•   GSM security architecture
Temporary identities                                         1G: identification with passwords
      • IMSI (15 digits) is...
GSM AKA Message Flow
                                                                                           A5/1: stre...
Limitations of GSM Security, 3                                 Specific GSM Security Problems

• Lack of confidence in cry...
GPRS (1)                                                                                      GPRS (2)

      Data solutio...
Authentication & Key Agreement (AKA)
       3GPP Security Architecture Overview
General Approach to Algorithm Design                                                                                  Kasu...

• Part on GSM: Klaus Vedder, Security Aspects of
  Mobile Communications, LNCS 741, Springer-
  Verlag, 1993.

• ...
Upcoming SlideShare
Loading in …5



Published on

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Agenda • GSM security architecture • GSM weaknesses • UMTS security architecture • UMTS algorithms Bart Preneel • the future? Katholieke Universiteit Leuven Dept. Electrical Eng.-ESAT/COSIC • not: Bluetooth, IEEE WLAN (802.11) February 2004 1 2 GSM GSM Architecture (1) • 1982 CEPT: Groupe Speciale Mobile • 1989 ETSI: GSM PSTN PDN • GSM Association ( Q1/2004 ISDN BSC GMSC • 620 operators on air (includes 3G) BTS MS • 200 countries • > 1 billion subscribers MSC BTS BSC • Evolution towards 3GPP/3GSM: EIR MS • first services: 2002 in Japan and Q3/2003 in Europe AUC BTS HLR MS VLR 3 4 ME SIM Security threats GSM Architecture • User: MS = ME + SIM • Interception of data on the air interface • Mobile subscriber, Mobile Equiment, Subscriber • data confidentiality Identity Module • anonymity of user • SIM contains IMSI (International Mobile • Illegitimate access to a mobile service Subscriber Identity) • billing • Traffic channels and signalling channels • masquerading • Base station, Base station controller • Security services: • subscriber identity confidentiality • Visitor Location Register • subscriber identity authentication • Home Location Register • user data confidentiality • signalling information confidentiality • Goal: equivalent security to fixed network 5 6 1
  2. 2. Temporary identities 1G: identification with passwords • IMSI (15 digits) is used only for first call, or in exceptional circumstances Hello Bob, I am Alice. OK! My password P is • replaced by TIMSI (5 digits) Xur%9pLr • assigned by VLR, stored with IMSI and location info • sent encrypted to MS • replaced at each location update procedure • TIMSI is forwarded to new VLR Alice Xur%9pLr BUT IMSI •Eve can guess the password EK( TIMSI) •Eve can listen to the channel and learn Alice’s password •Bob needs to know Alice’s secret TIMSI 7 •Bob needs to store Alice’s secret in a secure way 8 Entity authentication in GSM Entity Authentication in GSM (2) challenge response RAND + Eve cannot guess the secret key Ki (128 bits) RAND Ki RAND Ki + Eavesdropping the channel does not help Eve: next time Bob will ask a different question A3 A3 (different challenge RAND) OK! – Bob needs to know Alice’s secret, and needs to SRES SRES store it securely =? – Eve can just wait till the end of the call setup and then….. A3 = MAC algorithm • how to address this problem? AKA e.g. COMP128 9 10 Session Key Derivation Parameter sizes • RAND: 128 bits RAND • Ki: 128 bits RAND RAND Ki Ki • Kc: 64 bits - 10 bits = 54 bits A8 A8 • SRES: 32 bits SRES • plaintext and ciphertext: 114-bit blocks Kc Kc frame frame • A5 (hardware in phone): number number A5 A5 • currently 2 versions A5/1, A5/2 • A5/3 will be deployed soon Ciphertext Plain Plain + • A3/A8 (software in SIM): operator dependent text + text 11 (example COMP128) 12 2
  3. 3. GSM AKA Message Flow A5/1: stream cipher (GSM) 18 0 SIM VLR AuC Distribution of auth. data request triples from Generate 21 0 HLR/AuC Triplets triplets to VLR/SGSN (RAND, XRES, K) RAND Over-the-air authentication 22 Derive K, SRES and key 0 SRES agreement XRES = SRES ? Start using K Start using K Clock control: registers agreeing with 13 majority are clocked (2 or 3) 14 A5/1 and A5/2: stream ciphers Key management A5/1 • exhaustive key search: 2 54 • User keys Ki stored in Authentication Centre • search 2 registers: 245 steps (AuC) • [BD00] 2 minutes of plaintext, 240 steps • generation of user keys Ki: • 238 precomputation, 64 GB storage • from master key, IMSI and some other data • [BWS00] 2 minutes of plaintext: 1 second • randomly, but then stored encrypted under storage key • 2 42 precomputation, 300 GB storage • VLR typically gets only a few triplets (RAND, • [BWS00] 2 seconds of plaintext: 1 minute SRES, Kc) - typically transmitted in clear from • 248 precomputation, 146 GB storage HLR A5/2: similar hardware to A5/2 but deliberately weak 216 steps, known plaintexts for 2 separate frames (6 sec. apart) 15 16 Limitations of GSM Security Limitations of GSM Security, 2 • Problems with GSM security stem by and large • Failure to acknowledge limitations from design limitations on what is protected rather • encryption needed to guard against radio channel hijack than on defects in the security mechanisms • the terminal is an unsecured environment - so trust in themselves the terminal identity is misplaced • only provides access security - communications and • Inadequate flexibility to upgrade and improve signalling in the fixed network portion aren’t protected security functions over time • does not address active attacks, whereby network • Lack of visibility that the security is being applied elements may be impersonated • no indication to the user that encryption is on • designed to be only as secure as the fixed networks to which they connect • no explicit confirmation to the home network that authentication is properly used when customers roam • lawful interception only considered as an after thought 17 18 3
  4. 4. Limitations of GSM Security, 3 Specific GSM Security Problems • Lack of confidence in cryptographic algorithms • Encryption terminated too soon • lack of openness in design and publication of A5/1 • user traffic and signalling in clear on microwave links • misplaced belief by regulators in the effectiveness of • Clear transmission of cipher keys & authentication controls on the export or (in some countries) the use of values within and between networks cryptography • signalling system vulnerable to interception and • key length too short, but some implementation faults impersonation make increase of encryption key length difficult • Confidence in strength of algorithms • need to replace A5/1, but poor design of support for simultaneous use of more than one encryption • failure to choose best authentication algorithms algorithm, is making replacement difficult • improvements in cryptanalysis of A5/1 • ill advised use of COMP 128 (A3) • Use of false base stations 19 20 Some SMS Issues False Base Stations • Used as IMSI Catcher • Early pre-pay phones had free SMS due to lack of for law enforcement billing system integration • Used to intercept • SMS Identity spoofing mobile originated calls • Faked “caller-ID” data • encryption controlled • SMS viruses … crash certain phones by network and user • Badly-formatted binary messages unaware if it is not on • Dynamic cloning risk in networks where encryption is not used 21 22 GSM+ or 2.5G GPRS Architecture • HSCSD High Speed Circuit Switched Data Other GPRS • GPRS General Packet Radio Service PLMN • EDGE Enhanced Data Rate for GSM Evolution Gp GGSN Gn SGSN Gb Gf BSC Gr Gs Gi BTS Gc GGSN PDN EIR D BTS HLR MS MSC/VLR 23 24 4
  5. 5. GPRS (1) GPRS (2) Data solution over GSM networks • GSM operators become ISPs • immature products Mobile devices are IP enabled • inadequate procedures • “Egg-shell”-type networks • device security not considered • no vendors are implementing handset lockout for GPRS-only • GGSN Gateway GPRS Support Node handsets • limited filtering/firewalls • no user segregation • standard UNIX variants without hardening • GPRS mobile equipment weaknesses • Operation & Management Network • risk for flawed SMS clients and PC clients • service both GPRS and bearer networks • storage of GPRS/WAP credentials in clear on the SIM • connect to corporate networks • no means of synchronization: problem for logs 25 26 UMTS: the terminals Principles for 3G Security • Build on the security of GSM • adopt the security features from GSM that have proved to be needed and robust • try to ensure compatibility with GSM in order to ease inter-working and handover • Correct the problems with GSM by addressing its real and perceived security weaknesses • Add new security features • as are necessary to secure new services offered by 3G • to take account of changes in network architecture 27 28 Building on GSM Security - Architecture Building on GSM Security, 2 UE AN CN External Networks MSC SCF • Remain compatible with GSM network E, G GMSC architecture BSS SIM MT Um BTS Abis BSC A MSC D • User authentication & radio interface encryption H ISDN HLR AUC Iu F PSTN PSPDN • SIM used as security module SMS- CSPDN EIR Gr GMSC PDN: • removable hardware -Intranet RNS Gb USIM Cu ME Uu BS Iub Gf SMS- IWMSC -Extranet -Internet • terminal independent RNC Iu SGSN Gn+ GGSN • management of all customer parameters Iur Gd, RNS Gp, • Operates without user assistance USIM Cu ME Uu BS Iub Gn+ Note: RNC SGSN Not all interfaces • Requires minimal trust in serving network shown and named UTRAN 29 30 5
  6. 6. Authentication & Key Agreement (AKA) 3GPP Security Architecture Overview Protocol Objectives Application • Authenticate user to network & network to user IV. stratum User Application Provider Application • Establish a cipher key CK (128 bit) & an integrity key IK (128 bit) I. I. Home III. TE USIM HE/AuC stratum/ • Assure user and network that CK/IK have not Serving I. I. SN/ II. Stratum been used before VLR/ I. SGSN Transport stratum I. Network access security • Authenticated management field HE ? USIM II. Provider domain security MT AN III. User domain security IV. Application security • authentication key and algorithm identifiers • limit CK/IK usage before USIM triggers a new AKA 31 32 AKA Prerequisites AKA Variables and Functions RAND = random challenge generated by AuC • AuC and USIM share XRES = f2K (RAND) = expected user response computed by AuC RES = f2K (RAND) = actual user response computed by USIM • user specific secret key K CK = f3K (RAND) = cipher key • message authentication functions f1, f1*, f2 IK = f4K (RAND) = integrity key • key generating functions f3, f4, f5 AK = f5K (RAND) = anonymity key • AuC has a random number generator SQN = sequence number AMF = authentication management field • AuC has scheme to generate fresh sequence MAC = f1K (SQN || RAND || AMF) = message authentication code numbers computed over SQN, RAND and AMF • USIM has scheme to verify freshness of received AUTN = SQN? AK || AMF || MAC = network authentication token, concealment of SQN with AK is optional sequence numbers Quintet = (RAND, XRES, CK, IK, AUTN) 33 34 UMTS AKA Message Flow Length of AKA Cryptographic Parameters VLR or USIM SGSN AuC • K 128 bits Distribution of auth. data request • RAND 128 bits quintets from Generate HLR/AuC Quintets quintets • RES 32-128 bits to VLR/SGSN (RAND, XRES, CK, IK, AUTN) • CK 128 bits RAND, AUTN Over-the-air • IK 128 bits Verify MAC, SQN authentication Derive CK, IK, RES RES and key • AUTN 128 bits agreement • SQN Sequence number 48 bits XRES = RES ? • AMF Authentication management field 16 bits Start using CK, IK Start using CK, IK • MAC Message authentication code 64 bits 35 36 6
  7. 7. General Approach to Algorithm Design Kasumi • Robust approach to exportability - full strength • Simpler key schedule than • Stream ciphering f8 uses algorithm and expect agencies to fall into line MISTY Kasumi in a form of • ETSI SAGE appointed as design authority • Additional functions to output feedback, but with: complicate cryptanalysis • BLKCNT added to prevent • Take existing algorithm as starting point cycling without affecting provable • Use block cipher as building block for both • initial extra encryption security aspects added to protect against algorithms - MISTY1 chosen (64-bit block) • Changes to improve chosen plaintext attack and • fairly well studied, some provable security aspects statistical properties collisions • parameter sizes suitable • Minor changes to speed up • Integrity f9 uses Kasumi • designed to be efficient in hardware and software or simplify hardware to form CBC MAC with: • goal: < 10.000 gates / 2 • non-standard addition of • offered by Mitsubishi free from royalty payments Mbit/s 2nd feedforward 37 38 Choice of algorithms Other Aspects of 3GPP Security • Options in AKA for sequence • User-USIM, USIM-terminal & • Mobile phone: KASUMI in hardware for management USIM - network (SAT) • Re-authentication during a • Terminal (identity) security encryption and MAC calculation (standard for all connection and periodic in-call • Lawful interception operators) • Failure procedures • Fraud information gathering • Interoperation with GSM • Network wide encryption (R00) • AKA+ and interoperation with • Location services security • USIM card: operator specific algorithm for f1 3GPP2 standards • Access to user profiles through f5 • Formal analysis of AKA • Mobile IP security (R00+) • example is MILENAGE, based on • User identity confidentiality • Provision of a standard and enhanced user identity authentication and key Rijndael/AES confidentiality (R00) generation algorithm for • operators inclined to design their own • User configurability and operators who do not wish to visibility of security features produce their own algorithms 39 40 Identification in future mobile systems References to 3GPP Security fixed public Principles, objectives and requirements Technical reports key ? y • TS 33.120 Security principles and objectives • TR 33.900 A guide to 3G security • TR 33.901 Criteria for cryptographic ?x • TS 21.133 Security threats and algorithm design process requirements • TR 33.902 Formal analysis of the 3G Architecture, mechanisms and algorithms authentication protocol • TS 33.102 Security architecture • TR 33.908 General report on the r || h2(K || r || B) || T B || certB • TS 33.103 Integration guidelines design, specification and evaluation of K := h1(? xy || r) 3GPP standard confidentiality and • TS 33.105 Cryptographic algorithm integrity algorithms requirements Algorithm specifications • TS 22.022 Personalisation of mobile equipment • Specification of the 3GPP EK{SigA (h3(? x || ? y || r || B|| T B ||)) || certA } confidentiality and integrity algorithms Lawful interception • Document 1: f8 & f9 • TS 33.106 Lawful interception ? SigA • Document 2: KASUMI requirements • Document 3: implementors’ test data • TS 33.107 Lawful interception • Document 4: design conformance test architecture and functions data [+] No need for Bob to know Alice’s secret 41 42 7
  8. 8. Credits • Part on GSM: Klaus Vedder, Security Aspects of Mobile Communications, LNCS 741, Springer- Verlag, 1993. • Part on 3GPP is based on: Mike Walker, On the security of 3GPP networks, invited talk at Eurocrypt 2000, May 2000, Bruges, Belgium. 43 8