Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Intermediate: Security in Mobile Cellular Networks

11,529 views

Published on

A brief presentation looking at how Security has evolved in the mobile cellular networks from 2G to 4G. This is a very high level presentation but links are provided for anyone interested in studying this topic in detail.

Published in: Technology
  • Be the first to comment

Intermediate: Security in Mobile Cellular Networks

  1. 1. Security in Mobile Cellular Networks @3g4gUK
  2. 2. 3GPP Security Architecture ©3G4G • 3GPP TS 33.102: 3G Security; Security architecture • 3GPP TS 33.401: 3GPP System Architecture Evolution (SAE); Security architecture Five security feature groups are defined. Each of these feature groups meets certain threats and accomplishes certain security objectives: o Network access security (I): the set of security features that provide users with secure access to services, and which in particular protect against attacks on the (radio) access link. o Network domain security (II): the set of security features that enable nodes to securely exchange signalling data, user data (between AN and SN and within AN), and protect against attacks on the wireline network. o User domain security (III): the set of security features that secure access to mobile stations. o Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages. o Visibility and configurability of security (V): the set of features that enables the user to inform himself whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature.
  3. 3. Evolution of 3GPP Security (I) ©3G4G Source: 3GPP - Bengt Sahlin
  4. 4. Evolution of 3GPP Security (II) ©3G4G Source: 3GPP - Bengt Sahlin
  5. 5. Evolution of 3GPP Security in 5G ©3G4G Source: Huawei 5G Security Architecture White Paper
  6. 6. Scope of this Presentation ©3G4G • User Identity Confidentiality • Authentication • Ciphering (Confidentiality) • Integrity Protection • Signalling examples • Sample messages (where available) • Simple examples of hacking of the mobile network
  7. 7. Identities ©3G4G • Each Mobile device contain IMEI (International Mobile Equipment Identity) • The SIM card contains IMSI (International Mobile Subscriber Identity) • During the operation, IMSI has to be hidden with help of temporary identities in order to provide: • user identity confidentiality • user location confidentiality • user untraceability
  8. 8. Temporary Identities ©3G4G • In 2G/3G: • TMSI (Temporary Mobile Subscriber Identity) • P-TMSI (Packet TMSI) • In 4G/LTE: • GUTI (Globally Unique Temporary UE Identity) GUMMEI - Globally Unique MME Identifier MMEGI - MME Group ID MMEC - MME Code S-TMSI = SAE Temporary Mobile Subscriber Identity M-TMSI = MME Temporary Mobile Subscriber Identity More details: 3GPP TS 23.003
  9. 9. What is Authentication? ©3G4G • Authentication is to verify everyone is who they claim to be Hello, I am James Bond Hello, I am the Queen • Authentication is performed via AKA or Authentication and Key Agreement Procedure • In 2G, we only had Handset Authentication whereas in 3G & 4G, we perform Mutual Authentication to verify the handset as well as the base station.
  10. 10. 2G, 3G, 4G Simple Network Architecture ©3G4G BSC BTS MSC Voice (PSTN) Network SGSN Data (IP) Network RNC Node BeNodeB MME GGSN Access Network Core Network Air Interface MSUEUE BSSRNS S-GW P-GW 2G 2.5G 3G 4G EPC
  11. 11. HLR, HSS & AuC ©3G4G • HLR – Home Location Register • HSS – Home Subscriber Server • AuC – Authentication Center 4G PS Core Network 2G/3G PS Core Network 2G/3G CS Core Network HLR/HSS/AuC DATA Logic Further Reading: 3G4G Blog
  12. 12. UICC & SIM ©3G4G 2G SIM UMTS SIM (USIM) IMSI MSISDN SMS Data Address Book IMSI MSISDN MSISDN MSISDN Authentication Data and Keys Multimedia Messaging Config Data IMS SIM (ISIM) Security Keys Home Network Domain Name (URI) Private User Identity y Public User Identity Administrative Data Access Rule Reference Address of P-CSCF Ki
  13. 13. The Attach Procedure Signalling ©3G4G UE AN CS CN PS CN Access Network (AN) Core Network (CN) PS CN broadcast information CS CN broadcast information System information messages Hello, I am UE 1 Hello UE1, please use this channel <…> Thanks, I am all setup. Hello, I am UE 1. Want to Attach and let you know that I am now active Hello UE 1, please authenticate yourself against this vector <…> No problems, here is my authentication response <…>
  14. 14. The Attach Procedure Signalling ©3G4G UE AN CS CN PS CN I trust UE1, please establish security with it Establish Security using <…> Thanks, all done. Security Established Access Network (AN) Core Network (CN) UE1 is now connected to us Attach Accept. Please use this new temporary identity for now Attach Complete.
  15. 15. What is Ciphering? ©3G4G • Ciphering is the process of Encryption & Decryption • Its got nothing to do with compression / decompression • Example of 2G Ciphering
  16. 16. Actual Security Procedure in GSM ©3G4G UE BSC MSC/VLR Authentication Request (CKSN, RAND) Authentication Response (SRES) BTS Authentication Request (CKSN, RAND) Authentication Request (CKSN, RAND) Authentication Response (SRES) Authentication Response (SRES) Cipher Mode Command (Kc, A5x) Cipher Mode Complete Cipher Mode Complete Cipher Mode Complete Cipher Mode Command (Kc, A5x) Cipher Mode Command (A5x) CKSN – Cipher Key Sequence Number RAND – Random Number (128 bits) SRES – Signed Response (32 bits) XRES – Expected Response (32 bits) Kc – Ciphering Key (64 bit) A5 – Encryption Algorithm (A5/0 to A5/7) Access Network (AN) Core Network (CN)
  17. 17. Actual Security Procedure in GPRS ©3G4G UE BSC SGSN Authentication and Ciphering Request (RAND) Authentication and Ciphering Response (SRES) BTS Authentication and Ciphering Request (RAND) Authentication and Ciphering Request (RAND) Authentication and Ciphering Response (SRES) Authentication and Ciphering Response (SRES) CKSN – Cipher Key Sequence Number RAND – Random Number (128 bits) SRES – Signed Response (32 bits) XRES – Expected Response (32 bits) Kc – Ciphering Key (64 bit) A5 – Encryption Algorithm (A5/0 to A5/7) Access Network (AN) Core Network (CN)
  18. 18. Security Architecture Evolution ©3G4G Core Network MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC GSM Handset Authentication Ciphering (AN CP, UP) GPRS Handset Authentication + Ciphering (AN CP, UP) AN – Access Network AS – Access Stratum RRC – Radio Resource Control NAS – Non-Access Stratum CP – Control Plane UP – User Plane
  19. 19. Fake Cell Towers on Planes to Gather Data From Phones ©3G4G Source: MacRumors
  20. 20. What is Integrity Protection? ©3G4G • A 32 bit (4 octet) number is added to certain signalling messages in 3G & 4G to authenticate individual messages • In 3G, Integrity protection is done at RRC layer • In 4G, a Integrity protection happens at PDCP and in NAS.
  21. 21. Example of MAC-I in 3G / UMTS ©3G4G • Message Authentication Code MAC-I
  22. 22. Example of MAC-I in 4G / LTE ©3G4G
  23. 23. UMTS Security Overview ©3G4G Further Reading & References: UMTS Security: A Primer
  24. 24. UMTS Security Overview ©3G4G UE RNC VLR / SGSNNodeB Access Network (AN) Core Network (CN) RRC Connection Setup Procedure (Start Value, HFNs and the Security Capability is stored in RNC ) Initial L3 Message (user identity, KSI, etc) Authentication & Key Agreement (AKA) Procedure UIA, UEA decision Security Mode Command (UIAs, IK, UEAs, CK, etc) Select UIA, UEA Generate FRESH Start Integrity
  25. 25. UMTS Security Overview ©3G4G UE RNC VLR / SGSNNodeB Access Network (AN) Core Network (CN) Security Mode Complete Verify received message Security Mode Command (CN domain, UIA, UEA, FRESH, Security Capability, etc) Start Integrity Security Mode Complete (selected UIA, UEA)
  26. 26. Key things to remember in UMTS Security ©3G4G • Integrity protection is mandatory and Ciphering optional • The user plane (UP) for each domain is protected by its own Ciphering Key while the control plane (CP) is protected by Ciphering & Integrity Keys from the last domain • Ciphering for CS domain happens in MAC as RLC is in transparent mode (TM) • Ciphering for PS domain happens in RLC for acknowledged mode (AM) or unacknowledged mode (UM) • For the first domain • Authentication messages are not Integrity Protected or Ciphered • Security Mode Command is the first Integrity protected message
  27. 27. Key things to remember in UMTS Security ©3G4G • For the second domain • Authentication messages are Integrity Protected and optionally ciphered with the first domain keys • Security Mode Command requests modification of Integrity protection and Ciphering for the CP • The new integrity protection and ciphering takes place after the Security Procedure is complete • It is possible that ciphering is enabled for one domain and disabled for another
  28. 28. Actual Security Procedure in UMTS – PS ©3G4G UE RNC SGSN Authentication and Ciphering Request Authentication and Ciphering Response (SRES) Node B Authentication and Ciphering Request Authentication and Ciphering Request Authentication and Ciphering Response (SRES) Authentication and Ciphering Response (SRES) Security Mode Command Security Mode Complete Security Mode Complete Security Mode Complete Security Mode Command Security Mode Command Access Network (AN) Core Network (CN)
  29. 29. UMTS Security for PS Domain - Authentication ©3G4G DL-DCCH-Message -----> downlinkDirectTransfer DL-DCCH-Message = message = downlinkDirectTransfer = r3 = downlinkDirectTransfer-r3 = rrc-TransactionIdentifier = 0 cn-DomainIdentity = ps-domain nas-Message = 0812013021D5770C6D363E30C364A4078F1BF8ED3A8028106E323B36C46C5555D5760E6E323B6391 Authentication and Ciphering Request -----> Authentication and Ciphering Request PDU: Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x8 - GPRS Mobility Management [ 8 ] Message Type [8 bits] = 0x12 - Authentication and Ciphering Request [ 18 ] IMEISV Request Spare Bits [1 bit] = 0x0 [ 0 ] value [3 bits] = 0x0 - IMEISV Not Requested [ 0 ] Ciphering Algorithm Spare Bits [1 bit] = 0x0 [ 0 ] Type of Algorithm [3 bits] = 0x1 [ 1 ] A & C Reference Number value [4 bits] = 0x3 [ 3 ] Force Standby Spare Bits [1 bit] = 0x0 [ 0 ] value [3 bits] = 0x0 - Force to Standby Not Indicated [ 0 ] Authentication Parameter Rand IE Identifier [8 bits] = 0x21 [ 33 ] Authentication Parameter Rand = 0xD5770C6D363E30C364A4078F1BF8ED3A Ciphering Key Sequence Number IE Identifier [4 bits] = 0x8 [ 8 ] Spare Bits [1 bit] = 0x0 [ 0 ] Key Sequence [3 bits] = 0x0 - Ciphering Key Sequence Number [ 0 ] Authentication Parameter AUTN IE Identifier [8 bits] = 0x28 [ 40 ] IE Length [8 bits] = 0x10 [ 16 ] value = 0x6E323B36C46C5555D5760E6E323B6391 UL-DCCH-Message <----- uplinkDirectTransfer UL-DCCH-Message = message = uplinkDirectTransfer = cn-DomainIdentity = ps-domain nas-Message = 08130322D5760E6E290C323B36C46CAD0D8417F5E335 Authentication and Ciphering Response <----- Authentication and Ciphering Response PDU: Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x8 - GPRS Mobility Management [ 8 ] Message Type [8 bits] = 0x13 - Authentication and Ciphering Response [ 19 ] Spare Half Octet [4 bits] = 0x0 [ 0 ] A & C Reference Number value [4 bits] = 0x3 [ 3 ] Authentication Response Signature IE Identifier [8 bits] = 0x22 [ 34 ] Value = 0xD5760E6E [ 3581283950 ] Authentication Response Parameter IE Identifier [8 bits] = 0x29 [ 41 ] IE Length [8 bits] = 0xC [ 12 ] value = 0x323B36C46CAD0D8417F5E335 Source: 3GPP Conformance Test 8.1.7.1c
  30. 30. UMTS Security for PS Domain - Security ©3G4G DL-DCCH-Message -----> securityModeCommand DL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 01000111111001000001111101101001 rrc-MessageSequenceNumber = 0 message = securityModeCommand = r3 = securityModeCommand-r3 = rrc-TransactionIdentifier = 0 securityCapability = cipheringAlgorithmCap = 0000000000000011 integrityProtectionAlgorithmCap = 0000000000000010 cipheringModeInfo = cipheringModeCommand = startRestart = uea1 rb-DL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfo RB-ActivationTimeInfo(1) = rb-Identity = 1 rlc-SequenceNumber = 0 RB-ActivationTimeInfo(2) = rb-Identity = 2 rlc-SequenceNumber = 2 RB-ActivationTimeInfo(3) = rb-Identity = 3 rlc-SequenceNumber = 3 RB-ActivationTimeInfo(4) = rb-Identity = 4 rlc-SequenceNumber = 0 integrityProtectionModeInfo = integrityProtectionModeCommand = startIntegrityProtection = integrityProtInitNumber = 00000000000000000000000000000000 integrityProtectionAlgorithm = uia1 cn-DomainIdentity = ps-domain ue-SystemSpecificSecurityCap = SEQUENCE OF InterRAT-UE-SecurityCapability InterRAT-UE-SecurityCapability(1) = gsm = gsmSecurityCapability = 0000011 UL-DCCH-Message <----- securityModeComplete UL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 10000000110110110111011001011001 rrc-MessageSequenceNumber = 1 message = securityModeComplete = rrc-TransactionIdentifier = 0 ul-IntegProtActivationInfo = rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber RRC-MessageSequenceNumber(1) = 0 RRC-MessageSequenceNumber(2) = 0 RRC-MessageSequenceNumber(3) = 0 RRC-MessageSequenceNumber(4) = 0 RRC-MessageSequenceNumber(5) = 0 rb-UL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfo RB-ActivationTimeInfo(1) = rb-Identity = 1 rlc-SequenceNumber = 0 RB-ActivationTimeInfo(2) = rb-Identity = 2 rlc-SequenceNumber = 8 RB-ActivationTimeInfo(3) = rb-Identity = 3 rlc-SequenceNumber = 5 RB-ActivationTimeInfo(4) = rb-Identity = 4 rlc-SequenceNumber = 0 Source: 3GPP Conformance Test 8.1.7.1c
  31. 31. Actual Security Procedure in UMTS - CS ©3G4G UE RNC MSC/VLR Authentication Request Authentication Response (SRES) Node B Authentication Request Authentication Request Authentication Response (SRES) Authentication Response (SRES) Security Mode Command Security Mode Complete Security Mode Complete Security Mode Complete Security Mode Command Security Mode Command Access Network (AN) Core Network (CN)
  32. 32. UMTS Security for CS Domain on top of PS domain - Authentication ©3G4G DL-DCCH-Message -----> downlinkDirectTransfer DL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 10001011101111001101101110110000 rrc-MessageSequenceNumber = 1 message = downlinkDirectTransfer = r3 = downlinkDirectTransfer-r3 = rrc-TransactionIdentifier = 0 cn-DomainIdentity = cs-domain nas-Message = 051200D5770C6D363E30C364A4078F1BF8ED3A20106E323B36C46C5555D5760E6E323B6391 Authentication Request -----> Authentication Request PDU: Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x5 - Mobility Management [ 5 ] Message Type [8 bits] = 0x12 - Authentication Request [ 18 ] Spare Half Octet [4 bits] = 0x0 [ 0 ] Ciphering Key Sequence Number Spare Bits [1 bit] = 0x0 [ 0 ] Key Sequence [3 bits] = 0x0 - Ciphering Key Sequence Number [ 0 ] Authentication Parameter Rand = 0xD5770C6D363E30C364A4078F1BF8ED3A Authentication Parameter AUTN IE Identifier [8 bits] = 0x20 [ 32 ] IE Length [8 bits] = 0x10 [ 16 ] value = 0x6E323B36C46C5555D5760E6E323B6391 UL-DCCH-Message <----- uplinkDirectTransfer UL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 00101110010111100100100101111011 rrc-MessageSequenceNumber = 3 message = uplinkDirectTransfer = cn-DomainIdentity = cs-domain nas-Message = 0514D5760E6E210C323B36C46CAD0D8417F5E335 Authentication Response <----- Authentication Response PDU: Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x5 - Mobility Management [ 5 ] Message Type [8 bits] = 0x14 - Authentication Response [ 20 ] Authentication Response Signature Value = 0xD5760E6E [ 3581283950 ] Authentication Response Parameter IE Identifier [8 bits] = 0x21 [ 33 ] IE Length [8 bits] = 0xC [ 12 ] value = 0x323B36C46CAD0D8417F5E335 Source: 3GPP Conformance Test 8.1.7.1c
  33. 33. UMTS Security for CS Domain on top of PS domain - Security ©3G4G DL-DCCH-Message -----> securityModeCommand DL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 11000100010100111100000101111100 rrc-MessageSequenceNumber = 3 message = securityModeCommand = r3 = securityModeCommand-r3 = rrc-TransactionIdentifier = 0 securityCapability = cipheringAlgorithmCap = 0000000000000011 integrityProtectionAlgorithmCap = 0000000000000010 cipheringModeInfo = cipheringModeCommand = startRestart = uea1 rb-DL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfo RB-ActivationTimeInfo(1) = rb-Identity = 1 rlc-SequenceNumber = 0 RB-ActivationTimeInfo(2) = rb-Identity = 2 rlc-SequenceNumber = 11 RB-ActivationTimeInfo(3) = rb-Identity = 3 rlc-SequenceNumber = 8 RB-ActivationTimeInfo(4) = rb-Identity = 4 rlc-SequenceNumber = 0 integrityProtectionModeInfo = integrityProtectionModeCommand = modify = dl-IntegrityProtActivationInfo = rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber RRC-MessageSequenceNumber(1) = 0 RRC-MessageSequenceNumber(2) = 0 RRC-MessageSequenceNumber(3) = 3 RRC-MessageSequenceNumber(4) = 2 RRC-MessageSequenceNumber(5) = 0 integrityProtectionAlgorithm = uia1 cn-DomainIdentity = cs-domain ue-SystemSpecificSecurityCap = SEQUENCE OF InterRAT-UE-SecurityCapability InterRAT-UE-SecurityCapability(1) = gsm = gsmSecurityCapability = 0000011 UL-DCCH-Message <----- securityModeComplete UL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 01011001010010101011010110101100 rrc-MessageSequenceNumber = 3 message = securityModeComplete = rrc-TransactionIdentifier = 0 ul-IntegProtActivationInfo = rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber RRC-MessageSequenceNumber(1) = 5 RRC-MessageSequenceNumber(2) = 1 RRC-MessageSequenceNumber(3) = 3 RRC-MessageSequenceNumber(4) = 4 RRC-MessageSequenceNumber(5) = 1 rb-UL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfo RB-ActivationTimeInfo(1) = rb-Identity = 1 rlc-SequenceNumber = 0 RB-ActivationTimeInfo(2) = rb-Identity = 2 rlc-SequenceNumber = 11 RB-ActivationTimeInfo(3) = rb-Identity = 3 rlc-SequenceNumber = 11 RB-ActivationTimeInfo(4) = rb-Identity = 4 rlc-SequenceNumber = 0 Source: 3GPP Conformance Test 8.1.7.1c
  34. 34. UMTS Security for CS Domain on top of PS domain – Voice Radio Bearers Setup ©3G4G DL-DCCH-Message -----> radioBearerSetup DL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 10100011001100001001101011010110 rrc-MessageSequenceNumber = 4 message = radioBearerSetup = r3 = radioBearerSetup-r3 = rrc-TransactionIdentifier = 0 activationTime = 184 rrc-StateIndicator = cell-DCH rab-InformationSetupList = SEQUENCE OF RAB-InformationSetup RAB-InformationSetup(1) = rab-Info = rab-Identity = gsm-MAP-RAB-Identity = 00000001 cn-DomainIdentity = cs-domain re-EstablishmentTimer = useT314 rb-InformationSetupList = SEQUENCE OF RB-InformationSetup RB-InformationSetup(1) = rb-Identity = 10 rlc-InfoChoice = rlc-Info = ul-RLC-Mode = ul-TM-RLC-Mode = segmentationIndication = FALSE dl-RLC-Mode = dl-TM-RLC-Mode = segmentationIndication = FALSE rb-MappingInfo = SEQUENCE OF RB-MappingOption RB-MappingOption(1) = ul-LogicalChannelMappings = oneLogicalChannel = ul-TransportChannelType = dch = 1 rlc-SizeList = configured = NULL mac-LogicalChannelPriority = 6 dl-LogicalChannelMappingList = SEQUENCE OF DL-LogicalChannelMapping DL-LogicalChannelMapping(1) = dl-TransportChannelType = dch = 6 RB-InformationSetup(2) = rb-Identity = 11 … UL-DCCH-Message <----- radioBearerSetupComplete UL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 10101010000100111100011111001010 rrc-MessageSequenceNumber = 4 message = radioBearerSetupComplete = rrc-TransactionIdentifier = 0 start-Value = 00000000000000000010 count-C-ActivationTime = 168 Source: 3GPP Conformance Test 8.1.7.1c
  35. 35. Security Architecture Evolution ©3G4G Core Network MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC GSM Handset Authentication Ciphering (AN CP, UP) GPRS Handset Authentication + Ciphering (AN CP, UP) UMTS Mutual Authentication Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC) AN – Access Network AS – Access Stratum RRC – Radio Resource Control NAS – Non-Access Stratum CP – Control Plane UP – User Plane IPSec (Optional)
  36. 36. Hacking The Femtocells - UMTS ©3G4G More Info: Femto Hacking in UMTS and LTE
  37. 37. Hacking The Femtocells - LTE ©3G4G More Info: Femto Hacking in UMTS and LTE
  38. 38. Key Hierarchy in LTE / E-UTRAN ©3G4G Picture Source: RedYoda 3GPP Spec Reference: TS 33.401 K - Master key CK - Cipher Key IK - Integrity Key KASME - Key-Access Security Management Entity KNASenc - Key-NAS encryption KNASint - Key-NAS integrity KeNB - Key-eNodeB NH - Next Hop KUPint - Key-User Plane integrity KUPenc - Key-User Plane encryption KRRCint - Key-Radio Resource Control integrity KRRCenc - Key-Radio Resource Control encryption
  39. 39. EPS Authentication and Key Agreement (EPS-AKA) procedure ©3G4G Picture Source: RedYoda 3GPP Spec Reference: TS 33.401 AUTN - Authentication Token RAND - A 128 bit random number SQN - 48 bit sequence number RES - Response XRES - Expected Response KDF - Key Derivation Function KSI - Key Set Identifier SN Id - Serving Network Id K - Master key CK - Cipher Key IK - Integrity Key KASME - Key-Access Security Management Entity
  40. 40. Actual Security Procedure in LTE ©3G4G UE eNodeB MME Authentication Request Authentication Response (SRES) Authentication Request Authentication Response (SRES) Security Mode Command NAS: Security Mode Complete Security Mode Complete NAS: Security Mode Command Access Network (AN) Core Network (CN) RRC: Security Mode Complete RRC: Security Mode Command
  41. 41. LTE Security Signaling - Authentication ©3G4G Authentication Request PDU Security header type [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x7 [ 7 ] Message Type [8 bits] = 0x52 - Authentication Request [ 82 ] Spare Half Octet [4 bits] = 0x0 [ 0 ] NAS key set identifierASME Type of security context flag [1 bit] = 0x0 [ 0 ] ksi [3 bits] = 0x0 [ 0 ] Authentication Parameter Rand Authentication Parameter Rand = 0xA3DE0C6D363E30C364A4078F1BF8D577 Authentication Parameter AUTN IE Length [8 bits] = 0x10 [ 16 ] value = 0x6E323B36C46C5555A3DF0E6E323B6391 075200A3DE0C6D363E30C364A4078F1BF8D577106E323B36C46C5555A3DF0E6E323B6391 DL-DCCH-Message dlInformationTransfer DL-DCCH-Message = message = c1 = dlInformationTransfer = rrc-TransactionIdentifier = 0 criticalExtensions = c1 = dlInformationTransfer-r8 = dedicatedInfoType = dedicatedInfoNAS = 075200A3DE0C6D363E30C364A4078F1BF8D577106E323B36C46C5555A3DF0E6E323B6391 0801203A90051EF06369B1F1861B25203C78DFC6ABB8837191D9B62362AAAD1EF8737191DB1C88 UL-DCCH-Message ulInformationTransfer UL-DCCH-Message = message = c1 = ulInformationTransfer = criticalExtensions = c1 = ulInformationTransfer-r8 = dedicatedInformationType = dedicatedInfoNAS = 075308A3DF0E6E323B36C4 480160EA61147BE1CDC64766D880 Authentication Response Authentication Response PDU Security header type [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x7 [ 7 ] Message Type [8 bits] = 0x53 - Authentication Response [ 83 ] Authentication response parameter IE Length [8 bits] = 0x8 [ 8 ] Authentication response parameter information = 0xA3DF0E6E323B36C4 075308A3DF0E6E323B36C4 Source: 3GPP Conformance Test 8.1.2.1
  42. 42. LTE Security Signaling – NAS Security 1 ©3G4G Security Mode Command Security Mode Command PDU Security Mode Command PDU [1]Security header type [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x7 [ 7 ] Message Type [8 bits] = 0x5D - Security Mode Command [ 93 ] Selected NAS security algorithms Spare Bits [1 bit] = 0x0 [ 0 ] Type of ciphering algorithm [3 bits] = 0x0 [ 0 ] Spare Padding [1 bit] = 0x0 [ 0 ] Type of integrity protection algorithm [3 bits] = 0x1 [ 1 ] Spare Half Octet [4 bits] = 0x0 [ 0 ] NAS key set identifierASME Type of security context flag [1 bit] = 0x0 [ 0 ] ksi [3 bits] = 0x0 [ 0 ] Replayed UE security capabilities IE Length [8 bits] = 0x2 [ 2 ] eea0_128 [1 bit] = 0x1 [ 1 ] eea1_128 [1 bit] = 0x1 [ 1 ] eea2_128 [1 bit] = 0x0 [ 0 ] eea3 [1 bit] = 0x0 [ 0 ] eea4 [1 bit] = 0x0 [ 0 ] eea5 [1 bit] = 0x0 [ 0 ] eea6 [1 bit] = 0x0 [ 0 ] eea7 [1 bit] = 0x0 [ 0 ] Spare Bits [1 bit] = 0x1 [ 1 ] eia1_128 [1 bit] = 0x1 [ 1 ] eia2_128 [1 bit] = 0x0 [ 0 ] eia3 [1 bit] = 0x0 [ 0 ] eia4 [1 bit] = 0x0 [ 0 ] eia5 [1 bit] = 0x0 [ 0 ] eia6 [1 bit] = 0x0 [ 0 ] eia7 [1 bit] = 0x0 [ 0 ] 075D010002C0C0 Continued… Security Protected NAS Message Security Protected NAS Message PDU Security header type [4 bits] = 0x3 [ 3 ] Protocol Discriminator [4 bits] = 0x7 [ 7 ] MAC = 0x0B4DAFA8 [ 189640616 ] Sequence Number = 0x00 [ 0 ] NAS message = 0x075D010002C0C0 370B4DAFA800075D010002C0C0 DL-DCCH-Message dlInformationTransfer DL-DCCH-Message = message = c1 = dlInformationTransfer = rrc-TransactionIdentifier = 0 criticalExtensions = c1 = dlInformationTransfer-r8 = dedicatedInfoType = dedicatedInfoNAS = 370B4DAFA800075D010002C0C0 080069B85A6D7D40003AE80800160600 Source: 3GPP Conformance Test 8.1.2.1
  43. 43. LTE Security Signaling – NAS Security 2 ©3G4G UL-DCCH-Message ulInformationTransfer UL-DCCH-Message = message = c1 = ulInformationTransfer = criticalExtensions = c1 = ulInformationTransfer-r8 = dedicatedInformationType = dedicatedInfoNAS = 4794E585C000075E 480108F29CB0B80000EBC0 Security Protected NAS Message Security Protected NAS Message PDU Security header type [4 bits] = 0x4 [ 4 ] Protocol Discriminator [4 bits] = 0x7 [ 7 ] MAC = 0x94E585C0 [ 2498069952 ] Sequence Number = 0x00 [ 0 ] NAS message = 0x075E [ 1886 ] 4794E585C000075E Security Mode Complete Security Mode Complete PDU Security header type [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x7 [ 7 ] Message Type [8 bits] = 0x5E - Security Mode Complete [ 94 ] 075E Security header type (octet 1) 8 7 6 5 0 0 0 0 Plain NAS message, not security protected Security protected NAS message: 0 0 0 1 Integrity protected 0 0 1 0 Integrity protected and ciphered 0 0 1 1 Integrity protected with new EPS security context (NOTE 1) 0 1 0 0 Integrity protected and ciphered with new EPS security context (NOTE 2) Non-standard L3 message: 1 1 0 0 Security header for the SERVICE REQUEST message 1 1 0 1 These values are not used in this version of the protocol. to If received they shall be interpreted as '1100'. (NOTE 3) 1 1 1 1 All other values are reserved. NOTE 1: This codepoint may be used only for a SECURITY MODE COMMAND message. NOTE 2: This codepoint may be used only for a SECURITY MODE COMPLETE message. NOTE 3: When bits 7 and 8 are set to '11', bits 5 and 6 can be used for future extensions of the SERVICE REQUEST message. Table 9.3.1: Security header type 3GPP TS 24.301 V10.10.0 (2013-03) Source: 3GPP Conformance Test 8.1.2.1
  44. 44. LTE Security Signaling – RRC Security ©3G4G DL-DCCH-Message securityModeCommand DL-DCCH-Message = message = c1 = securityModeCommand = rrc-TransactionIdentifier = 0 criticalExtensions = c1 = securityModeCommand-r8 = securityConfigSMC = securityAlgorithmConfig = cipheringAlgorithm = eea0 integrityProtAlgorithm = eia1 300010 PDCPDataReqPDU PLANE = 1 (Control) SeqNum = 3 Data Packet = 30 00 10 65 3E 8C... 03300010653E8C00 PDCPDataIndPDU PLANE = 1 (Control) SeqNum = 4 Data Packet = 28 00 CC E1 31 D1 042800CCE131D1 UL-DCCH-Message securityModeComplete UL-DCCH-Message = message = c1 = securityModeComplete = rrc-TransactionIdentifier = 0 criticalExtensions = securityModeComplete-r8 = 2800 Source: 3GPP Conformance Test 8.1.2.1
  45. 45. Mapped Security (Applicable for PS Only) ©3G4G 1. No need for Authentication 2. Map security keys from previous Authentication LTE2G/3G HLR/HSS/AuC DATA Logic 1. Performs Authentication 2. Performs security Handover or Cell Re-selection ‘Native’ UTRAN to ‘Mapped’ E-UTRAN
  46. 46. Mapped Security (Applicable for PS Only) ©3G4G ‘Native’ E-UTRAN to ‘Mapped’ UTRAN 1. No need for Authentication 2. Map security keys from previous Authentication LTE2G/3G HLR/HSS/AuC DATA Logic 1. Performs Authentication 2. Performs security Handover or Cell Re-selection More details
  47. 47. Security Architecture Evolution ©3G4G Core Network MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC GSM Handset Authentication Ciphering (AN CP, UP) GPRS Handset Authentication + Ciphering (AN CP, UP) UMTS Mutual Authentication Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC) LTE Mutual Authentication Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC) IPSec (Optional) Ciphering (NAS) + Signalling Integrity (NAS) AN – Access Network AS – Access Stratum RRC – Radio Resource Control NAS – Non-Access Stratum CP – Control Plane UP – User Plane IPSec (Optional)
  48. 48. Summary of Algorithms for 2G, 3G & 4G ©3G4G GSM GPRS UMTS LTE Authentication Algorithms GSM Milenage GSM Milenage Milenage TUAK Milenage TUAK Integrity Algorithms UIA0 – NULL UIA1 – Kasumi UIA2 – Snow3G EIA0 – NULL EIA1 – Snow3G EIA2 – AES EIA3 – ZUC Ciphering Algorithms A5/1 A5/2 A5/3 A5/4 GEA3 GEA4 UEA0 - NULL UEA1 – Kasumi UEA2 – Snow3G EEA0 – NULL EEA1 – Snow3G EEA2 – AES EEA3 – ZUC GSM Milenage - 3GPP TS 55.205, Milenage - 3GPP TS 35.206, TUAK - 3GPP TS 35.231, A5/3 & GEA3 - 3GPP TS 55.216, A5/4 & GE4 - 3GPP TS 55.226 For other specifications see GSMA Security Algorithms
  49. 49. Further Reading Material ©3G4G • 3GPP: Confidentiality Algorithms • GSMA: Security Algorithms • Netmanias • LTE Security I: Concept and Authentication • LTE Security II: NAS and AS Security • 3G4G Website • GSM, GPRS and EDGE • 3G/UMTS Tutorials • 3GPP LTE/SAE • Security in Mobile Cellular Systems • EventHelix: • GSM, LTE, UMTS and IMS Call Flows • LTE Security: Encryption and Integrity Protection Call Flows
  50. 50. Hacking: Papers, Talks, Materials ©3G4G • The SS7 flaws that allows hackers to snoop on your calls and SMS • Video: LTE & IMSI Catcher Myths - by Ravishankar Borgaonkar & Altaf Shaik & N. Asokan & Valtteri Niemi & Jean-Pierre Seifert • Video: Understanding IMSI Privacy - By Ravishankar Borgaonkar and Swapnil Udar • Video: Femtocells: A Poisonous Needle in the Operator's Hay Stack - Ravishankar Borgaonkar, Kevin Redon and Nico Golde • Breaking Band - reverse engineering and exploiting the shannon baseband • Huawei: Security Advisory - UE Measurement Leak Vulnerability in Huawei P8 Phones • LTE protocol exploits – IMSI catchers, blocking devices and location leaks - Roger Piqueras Jover • WiFi-Based IMSI Catcher • ‘Small Cells’ and the City • Long Term Exploitation: “Baseband security? 4Get about it.”
  51. 51. 3GPP Specifications ©3G4G • 3GPP TS 33.102: 3G Security; Security architecture • 3GPP TS 33.401: 3GPP System Architecture Evolution (SAE); Security architecture • 3GPP TS 23.401: General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access • 3GPP TS 36.323: E-UTRA; Packet Data Convergence Protocol (PDCP) specification • 3GPP TS 25.331: UTRA RRC Protocol Specification • 3GPP TS 36.331:E-UTRA RRC Protocol specification • 3GPP TS 24.008: Mobile Radio Interface Layer 3 specification; Core Network Protocols; Stage 3 • 3GPP TS 24.301: Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3
  52. 52. Thank You To learn more, visit: 3G4G Website – http://www.3g4g.co.uk/ 3G4G Blog – http://blog.3g4g.co.uk/ 3G4G Small Cells Blog – http://smallcells.3g4g.co.uk/ Operator Watch - http://operatorwatch.3g4g.co.uk/ Follow us on Twitter: https://twitter.com/3g4gUK Follow us on Facebook: https://www.facebook.com/3g4gUK/ Follow us on Linkedin: https://www.linkedin.com/company/3g4g Follow us on Slideshare: https://www.slideshare.net/3G4GLtd Follow us on Youtube: https://www.youtube.com/3G4G5G Follow us on Storify: https://storify.com/3g4gUK ©3G4G

×