
Securing Wireless Cellular Systems


ACM Bangalore Tech Talk - Securing Wireless Cellular Systems

Published in: Technology

  1. Securing Wireless Cellular Systems. Arvind Padmanabhan [email_address], 9th May 2009
  2. Contents
       • Scope
       • Cellular Basics
       • Security Goals
       • Elements of Security
       • Protocol Procedures
       • Algorithmic Background
       • GSM Flaws & Solutions
       • Implementation Challenges
       • Conclusion
       • References
  3. Scope
  5. Cellular Basics – GSM Protocol Stack, Control Plane (diagram labels: MS, BTS, BSC, MSC/VLR)
  6. Cellular Basics – GPRS Protocol Stack, Control Plane
  7. Cellular Basics – UMTS Protocol Stack, Control Plane
  8. Security Threats
       • Eavesdropping
       • Spoofing – mobile phishing
       • Denial of service
       • Hacking into Core Network
       • Theft of SIM
       • Theft of mobile phone
       • Employees, partners, sub-contractors
       • Viruses, worms, trojans
  9. Security Goals
       • User identity confidentiality
       • User location confidentiality
       • User untraceability
       • User authentication
       • Network authentication
       • Data confidentiality
       • Data integrity
       • Algorithm and key agreement
       • Mobile equipment identification
       • User-to-USIM authentication
       • USIM-Terminal authentication
  10. Security Contexts
       • User-SIM context
       • Air interface context
       • RAN-CN context
       • CN context
       • Authentication context
       • Application context
  11. What is AKA?
       • AKA is also known as Authentication and Key Agreement
            • Network authenticates the subscriber
            • Subscriber authenticates the network (not in GSM)
            • Both parties agree on the keys to use for data confidentiality and data integrity
       • Diagram labels: USIM, AuC
  12. GSM AKA (diagram: Mobile Station with SIM and GSM Operator on either side of the Radio Link, each side showing Ki, A3, A8 and A5)
       • Challenge RAND
       • Signed response (SRES)
       • Authentication: are SRES values equal?
       • Other labels: Kc, Fn, mi, Encrypted Data
  13. AKA Overview
  14. Location Update Procedure
       • Get CKSN from SIM
       • Get Auth Vector from AuC
       • Invoke SIM calculations
       • Secure data exchange
  15. Incoming Call
  16. RRC Security Procedure
  17. Security Procedure at UE RRC
  18. Change of Location Area
       • User Identity Request
       • User Identity Response
       • Security context is transferred from the old VLR/SGSN to the new VLR/SGSN
  19. Authenticated Session Lifetime (flowchart)
       • START < THRESHOLD?
            • Yes: Session is valid. Keys can be re-used.
            • No: Keys have reached their end of life. Set START as invalid. Set CKSN/KSI as invalid.
       • Notes on the diagram: Updated when RRC connection is released. Fixed by the operator. Stored on SIM/USIM.
  20. Updating the START Value
       • START' = MSB20 ( MAX {COUNT-C, COUNT-I | radio bearers and signalling radio bearers using the most recently configured CK and IK}) + 2
       • Once updated, it is saved into SIM/USIM and deleted from the mobile
  21. Counter Check Procedure
       • Check does not involve Core Network
       • Prevent “man-in-the-middle” attacks
       • RRC will query RLC for COUNT-C values
       • RRC will include mismatches in its response
       • UTRAN may release RRC connection
  22. Indicating Current CKSN/KSI
       • This field is indicated by UE MM/GMM in the following messages:
            • LOCATION UPDATING REQUEST
            • CM SERVICE REQUEST
            • PAGING RESPONSE
            • CM RE-ESTABLISHMENT REQUEST
       • This field is indicated by UE GMM in the following messages:
            • ROUTING AREA UPDATE REQUEST
            • SERVICE REQUEST
            • ATTACH REQUEST
  23. Deriving Ciphering and Integrity Counters (diagram labels: START (20 bits), USIM, RRC, RLC-TM, RLC-UM, RLC-AM)
  24. Ciphering Data
  25. Data Integrity
       • Additional protection within the same authentication session
  26. Transmission of Signalling Content (diagram labels: Signalling Content, RRC SN, MAC, RB ID, Message, f9, f8)
  27. Integrity Exceptions
       • Integrity is not applied for:
            • HANDOVER TO UTRAN COMPLETE
            • PAGING TYPE 1
            • PUSCH CAPACITY REQUEST
            • PHYSICAL SHARED CHANNEL ALLOCATION
            • RRC CONNECTION REQUEST
            • RRC CONNECTION SETUP
            • RRC CONNECTION SETUP COMPLETE
            • RRC CONNECTION REJECT
            • RRC CONNECTION RELEASE (CCCH only)
            • SYSTEM INFORMATION
            • SYSTEM INFORMATION CHANGE INDICATION
            • TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)
  28. Generating the Quintet
  29. USIM Security Execution
       • Resynchronization procedure exists in the USIM and HLR/AuC
       • Diagram label: Secret Key
  30. AKA for GSM Subscribers
       • 3G phone with GSM SIM connecting to UTRAN
       • 3G phone with GSM SIM connecting to GSM
  31. AKA for UMTS Subscribers
       • 2G phone with USIM connecting to GSM & R98- VLR/SGSN
       • 3G phone with USIM connecting to GSM & R98- VLR/SGSN
  32. Security Service Summary
  33. GSM Handover
       • Intra-BSC HO
            • Nothing to be done
       • Inter-BSC & Intra-MSC HO
            • BSC informs MSC that HO is required
            • MSC commands target BSC and passes on security context
       • Inter-MSC HO
            • Same as above except that current MSC informs target MSC to initiate HO to target cell
  34. UMTS to GPRS Cell Reselection
  35. Algorithmic Background – Cipher Types
       • Symmetric cipher: shared secret key
            • Stream cipher (OTP)
            • Block cipher (DES, Triple-DES, AES, RC2)
                 • Block ciphers can be used as stream ciphers
                 • Modes of operation: ECB, CBC, PCBC, CFB, OFB, CTR
  36. Algorithmic Background – Cipher Types
       • Asymmetric cipher (Diffie-Hellman, RSA, DSA, ECC-based ciphers)
            • Private key
            • Public key
       • One-way hash (MD5, SHA-1, SHA-2, Triple-DES)
  37. GSM Security Flaws – 1
       • Weak algorithms – cracked long ago
            • COMP128 was used: this is a keyed hash function generating a 96 bit digest
            • Fault with operators in using COMP128
            • A3 and A8 based on COMP128
            • Kc is only 54 bits
            • COMP128-2, COMP128-3 developed but these are not public: Security Through Obscurity just doesn’t work
            • Stream ciphers A5/1 and A5/2 cracked in 1999 in hours: A5/3 used KASUMI
            • In 2002, IBM developed new methods to crack Kc: using side channels, can crack in only 8 queries!
            • COMP128-4 is based on AES
  38. GSM Security Flaws – 2
       • Same basic algorithm is used to generate both SRES and Kc
       • No integrity on signalling data
       • No network authentication
       • Encryption does not extend far into the network
       • Microwave links not protected by operators – Kc could be read easily
  39. UMTS Algorithms
       • KASUMI
            • Design authority: ETSI SAGE
            • Based on the block cipher MISTY (Mitsubishi)
            • KASUMI is the Japanese for “MIST”
            • f8 and f9 are based on KASUMI
       • Changes made to aid hardware implementation
       • Keys are 128 bits long
       • No known hacks exist
  40. Comparing GSM & UMTS
       • AuC Generated Vectors
            • 3G: (RAND, XRES, CK, IK, AUTN): quintet
            • GSM/GPRS: (RAND, SRES, Kc): triplet
       • Algorithms & Converters
            • 3G: f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f1*, f5*, c1, c2, c3
            • GSM/GPRS: A3, A5/[1,2,3] [1], GEA[1,2,3] [1], A8, c4, c5
       • Ciphering inputs
            • 3G: CK, RB ID, COUNT-C, DIRECTION
            • GSM/GPRS: GSM: Kc, COUNT, slot number; GPRS: Kc, LLC-based INPUT, DIRECTION; VBS/VGCS: group key no.
       • Activation
            • 3G: ActivationTime
            • GSM/GPRS: Immediate/Handshaking
       • Synchronization & Key Reuse
            • 3G: KSI, START
            • GSM/GPRS: CKSN
       • Integrity
            • 3G: Yes
            • GSM/GPRS: No
       • [1] A5/3 and GEA3 are based on KASUMI
  41. Implementation Challenges
       • Hardware or software?
       • Rarely matters at the network end.
       • Matters a lot to the mobile.
  42. Performance of f8 and f9 - 1
  43. Performance of f8 and f9 - 2
  44. SW Optimization of f8 and f9
       • Convert 16-bit to 32-bit operations on ARM
            • Single instruction instead of 2 or 4
            • 15% faster
       • Using non-static memory for sub-keys
            • Avoid ARM’s LDR instruction
            • Use structures and pass pointers to functions
            • 5% faster
       • Key scheduling only when CK and IK change
            • 3.5 KB increased memory
            • 60% faster
       • Optimizing FI with table lookups
            • Not recommended since memory usage increases by 256 KB
            • Estimated to give 50% improvement in the best case if tables are cached but not practical
  45. End-to-End Security
       • Beyond the scope of cellular systems
       • IPSec
       • Firewall
       • VPN
       • Public Key Infrastructure (PKI) & Digital Certificates
       • MAC on files for download
  46. Conclusion
       • Current GSM networks are far more secure than early ones
       • UMTS improves on GSM security
       • Inter-working between UMTS and GSM still has implementation issues
       • Constant innovation – anything secure today is not likely to be secure tomorrow
       • User has the responsibility to protect his/her SIM/USIM
  47. Standards (Release 99)
       • Technical specifications
            • TS 21.133 Security threats and requirements
            • TS 22.022 Personalisation of Mobile Equipment (ME)
            • TS 33.102 Security architecture
            • TS 33.103 Integration guidelines
            • TS 33.105 Cryptographic algorithm requirements
            • TS 33.106 Lawful interception requirements
            • TS 33.107 Lawful interception architecture
            • TS 33.120 Security principles and objectives
            • TS 35.20x Access network algorithm specifications
       • Technical reports
            • TR 33.900 Guidelines for 3G security
            • TR 33.901 Criteria for algorithm design
            • TR 33.902 Formal analysis of authentication
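
The START handling on slides 19, 20 and 23, as an added example that is not part of the original deck: it seeds a counter from START, recomputes START' when the RRC connection is released, and applies the THRESHOLD test so that a CK/IK pair is never used with a repeated counter value. The 32-bit counter width, the `usim` structure, the clamp at the 20-bit maximum and the use of START == THRESHOLD to mean "invalid" are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define START_MAX 0xFFFFFu            /* START is 20 bits (slide 23) */

/* Slide 23: START seeds COUNT-C and COUNT-I. Assumption (3GPP TS 33.102,
   not on the slides): counters are 32 bits and START becomes their 20
   most significant bits, all remaining bits starting at zero. */
uint32_t count_init(uint32_t start) { return (start & START_MAX) << 12; }

/* Slide 20: START' = MSB20(MAX{COUNT-C, COUNT-I}) + 2 over the bearers
   that used the current CK and IK. Clamping at the 20-bit maximum is a
   choice of this example so the result cannot wrap to a small value. */
uint32_t start_update(const uint32_t *counts, size_t n) {
    uint32_t max = 0;
    for (size_t i = 0; i < n; i++)
        if (counts[i] > max) max = counts[i];
    uint32_t s = (max >> 12) + 2;
    return s > START_MAX ? START_MAX : s;
}

/* Hypothetical model of the values kept on the SIM/USIM. */
struct usim { uint32_t start, threshold; int ksi_valid; };

/* Slide 19, run when the RRC connection is released. Returns 1 while
   START < THRESHOLD (keys reusable); otherwise invalidates START and the
   KSI so that the next connection needs a fresh AKA run. */
int on_rrc_release(struct usim *u, const uint32_t *counts, size_t n) {
    uint32_t s = start_update(counts, n);
    if (s > u->start) u->start = s;   /* START never moves backwards */
    if (u->start < u->threshold) return 1;
    u->start = u->threshold;          /* assumption: marks START invalid */
    u->ksi_valid = 0;
    return 0;
}

int main(void) {
    /* Constructed counters: one COUNT-C and one COUNT-I. */
    uint32_t counts[] = { 0x00123456u, 0x0012A00Fu };
    struct usim u = { 0x100u, 0x80000u, 1 };
    int ok = on_rrc_release(&u, counts, 2);
    printf("START=0x%05X valid=%d next COUNT=0x%08X\n",
           (unsigned)u.start, ok, (unsigned)count_init(u.start));
    return 0;
}
```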
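
The UE side of the counter check on slide 21, as an added example that is not part of the original deck: RRC compares its per-bearer COUNT-C values with the network's view and returns only the bearers that disagree. The `rb_count` structure, the sample counters and the 25-bit comparison width (taken from 3GPP TS 25.331, not from the slide) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* COUNT-C pair for one radio bearer, as RRC obtains it from RLC. */
struct rb_count { uint8_t rb_id; uint32_t ul, dl; };

/* Assumption (3GPP TS 25.331, not stated on the slide): only the 25 most
   significant bits of each COUNT-C are compared, so sequence numbers
   still in flight do not raise false alarms. */
static uint32_t msb25(uint32_t count) { return count >> 7; }

/* UE-side check. `net` is the network's view and `ue` the local view of
   the same bearers; any bearer whose uplink or downlink MSBs differ is
   copied, with the UE's full values, into `resp`. Returns the number of
   mismatches; the network may release the connection if it is non-zero. */
size_t counter_check(const struct rb_count *net, size_t n_net,
                     const struct rb_count *ue, size_t n_ue,
                     struct rb_count *resp) {
    size_t out = 0;
    for (size_t i = 0; i < n_net; i++)
        for (size_t j = 0; j < n_ue; j++) {
            if (net[i].rb_id != ue[j].rb_id) continue;
            if (msb25(net[i].ul) != msb25(ue[j].ul) ||
                msb25(net[i].dl) != msb25(ue[j].dl))
                resp[out++] = ue[j];
        }
    return out;
}

/* Constructed sample: bearer 5 agrees apart from low-order sequence
   bits; bearer 6 shows more uplink traffic at the UE than the network
   has accounted for. */
static const struct rb_count NET[] = { {5, 0x00012345u, 0x00012300u},
                                       {6, 0x00020010u, 0x00020000u} };
static const struct rb_count UE[]  = { {5, 0x0001237Fu, 0x0001233Fu},
                                       {6, 0x00020410u, 0x00020000u} };

int main(void) {
    struct rb_count resp[2];
    size_t n = counter_check(NET, 2, UE, 2, resp);
    for (size_t i = 0; i < n; i++)
        printf("RB %u mismatch: UL=0x%08X DL=0x%08X\n", (unsigned)resp[i].rb_id,
               (unsigned)resp[i].ul, (unsigned)resp[i].dl);
    return 0;
}
```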