SECURITY MODEL EVALUATION OF 3G WIRELESS NETWORKS

MERCY J, B TECH-II, IT, B S ABDUR RAHMAN UNIVERSITY, smartgalmercy@yahoo.com
ABINAYA K, B TECH-II, IT, B S ABDUR RAHMAN UNIVERSITY, firstname.lastname@example.org

ABSTRACT

Second generation mobile phone networks (2G) are currently the most widely used wireless telephone networks in the world. While being an improvement over earlier analog systems, they have known problems: active attacks, authentication, encryption, channel hijack, inflexibility. Third generation mobile phone standards (3G) have been designed to address those issues and provide a better security model. To provide background, this paper presents an overview of security in 3G networks and points out the known problems. Then, the security features of 3G systems are presented and discussed. Finally, the 3G security model is evaluated according to the availability-confidentiality-integrity framework.

Keywords – 3G security, mobile phone networks, UMTS, CDMA2000, GSM, cdmaOne

1. INTRODUCTION

A recent (Q1 2007) market research report by GSMA – a global trade organization of 700 mobile phone operators and 200 manufacturers and vendors from 218 countries – reported 2.8 billion worldwide subscribers. Wireless telephony is part of daily life for almost every third human, and the security of information exchanged through it has a direct impact on our personal security as well as the security of society as a whole – mobile phone security is an important issue. This paper presents the results of research on security in mobile telephone networks with focus on the newest technologies/standards in use today: GSM, cdmaOne, UMTS, and CDMA2000, together amounting to over 90% of worldwide mobile phone coverage (GSMA data). The most recent of them – UMTS and CDMA2000 – belong to a set of wireless network standards known as 3G, third generation mobile telecommunication standards, which replaced or are replacing the older 2G networks. These two generations of systems can be distinguished by their throughput capabilities: 2G networks provide throughput between 9.6 and 144 kb/s, while 3G networks provide between 384 kb/s and 20 Mb/s. 3G networks are more than just phone networks – the standards reflect the need for ubiquitous computing and link telephony, multimedia, high-speed wide area networking, the Internet, and the hardware and software to support it. The technologies involved evolved over the past two decades and, while maintaining the required compatibility, had to assimilate systems which were designed without strong security considerations and are vulnerable to many types of attacks. How vulnerable are 3G systems? This is the main question of this research. To answer it, the first three generations of mobile phone networks are surveyed with focus on security. The corresponding security-related protocols and their known weaknesses are reviewed and discussed. The merit of this paper is two-fold: first, it presents a survey of modern mobile phone technology from a security perspective; second, it evaluates 3G systems' security within the availability-confidentiality-integrity framework. This paper is organized as follows: first, related work is described; then the background section gives an overview of earlier generations of mobile phone technologies; after that, the section on 3G systems looks at the UMTS and CDMA2000 standards. The paper concludes with a discussion of the security model of 3G systems. Due to the complexity of 3G internetworking the following is a brief survey of 3G security – a comprehensive analysis of the subject is beyond the scope of this paper.

2. RELATED WORK

A significant amount of research was and continues to be devoted to mobile phone systems' security: integral components as well as complete systems are described and analyzed. In addition to component specifications, very relevant to this paper are the cryptanalyses of various algorithms used in mobile phone systems and the overviews of different mobile phone systems. This work takes a systems overview
approach; along the same line, perhaps the best security overview of a mobile phone system is "GSM Interception" by Lauri Pesonen; other useful sources are the sections on security in such books as "GSM, cdmaOne and 3G Systems" by Steele, Lee, and Gould, and "WCDMA and cdma2000 for 3G Mobile Networks" by Karim and Sarraf. A work similar to this, but with focus on the CDMA2000 standard, is "State-of-the-art on CDMA2000 Security Support" by Luuk Weltevreden; other works that touch on the same topic of 3G security are "UMTS Security" by Boman, Horn, Howard, and Niemi, focusing on UMTS; "Evaluation of UMTS security architecture and services" by Bais, Penzhorn, and Palensky, giving an overview along with a look at how some of the potential threats are addressed; and "Access Security in CDMA2000, Including a Comparison with UMTS Access Security" by Koien and Rose, which concentrates on authentication, encryption and integrity checking in 3G systems.

3. BACKGROUND

This section provides an overview of the architecture and security aspects of the mobile phone systems that preceded 3G.

3.1 Mobile Phone Network Architecture

Despite the existence of many different types of mobile phone networks, they all share some basic components necessary to provide elementary functionality. This subsection describes these components and introduces the associated terminology. The first mobile phone network component that a user comes in contact with is the mobile phone, typically referred to as the mobile station (MS). The MS communicates with the rest of the network via a radio link to the nearest base station (BS), essentially an antenna with the electronics and power equipment to support it; the area covered by a single BS is referred to as a cell. The link between MS and BS consists of one or more traffic channels and one or more signaling channels. Traffic channels carry subscriber-generated data, while signaling channels are used to transmit communication control data such as MS location information, paging data to the MS in case of an incoming call, network access-related data in case of call origination, and other network- and operator-dependent information. BSs in turn are connected to mobile switching centers (MSCs), usually via dedicated non-radio links. MSCs, similarly to switches in land-line telephone networks, are mainly concerned with routing data. MSs, BSs, and MSCs are essentially all that is necessary to provide elementary mobile phone network functionality; however, a few additional elements are normally used to support more than just basic features. Home location registers (HLRs) store information about subscribers – at the very least the type of service supported and the current location of each user. When a user enters a cell this information is copied to the respective visitor location register (VLR) for efficiency purposes. Each VLR may control one or more cells. When a subscriber leaves the area controlled by a VLR their information is moved to the new VLR. When a cellular network supports security features, the necessary information is stored in the authentication center (AuC). Additionally, an equipment identity register (EIR) may be used to track MSs. Using the terminology presented above it is possible to look at early mobile phone systems' security.

3.2 1G Analog Networks

The first cellular telephone systems available on the market were deployed in the early 1980s. Before then radio telephony had been used for communication by governments and militaries since the 1940s; however, it was the invention of efficient handover mechanisms, which allowed moving from one cell to another, that enabled mobile phone technology to be introduced to consumers. The MSs in 1G systems transmitted radio signals in the clear using FM over UHF. The only security feature was authentication of an MS when initiating roaming – using the network of a given provider – by checking the MS identification number and the subscriber identification number against the HLR. The security belief was that the price and complexity of the equipment needed to receive and create such transmissions was prohibitive for an intruder. This assumption was wrong, and resulted in extensive exploits of 1G systems. Two major issues were eavesdropping on conversations and phone cloning. Eavesdropping could be accomplished by
simply picking up the FM signals using a radio scanner tuned to UHF; phone cloning involved eavesdropping on the authentication exchange between MS and the network and then reproducing that exchange from another MS to gain fraudulent access to the network.

3.3 2G Digital Networks – GSM

By the mid-1980s the deployed disparate 1G networks in Europe began approaching their capacity limits and an international coordinating body – Groupe Special Mobile (GSM) – was created to develop a new unified mobile phone system specification. (After the standard was developed, Groupe Special Mobile was merged into the European Telecommunications Standards Institute (ETSI) and GSM was renamed 'Global System for Mobile Communications'.) It was required to support a greater number of users, similar or lower operating costs, similar or better speech quality, and be able to coexist with older analog systems. To achieve these goals the GSM committee selected TDMA over UHF, a digital multiplexing technique which allowed a more economic and efficient use of UHF frequencies. Based on previous experience with 1G networks, the security-related design goals of GSM were prevention of phone cloning and making mobile phone conversations no more vulnerable to eavesdropping than fixed phones. The standard addressed these stipulations by providing authentication, confidentiality, and anonymity features. The next subsection describes the network elements that were added in the GSM system to support the above security features, and the subsection following it describes these features and their security in detail.

3.3.1 GSM Network Architecture

Perhaps the single most important GSM innovation is the subscriber identity module (SIM) – a removable smart card which contains the identification and security-related information the subscriber needs to use the network. Typically users are identified by their phone number, and the use of SIMs enables decoupling of subscriber identities from the MSs and allows switching MSs while keeping the number. On the network side, the AuC provides authentication and encryption functions. AuC and SIMs are complementary units in the security sense – their authentication and encryption algorithms and associated keys ultimately have to match for successful communication.

3.3.2 GSM Security Features

GSM networks provide a security enhancement over 1G by authenticating users and supporting confidentiality and anonymity features. However, the related algorithms initially weren't open for community review, which caused some serious flaws to be overlooked. Eventually the GSM security algorithms leaked and their flaws were discovered. The GSM security model is based on a 128-bit shared secret Ki between the subscriber's SIM and the network – if that key is compromised, the entire account is compromised. When an MS first enters the coverage area of the network, the HLR and AuC provide the appropriate MSC with five triplets, each containing a 128-bit RAND, a 32-bit SRES, and a 64-bit Kc. RAND is a random challenge used for authentication, SRES (signed response) is the expected response to that challenge based on RAND and the subscriber's Ki, and Kc is the session key, also based on RAND and Ki. Each triplet is used for one authentication, and after all the triplets have been used up, the MSC is provided with another set of five. Authentication is the first line of defense in GSM: it allows subscribers to use the network and establishes the encryption, if any. Authentication in GSM proceeds as follows: the MS receives the RAND from the MSC, calculates the SRES with the A3 algorithm using RAND and Ki, and sends it back to the MSC. If the SRES matches the one stored at the MSC, the authentication succeeds and the corresponding Kc is used to encrypt further over-the-air communications between MS and BS/MSC. According to the GSM recommendation, most network operators use the COMP128 algorithm for the A3 implementation. COMP128 produces a 128-bit output given two 128-bit inputs (in the case of A3 those are Ki and RAND); SRES is the first 32 bits of that output.
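The triplet-based challenge-response just described, as an added example that is not part of the original paper: a Go simulation of the AuC, MSC and SIM roles in which the AuC mints five (RAND, SRES, Kc) triplets per request, the MSC consumes one triplet per authentication and refills from the AuC when they run out, and the SIM answers a RAND with SRES while keeping Kc on the MS side for the radio link. The A3/A8 function is an assumption: HMAC-SHA256 keyed with Ki stands in for COMP128, with the first 32 bits of its output taken as SRES and the next 64 bits as Kc, mirroring how SRES is cut from COMP128's output. The Ki, the test IMSI and the second "wrong" Ki are constructed values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Triplet is one GSM authentication vector handed from the HLR/AuC
// to the MSC: a 128-bit RAND, a 32-bit SRES and a 64-bit Kc.
type Triplet struct {
	RAND []byte // 16 bytes
	SRES []byte // 4 bytes
	Kc   []byte // 8 bytes
}

// a3a8 stands in for the operator's A3/A8 (COMP128 in the text). It is NOT the
// real algorithm (an assumption of this example): HMAC-SHA256 keyed with Ki over
// RAND, of which the first 32 bits serve as SRES and the next 64 bits as Kc.
func a3a8(ki, rnd []byte) (sres, kc []byte) {
	mac := hmac.New(sha256.New, ki)
	mac.Write(rnd)
	out := mac.Sum(nil)
	return out[:4], out[4:12]
}

// AuC holds the shared secret Ki for every IMSI and mints triplets.
type AuC struct{ keys map[string][]byte }

// Triplets returns n fresh vectors for one subscriber, each with a new RAND.
func (a *AuC) Triplets(imsi string, n int) ([]Triplet, error) {
	ki, ok := a.keys[imsi]
	if !ok {
		return nil, errors.New("unknown subscriber")
	}
	ts := make([]Triplet, n)
	for i := range ts {
		rnd := make([]byte, 16)
		if _, err := rand.Read(rnd); err != nil {
			return nil, err
		}
		sres, kc := a3a8(ki, rnd)
		ts[i] = Triplet{RAND: rnd, SRES: sres, Kc: kc}
	}
	return ts, nil
}

// SIM holds Ki and answers challenges. Ki never leaves the card: only SRES goes
// back over the air, and Kc stays on the MS side for encrypting the link.
type SIM struct{ ki, Kc []byte }

func (s *SIM) Respond(rnd []byte) []byte {
	sres, kc := a3a8(s.ki, rnd)
	s.Kc = kc
	return sres
}

// MSC caches triplets per IMSI and consumes each exactly once.
type MSC struct {
	auc   *AuC
	cache map[string][]Triplet
}

// Authenticate runs one challenge-response: take the next unused triplet, send
// its RAND to the SIM, compare the SRES it returns with the expected one and,
// on success, hand back Kc. An empty cache is refilled with five more vectors.
func (m *MSC) Authenticate(imsi string, sim *SIM) ([]byte, error) {
	if len(m.cache[imsi]) == 0 {
		ts, err := m.auc.Triplets(imsi, 5)
		if err != nil {
			return nil, err
		}
		m.cache[imsi] = ts
	}
	t := m.cache[imsi][0]
	m.cache[imsi] = m.cache[imsi][1:] // consumed: a RAND is never reused
	if !hmac.Equal(sim.Respond(t.RAND), t.SRES) {
		return nil, errors.New("authentication failed: SRES mismatch")
	}
	return t.Kc, nil
}

func main() {
	ki := []byte("0123456789abcdef") // constructed 128-bit Ki shared by SIM and AuC
	imsi := "001010123456789"        // constructed test IMSI
	msc := &MSC{auc: &AuC{keys: map[string][]byte{imsi: ki}}, cache: map[string][]Triplet{}}
	sim := &SIM{ki: ki}
	kc, err := msc.Authenticate(imsi, sim)
	fmt.Println("genuine SIM accepted:", err == nil, "Kc agrees on both sides:", bytes.Equal(kc, sim.Kc))
	_, err = msc.Authenticate(imsi, &SIM{ki: []byte("fedcba9876543210")})
	fmt.Println("SIM with a different Ki:", err)
}
```

Two details carry the security of the exchange: the constant-time `hmac.Equal` comparison of SRES, and the single-use triplets, so the same RAND is never issued twice. A SIM with a different Ki produces a different SRES and is rejected. Note also what the exchange does not do: the SIM answers any RAND it is given, which is the property the chosen-challenge attack on COMP128 described next relies on, so the strength of the scheme rests entirely on A3 keeping Ki hidden.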
In 1998 ISAAC researchers demonstrated that COMP128 can
be broken with a chosen-challenge attack: repeatedly querying the SIM about 150,000 times with specially chosen RANDs and analyzing the resulting SRES outputs reveals Ki. Querying the SIM can be accomplished using an off-the-shelf smart card reader in about 8 hours, as well as over the air in a longer, but not prohibitively long, period of time (up to 13 hours due to radio communication latency). Gaining knowledge of Ki effectively means cloning a SIM and allows the attacker to eavesdrop on conversations as well as make calls billed to the SIM's owner. Although GSM has a mechanism that detects duplicate active SIMs, thus alleviating the fraudulent billing problem, eavesdropping is still an open issue. However, an attacker may not even need to break any algorithms to eavesdrop on a conversation: since only the radio link between MS and BS is encrypted, a wiretap on the operator's network past the BS gives instant access to all data going through. One last point to make about GSM security is the fact that its anonymity feature is somewhat inadequate. In an effort to prevent anyone knowing the subscriber's identity (essentially their phone number) from eavesdropping on that subscriber and determining their location, temporary identities are used during communication between an MS and the network. A temporary identity is assigned to each MS when it is authenticated. However, the network can request the MS to send the real identity of its user at any time, and that information is then transferred in the clear over the operator's network. Additionally, a rogue base station can exploit that part of the protocol to retrieve the real identity of a user. A more adequate anonymity provision would be never to send the true identity of a subscriber over an unencrypted or unauthenticated channel. This section provided an overview of GSM, the system currently used by 80% of worldwide mobile phone users (Q1 2007 GSMA data), and pointed out some of its known security problems. The next section surveys another widely deployed 2G system – cdmaOne.

4.1 3G Mobile Telecommunication Networks – UMTS, CDMA2000

The UMTS and CDMA2000 specifications are developed by separate, but collaborating, organizations – the Third Generation Partnership Project (3GPP) and the Third Generation Partnership Project 2 (3GPP2) respectively. The standards developed by 3GPP and 3GPP2 share a lot in common – that is not surprising given the fact that the systems have to coexist and cooperate to provide roaming services. A major shift from 2G is the use of CDMA multiplexing across both systems. That means that the two systems share similar CDMA built-in physical layer security properties. UMTS, like CDMA2000, uses variable-size Walsh codes for generation of channelization codes to allow for adjusting throughput on channels depending on network traffic; the size of Walsh codes varies from 4 to 256 bits. A more significant security impact, as in cdmaOne, comes from the scrambling key, which can also be varied in length to change bandwidth on the link between the MS and the network based on network congestion. The maximum length of the scrambling key on both UMTS and CDMA2000 is 42 bits. The attack by Li, Ling, and Ren described in the subsection on physical layer security of cdmaOne networks is applicable to UMTS and CDMA2000; it has the same time complexity on CDMA2000, since the same characteristic polynomials are used as in cdmaOne, and on UMTS it actually has lower complexity due to dependencies among the LFSRs used to generate the scrambling key. Li, Ling, and Ren suggest using AES for secure scrambling; this, however, has not been implemented [19, 24, 27]. Overall, however, the transmission over the air is reasonably secured to protect from casual eavesdropping.

4.1.2 Network Domain Security

Network domain security in UMTS and CDMA2000 networks relates to communication on and among operators' networks. A serious vulnerability of 2G networks is the absence of network domain security mechanisms – at the time of their design it was believed that limited access to core switching networks would provide sufficient protection. This situation is changing with the advent of 3G systems as more and more operators enter the market. Additionally, operators are turning to IP-based communication on their networks instead of the Signaling System 7 (SS7)-based Mobile Application Part (MAP) protocol or the IS-41-based protocols of earlier mobile telecommunication systems. Network domain standardization is necessary in order to achieve interoperability among different operators' networks.
Two models address network domain security: MAPsec and IPsec. MAPsec provides a security wrapper for earlier-generation MAP messages. It can operate in three modes: no protection, integrity protection only, and encryption with integrity protection. MAPsec uses the 128-bit Rijndael algorithm: in counter mode for encryption and in cipher block chaining message authentication code mode for integrity protection. IPsec is a security protocol suite for secure communication over IP networks; it can be used to secure communication over an IP-based 3G operator network. The standards specify the use of the Rijndael algorithm for encryption, which is, as mentioned before, considered to be cryptographically secure. IPsec and MAPsec use the Internet Key Exchange protocol for key distribution. To sum up, the 3G standards enable network operators to use MAPsec or IPsec to provide network domain protection – the use of those protocols, however, isn't mandatory.

5. TELECOMMUNICATION SECURITY EVALUATION

The previous section gave a brief overview of 3G security features. Despite the somewhat blurry security requirements set out by the ITU for 3G, the security of the system is a definite improvement over 2G: phone cloning and eavesdropping are much harder to carry out due to the use of longer keys and more secure algorithms; rogue base station attacks are countered with mutual authentication; rogue shell attacks are handled by USIM authentication in CDMA2000. Despite addressing all the ITU's requirements, not all the expected security mechanisms are in place: there is no support for non-repudiation and no clear access control model. So how secure are 3G systems? The availability-integrity-confidentiality framework may provide a useful tool in answering that question, which can be restated as how well the key security objectives of availability, integrity, and confidentiality are met by 3G telecommunications networks. Availability is critical for 3G: aside from the fact that an increasing number of emergency calls is placed from mobile phones [GSMA], availability underpins the other two security objectives. 3G addresses the availability concerns by authenticating users and securing operators' networks. AKA is considered to be secure with the algorithms used by UMTS and CDMA2000. The IP-based operator network, on the other hand, is not, and IPsec use isn't mandatory. This is a potential vulnerability, and IP-based DDoS attacks on 3G operator networks may prove to be real threats. Confidentiality, perhaps the best achieved objective of the three, is nonetheless not completely realized – it is possible to gain improper access to information on 3G networks by exploiting AKA compatibility with GSM authentication. As mentioned in the subsection on GSM security features, Barkan, Biham, and Keller showed how an instant ciphertext-only attack can be used to recover the session key on GSM networks and consequently on 3G. Another possible attack may involve eavesdropping on the IMSI transmission when the TMSI is unavailable and the MSC requests the IMSI to be sent in the clear. The IMSI can also be retrieved by an attacker who has gained access to the operators' network. In other words, despite the use of strong encryption provided by 128-bit keys and Rijndael, the confidentiality objective isn't fully reached on 3G networks. The integrity option in 3G is only provided for signaling channels – this objective is perhaps the least achieved in the availability-confidentiality-integrity framework. To sum up, from the point of view of the availability-confidentiality-integrity framework, 3G systems aren't secure. Having said that, 3G systems are also very open and perhaps do not require high levels of security – sensitive applications may be better off implementing the necessary security features themselves according to the end-to-end principle; additionally, due to the severe hardware constraints of the least common denominator on the 3G network – a basic cell phone – the more advanced security features – for example longer keys, digital signatures, public keys, key escrow for legitimate eavesdropping, or RBAC – aren't yet practical. Overall, 3G development is a step in the right direction: only collaborative, evolving, open standards can provide adequate security for such a large and diverse system.
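The three MAPsec protection modes described in section 4.1.2, as an added example that is neither the paper's nor 3GPP's code: Go's standard-library AES-128 in counter mode for encryption and a CBC-MAC for integrity, the two constructions the text names, wrapped in a small message format with a leading mode byte. The message layout, the length-prefixed CBC-MAC padding, the policy check in Unprotect, and all keys and messages are assumptions constructed for this example; they are not the MAPsec wire format. The example also shows the failure mode behind the evaluation's remark that protection isn't mandatory: in the no-protection mode a modified message is accepted as-is, while in either protected mode a single flipped bit is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

const ModeNone, ModeIntegrity, ModeEncrypt = 0, 1, 2 // the three MAPsec modes named in the text

// Context is the security association with one peer: the mode the local policy
// requires, a 128-bit AES key for CTR encryption and a separate 128-bit key for
// CBC-MAC. Real deployments get both keys from IKE; here they are constructed.
type Context struct {
	Mode           int
	EncKey, MacKey []byte
}

// block returns AES-128 for a 16-byte key; a wrong key length is a programming error.
func block(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// cbcMAC is CBC-MAC with a zero IV over length-prefixed, zero-padded data, so that
// messages of different lengths cannot share a tag.
func cbcMAC(key, data []byte) []byte {
	b, n := block(key), len(data)
	msg := append([]byte{byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}, data...)
	for len(msg)%aes.BlockSize != 0 {
		msg = append(msg, 0)
	}
	mac := make([]byte, aes.BlockSize)
	for i := 0; i < len(msg); i += aes.BlockSize {
		for j := range mac {
			mac[j] ^= msg[i+j]
		}
		b.Encrypt(mac, mac)
	}
	return mac
}

// Protect wraps a MAP message as mode(1) | payload | tag(16; absent in ModeNone). In
// ModeEncrypt the payload is a fresh counter block plus AES-CTR ciphertext; the tag
// covers the mode byte as well (encrypt-then-MAC).
func Protect(ctx *Context, plaintext []byte) ([]byte, error) {
	out := []byte{byte(ctx.Mode)}
	if ctx.Mode == ModeEncrypt {
		iv := make([]byte, aes.BlockSize) // never reuse a counter block under one key
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
		ct := make([]byte, len(plaintext))
		cipher.NewCTR(block(ctx.EncKey), iv).XORKeyStream(ct, plaintext)
		out = append(append(out, iv...), ct...)
	} else {
		out = append(out, plaintext...)
	}
	if ctx.Mode != ModeNone {
		out = append(out, cbcMAC(ctx.MacKey, out)...)
	}
	return out, nil
}

// Unprotect refuses a mode weaker than the context's policy, verifies the tag when
// the mode carries one, and decrypts when needed. A well-formed message has a mode
// byte, then at least a tag (ModeIntegrity) or a counter block plus tag (ModeEncrypt).
func Unprotect(ctx *Context, msg []byte) ([]byte, error) {
	if len(msg) < 1 || int(msg[0]) > ModeEncrypt || len(msg) < 1+aes.BlockSize*int(msg[0]) {
		return nil, errors.New("malformed message")
	}
	mode, body := int(msg[0]), msg[1:]
	if mode < ctx.Mode {
		return nil, errors.New("protection mode below policy: downgrade refused")
	}
	if mode == ModeNone {
		return body, nil // nothing to verify: tampering cannot be detected
	}
	tag, body := body[len(body)-aes.BlockSize:], body[:len(body)-aes.BlockSize]
	if subtle.ConstantTimeCompare(tag, cbcMAC(ctx.MacKey, msg[:len(msg)-aes.BlockSize])) != 1 {
		return nil, errors.New("integrity check failed")
	}
	if mode == ModeEncrypt {
		pt := make([]byte, len(body)-aes.BlockSize)
		cipher.NewCTR(block(ctx.EncKey), body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
		body = pt
	}
	return body, nil
}

func main() {
	ctx := &Context{Mode: ModeEncrypt, EncKey: []byte("0123456789abcdef"), MacKey: []byte("fedcba9876543210")} // constructed keys
	wire, _ := Protect(ctx, []byte("MAP sendAuthenticationInfo IMSI=001010123456789")) // constructed message
	wire[len(wire)/2] ^= 1 // one bit flipped in transit
	_, err := Unprotect(ctx, wire)
	fmt.Println("tampered message rejected:", err)
}
```

The policy check in Unprotect is the part a deployment most easily forgets: without it, a peer that sends a mode-0 message is silently handled on the unprotected path even though the operator configured integrity or encryption, which is the practical form of the text's point that the use of MAPsec or IPsec isn't mandatory. The integrity-only mode leaves the MAP payload readable on the wire, so an IMSI carried in such a message is visible to anyone on the operator network, exactly the exposure the evaluation section raises.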
6. CONCLUSION

This paper presented a survey of three generations of mobile phone systems from a security perspective. The 3G networks' standards were evaluated within the availability-confidentiality-integrity framework and found to not be secure. This fact, however, should be considered with the realization that mobile phone systems first and foremost need to provide telecommunication service to their subscribers and have certain limitations that prevent them from achieving higher levels of security. Finally, some limitations of this work are: the omission of a discussion of currently deployed 2.5G/2.75G systems (for example EDGE, GPRS) – the security aspects of these systems, however, are closely related to their 2G predecessors; some of the protocols/algorithms/attacks mentioned haven't been analyzed in much depth; finally, there is no experimental data supporting the claim that 3G systems aren't secure. Future work can be geared toward filling those gaps.

7. REFERENCES

3G TS 33.120 Security Principles and Objectives. http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf
3G TS 33.120 Security Threats and Requirements. http://www.arib.or.jp/IMT-2011/ARIB-spec/ARIB/21133-310.PDF
Michael Walker. "On the Security of 3GPP Networks". http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/mike_walker.pdf
Redl, Weber, Oliphant. "An Introduction to GSM". Artech House, 2010.
Joachim Tisal. "GSM Cellular Radio Telephony". John Wiley & Sons, 2009.
Lauri Pesonen. "GSM Interception". http://www.dia.unisa.it/ads.dir/corso-security/www/CORSO-9900/a5/Netsec/netsec.html
3G TR 33.900 A Guide to 3rd Generation Security. ftp://ftp.3gpp.org/TSG_SA/WG3_Security/_Specs/33900-120.pdf
3G TS 33.102 Security Architecture. ftp://ftp.3gpp.org/Specs/2000-12/R1999/33_series/33102-370.zip
3G TR 21.905 Vocabulary for 3GPP Specifications. http://www.quintillion.co.jp/3GPP/Specs/21905-010.pdf
CDMA Development Group. www.cdg.org (12-7-2007)
Millan, W., Gauravaram, P., 2007. Cryptanalysis of the Cellular Authentication and Voice Encryption Algorithm. IEICE Electronics Express, Vol. 1, No. 15.
Wagner, D., Schneier, B., Kelsey, J., 1997. Cryptanalysis of the Cellular Message Encryption Algorithm. Proceedings of Crypto 1997.
Frodigh, M., Parkvall, S., Roobol, C., Johansson, P., Larsson, P., 2001. Future-Generation Wireless Networks. IEEE Personal Communications, Vol. 8, Issue 5, October 2001.
Barkan, E., Biham, E., Keller, N., 2003. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. Proceedings of Crypto 2003.
3GPP, 2010. TS 35.202 V7 (Specification of KASUMI).
3GPP, 2010. TS 35.206 V7 (Specification of MILENAGE).
Rose, G., Koien, G., 2009. Access Security in CDMA2000, Including a Comparison with UMTS Access Security. IEEE Wireless Communications, February 2004.
Hawkes, P., Rose, G., 2009. Analysis of the Milenage Algorithm Set. Qualcomm Incorporated.
ITU-T, 2006. Security in ORYX. Lecture Notes in Computer Science, Vol. 1556.
Goldberg, I., Briceno, M., 2007. GSM Cloning. www.isaac.cs.berkeley.edu/isaac/gsm-faq.html (12-7-2007)