there is a significant amount of literature on the design of cryptographic hash functions out of a FFT-like structure (as COMP128 is designed). “For instance, Serge Vaudenay's work on a theory of black-box cryptanalysis (as well as his other work, e.g. ``FFT-Hash II is not yet secure'') is more than sufficient to uncover this weakness in COMP128. In other words, our attack techniques are not particularly novel.” Criminal GSM –merchant can clone SIM –cards Encryption keys to eavesdrop certain subscriber can be revealed
  • Attack logically same as by physical contact.
  • Perhaps subscriber can detect faster draining of battery According to ISAAC over-the-air cloning must be considered a very real threat.
  • ISAAC: Esperts “Such a fake base station does not need to support the full GSM protocol, and it may be possible to build one with an investment of approximately $10k.” Other attacks e.g. Denial-of-Service
  • Describe cell change to understand how fake base station can hook up phones. Note that command to cell change comes from the network, phone just obeys.
  • GPRS = General Packet Radio Service GEA specified and tested in secret under ETSI. Since established, export control regulation changed -> GEA2 created.
  • UMTS = Universal Mobile Telecommunications System European 3G network system With a little effort possible to download specs from the site. ETSI finishes 3GPP specifications -> UMTS –standard
  • Note that there is also local authentication, not covered here. It is established by integrity protection functionality. This means that local authentication mechanism uses the integrity key established in the previous authentication and key agreement. Method was chosen for maximal compatibility with GSM. Authentication source: TTAE.3G-33.102 specification.

Transcript

  • 1. CELLULAR TELEPHONE NETWORK SECURITY Ari Vesanen, [email_address] Department of Information Processing Sciences, University of Oulu
  • 2. Contents
    • Introduction to GSM
    • GSM network structure and properties
    • GSM network security model
    • GSM network security threats
    • GPRS vs. GSM Security
    • UMTS vs. GSM Security
  • 3. Introduction to GSM
    • GSM world’s most widely used cellular phone system
      • About 1000 million users
      • First digital cellular phone standard
      • 1982 GSM (Groupe Special Mobile) –committee to create sta n dard
      • 1989 ETSI (European Telecommunications Standards Institute) responsible for development
      • 1990 first specifications frozen
  • 4.
    • GSM specifications developed secretly
      • No public evaluation according to scientific procedure
      • Kerckhoff’s principle violated: Algorithm strength should depend on secrecy of key and not on the secrecy of the algorithm itself
      • GSM specifications and encryption algorithms have leaked and been subject to criticism
  • 5. GSM Network Structure Mobile station MS SIM PHONE BTS BTS BSC BSC HLR AuC EIR VLR Base Station subsystem BSS Network Switching Subsystem NSS MSC PLMN, PSTN, ... A bis U m A
  • 6.
    • Mobile Station = phone + SIM
      • SIM = Subscriber Identity Module
      • User identity IMSI (International Mobile Subscriber Identity) on SIM
      • MSISDN (Mobile Subscriber International Integrated Services Digital Network) –number = Phone number on SIM
      • Phone identity IMEI (International Mobile Equipment Identity) in phone
        • Got from phone: type *#06#
  • 7.
    • BSS components: Base Transceiver Station (BTS) and Base Station Controller (BSC)
      • BTS controls radio communication with phone, encrypts calls and does decryption
      • BSC can control several BTS’s, tasks
        • Initialization of radio channel
        • Frequency hopping
        • Handover (transferring user between cells)
        • Traffic between BSS and MSC
  • 8.
    • NSS = MSC + SMSC + Registers (+ OSS)
    • Mobile Services Switching Cent re (MSC)
      • Main component of NSS
      • Works as link to wired network
      • Services for registering and authenticating mobile user
      • Services related to mobility
    • Short Message Service Cent re (SMSC)
      • Transmission of short messages
      • Needs routing information -> works in co-operation with HLR
  • 9.
    • HLR (Home Location Register)
      • Information on subscribers registered in this GSM network
      • Current location of users (location network’s VLR address)
      • One network can contain only one HLR
    • VLR (Visitor Location Register)
      • Relevant information on all active users in GSM network
    • AuC (Authentication Center)
      • User secret key information by IMSI
    • EIR (Equipment Identity Register)
      • Valid equipments by their IMEI code
  • 10. GSM Network Radio Interface
    • Band control: combined TDMA/FDMA
      • FDMA divides band into 200 kHz wide channels
        • GSM 900 – 124 channels
        • GSM 1800 – 374 channels
        • Channels grouped and distributed to operators
      • Carrier frequency into time frames according to TDMA model
      • TDMA frame = eight time intervals (slots)
        • Message in one slot = burst
      • Logical channel = one slot in one frame
  • 11.
    • Frequency hopping
      • 216,7 hops/second
      • After each burst frequency changed according to predefined pattern
      • Spreads disturbances
      • Makes eavesdropping more difficult
    • TDMA/FDMA model technically challenging
  • 12. Establishing Call
    • Updating location
      • Uses MSC, HLR and VLR
      • When MS moves to new location area or to new operator area -> must register for update
      • Location update message to new MSC/VLR –pair that registers new information and sends it to subscribers HLR. HLR sends the previous VLR information that subscriber left its area
  • 13. Phone’s home MSC Phone’s location MSC Incoming call HLR VLR BTS BSC MS Call Routing 1 6 2 3 4 5
  • 14. GSM Network Security Model
    • Identification of subscriber – IMSI
      • IMSI consists of three components:
      • Mobile Country Code (MCC)
      • Mobile Network Code (MNC)
      • Mobile Subscriber Identity Number (MSIN)
      • TMSI temporary identifier, used instead of IMSI in communication
        • Changed when location changed
        • Makes IMSI capturing and subscriber communication monitoring more difficult
  • 15.
    • Authentication
      • Actors: SIM card and (home network’s) Authentication Center (AuC)
      • Authenticates user to network (not vice versa)
      • Based on secret 128 –bit key Ki (resides only on SIM and in AuC)
      • Authentication always in home network!
        • Authentication algorithm may be changed, yet works in visited networks
    • Authentication method challenge-response
      • Algorithm A3
  • 16. MSC HLR AuC MS
    • Register to network
    6. Check SRES 4. RAND 5. SRES 2. Request authentication triplet 3. Authentication triplet (RAND,SRES,Kc) Authentication in GSM Network SRES = A3(RAND,Ki) Kc = Air interface encryption key
  • 17.
    • Air interface encryption
      • Encryption algorithm A5 must reside in phone, for all network operators common algorithm
      • Key generated using algorithm A8 – on SIM, hence may be operator specific
      • Uses (64 –bit) session key Kc = A8(RAND, Ki) and (22 –bit) TDMA frame number
      • A5 stream cipher, re-synchronized for each frame
      • Kc rarely updated (in connection with authentication)
      • Only air interface encrypted in GSM network, no encryption in operator network
        • Relied on physical security
  • 18. MS (A) BTS (B) Air Interface Encryption in GSM Network A 5 A 5 Kc (64 bit) Frame no (22 bit) Kc (64 bit) CIPHER A->B XOR XOR PLAIN A->B CIPHER B->A PLAIN B->A XOR XOR PLAIN B->A PLAIN A->B Frame no (22 bit) 114 bit 114 bit 114 bit 114 bit
  • 19. Algorithms
    • SAGE –group under ETSI designed algorithms
      • Composition secret
    • A3, Device authentication algorithm
      • Takes as parameters 128 –bit key Ki and random number RAND, computes 32 –bit fingerprint, SRES.
      • Almost without exception: COMP128 –algorithm used both as A3 and A8
      • COMP128 proposed in GSM specification
  • 20.
    • A8 air interface encryption key generation algorithm
      • Mostly COMP128
      • Takes as parameters 128 –bit key Ki and random number RAND, computes 64 –bit session key Kc
      • Kc used until MSC decides to re-authenticate device
    • Both A3 and A8 on SIM card
      • Operator can decide algorithms
      • Authentication done in subscriber’s home network -> local network does not have to know algorithms, yet authentication works also when user roams
  • 21.
    • COMP128 not public, found out using SIM cards and leaked specifications
      • http://www.iol.ie/~kooltek/a3a8.txt (Marc Briceno, Ian Goldberg and David Wagner) implementation
      • Published in April 1998
      • Produces both SRES and Kc in one run
        • Upper 32 bits SRES
        • Lowest 54 bits + 10 zeros Kc -> effectively Kc is 54 –bit!
  • 22. A5 – Air Interface Encryption Algorithm
    • Stream cipher algorithm
    • ” Original” European algorithm A5 leaked in general already in 1994, details in May 1999 (Briceno from GSM phone)
    • Initialized each sent frame
      • Key Kc used during call, but 22-bit frame number changed
  • 23.
    • European A5
      • Three feedback shift registers (LFSR = Linear Feedback Shift Register) of different lengths
      • Register lengths 19, 22 and 23 bits
      • Register values XORed and obtained bit XORed with plaintext bit
      • Registers initialized using session key Kc and frame number
      • After initialization 228 bits pseudo random bit stream formed: 114 first bits to encrypt frame from device to base station, rest 114 bits from base station to device
      • Cf. http://cryptome.org/a51-bsw.htm
  • 24. | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | XOR XOR XOR XOR R1 (19) R2 (22) R3 (23) A5 - cipher 18 13 C1 C2 21 22 C3 7 Rotation: Majority of C1,C2 and C3 0 0 0
  • 25.
    • Algorithm in many forms, original A5/1
      • Stronger than other A5/x ’s
      • A5/0 = No encryption
      • A5/2 decidedly weakened form (used e.g. in USA)
        • Published and analyzed in August 1999 (very weak)
      • Other A5/x ’s not become public (if any)
  • 26. GSM Network Security Defects
    • Network not authenticated
      • Faking base station principally possible
    • Algorithm weaknesses
      • Both A5 and COMP128 defective
    • Data integrity not checked
      • Makes alteration of data possible
  • 27.
    • Authentication data transmitted in clear both inside and between networks
      • Contains also air interface encryption key
    • Lack of visibility
      • User can not know whether encryption used or not
      • No confirmation to home network, whether serving network uses correctly authentication parameters when user roams
  • 28. Threats
    • Attacks against A5
      • A5 –implementation (Mike Roe): http://www.hackcanada.com/blackcrawl/cell/gsm/gsm_security.html
      • Breaking air interface encryption -> call eavesdropping
      • Many methods proposed for breaking A5:
      • Almost practical attack by Golic:
      • ” Cryptanalysis of Alleged A5 Stream Cipher” cf. http://downloads.securityfocus.com/library/a5-hack.html
        • Birthday attack type time/memory -optimization
  • 29.
      • Attack applicable in real time:
      • Biryukov, Shamir and Wagner (cf. http://cryptome.org/a51-bsw.htm): Real time break algorithm on PC against the strong algorithm A5/1
      • Basic assumption: Attacker knows or guesses part of bit stream produced by cipher
      • Basic idea: Great number of pre-computed states stored (possible, since feedback registers can only be in 2 64 different states)
        • Idea by Golic
  • 30.
      • Key can be deduced from initial state of each frame
      • A5/1 can be effectively implemented on PC (each register small enough to store their states in computer’s memory as three cyclic arrays)
      • A5/1 can be run backwards effectively
      • However, backward computation not entirely deterministic: one state can be arrived at from several states
  • 31.
      • Suitable 16-bit number alpha in advance chosen and only frames that include alpha considered
      • The number of register states producing alpha is about 2 48
      • States computed in advance and stored on disk
      • -> attack demands large amount of space
      • Three different attacks (all require at least two 73GB hard drives)
  • 32.
      • Estimate: First type attack (”biased birthday attack” –two versions), needs about 2 minutes of call data
        • Alpha appears sufficiently many times (ca. 71) in data
          • Direct collision with disk data and cipher data
        • Encryption broken in one second
      • Third type attack (”random subgraph attack”): call data 2 seconds
        • Performing attack takes minutes
      • No crypto attack carried out in practice (presumably)
  • 33.
    • SIM card cloning (by physical contact)
      • Subscriber’s secret key on SIM and security depends on this key -> if attacker obtains SIM security can be broken
      • An identical copy of SIM can be made
        • If card noticed missing, it can quickly be shut out of services
        • If copy and original simultaneously used, network notices and invalidates both
        • In principal cloned card can be used such that subscriber is billed
  • 34.
      • Revealing key Ki from SIM
        • Based on weakness of COMP128
        • Inventors: SDA (Smartcard Developer Association) and ISAAC (Internet Security, Applications, Authentication and Cryptography)
          • Cf. http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html
        • Flaw in algorithm -> information on Ki obtained by giving suitable random number inputs RAND as an argument to A8
          • Input RAND slightly changed and observed when identical answer obtained
          • 2 17.5 inputs enough to deduce Ki
  • 35.
        • Test attack: SIM in card reader attached to PC; PC generated 150 000 challenges, using which SIM computed SRES –response and session key Kc -> based on information Ki computed. Took ca. 8 hours
          • April 1998
        • Used attack technique standard -like
          • Cf. e.g. Serge Vaudenay ”FFT-Hash-II is not yet Collision-Free” http://lasecwww.epfl.ch/pub/lasec/doc/liens-92-17.A4.ps
  • 36.
    • SIM cloning over-the-air
      • ISAAC: According to experts possible in practice (faking base station)
        • Cf. http://www.isaac.cs.berkeley.edu/isaac/ gsm.html
      • Type 1: Attacker builds fake base station, covering subscriber’s valid BTS -> Subscriber’s SIM may be bombed with self-generated authentication requests
  • 37.
        • Estimate: Attack duration 8 – 13 hours, victim device has to be in operating area of fake base station (not necessarily continuously)
        • Subscriber can not detect attack
      • Enhanced version of COMP128 exists (COMP128-2)
        • Some operators use
        • Not (known to be) broken
      • Type 2: Attack from legal network
        • Client outside home network (e.g. abroad)
        • Attacker inside location network
  • 38.
    • Building fake (rogue) base station
      • Cost estimate 10 000 euros
      • Can capture IMSI
      • Gathered information might be used in networks with more loose authentication
      • Counter: Temporary identifier TMSI, changed when subscriber location updated
        • TMSI not entirely prevents IMSI capture since IMSI has to be sent once
      • Also other attacks (e.g. mentioned SIM –cloning)
  • 39.
    • Cell change in GSM network
      • Phone sends audibility reports to BTS
      • BTS adds own information and sends to BSC
      • BSC cell change request to MSC (if necessary)
      • MSC resource allocation request to new BSC, that waits for MS to arrive
      • New BSC send acknowledgement to MSC that sends cell change command to old BSC, this forwards it to MS
      • MS breaks connection to old base station and continues with new one
  • 40.
    • How to hook up a phone to my fake base station?
    • Item 5: Cell change command from the network -> Attacker may simulate command and force the phone to change
      • No authentication for base stations -> Device can not know communicating with a rogue base station
  • 41. GPRS vs. GSM Security
    • GPRS transition phase to 3G, supports packet switched traffic
      • Voice (circuit switched traffic) as in GSM
      • GPRS data uses multiple slots
    • Air interface encryption (differences with GSM)
      • New A5 –algorithm GEA
        • Yet secret
      • GPRS traffic encryption extends further (base stations cannot cope with traffic using several slots)
  • 42.
    • Authentication (differences with GSM)
      • Separate authentication for circuit switched and packet switched traffic
    • Packet switched backbone has own security features
      • Not considered here
  • 43.
    • UMTS design applies open standardization
    • Specs: 3GPP ( 3rd Generation Partnership Project)
      • WWW –site http://www.3gpp.org, contains specifications etc.
      • Cf. TTAE.3G-33.102 ”3G Security; Security Architecture”
      • UMTS network constructed on (and parallel to) existing GSM networks -> Security model constructed on GSM security model
    UMTS vs. GSM Security
  • 44.
    • Authentication method as in GSM
      • Based on a secret key K, residing only on USIM and in home network AuC
    • Comparison: in GSM network authentication vectors triplets
    • (RAND, SRES ,Kc)
    • in UMTS network quintets
    • (RAND, XRES, CK, IK, AUTN)
      • IK integrity key for data integrity
      • AUTN authentication token for network authentication
  • 45.
    • Improvements to GSM security
      • Encryption algorithms use longer keys
      • Network also authenticated
      • Signaling data authenticated and integrity checked
    • UMTS GSM –compatible
      • GSM users have GSM context
      • GSM users have practically GSM security in UMTS network