Kumar gunjan 20160213 mobile communication security
1. Mobile Communication and its Security Analysis
by K Gunjan

2. Agenda
• evolution of mobile communication
• 1G technology
• 2G technology
• GSM architecture
• GSM channels
• SIM
• sharing spectrum
• authentication and encryption scheme
• GSM calling sequence
• GSM called sequence
• security issues
3. Evolution of Mobile Comm
Ancient times: light for communication, e.g. ships, beacons
150 BC: smoke signals (colour/strength)
1794: optical telegraphy
1877: first wireline telephone
1895: wireless telegraphy
1915: wireless voice transmission (AM)
1928: TV broadcast
1933: FM patented; FM radios in the 1950s

4. Evolution of Mobile Comm
1946: mobile telephone introduced
System: MTS (Mobile Telephone Service)
Device weight: 36 kg
Bell System, used in St. Louis
Calls set up by an operator; only 3 channels for the whole metro area

5. 1960: Bell Labs -> cellular concept
1970: mobile user <=> PSTN
System: IMTS (Improved Mobile Telephone Service)
Reduced size and weight
No operator setup needed
32 channels across 3 bands, 450-470 MHz

6. Other wireless systems:
Push to talk (PTT)
AMTS (Advanced Mobile Telephone System)
etc.
These were also called mobile radio systems
7. 1G technology
=> Deployed in the early 1980s (not the 1990s; the 1990s are when 2G arrived)
1. AMPS (Advanced Mobile Phone System): developed and deployed in the USA
2. NMT (Nordic Mobile Telephone): developed and deployed in the Scandinavian countries
3. TACS (Total Access Communication System): developed in the UK, deployed in Europe

8. 1G technology
All analog
FDMA + FM
Only voice
Poor voice quality
Poor battery life
Large phone size
Poor handoff reliability
No roaming, even between two networks of the same technology

9. 1G technology: no security
• Analog FM with no encryption, so there is no confidentiality: any FM receiver tuned to the channel can listen in on a conversation
• Subscriber identities are also sent in the clear: anyone could collect a large database of identities by driving around with a receiver, then go into business reprogramming stolen phones with those identities and reselling them (cloning)
• Airtime theft was also reported
10. 2G technology
Deployed in the early 90s
Three popular systems: GSM, D-AMPS and cdmaOne/IS-95
Digital systems
SMS
MMS (multimedia messages)
Data service: GPRS (64 kbps)
Roaming
Provision for voice encryption
Better security

11. GSM
GSM is the most popular 2G technology
Developed in Europe, standardised by European bodies
Low data rate: 9.6 kbps (circuit-switched data)
Higher data rates on the 2G network:
GPRS (General Packet Radio Service), 2.5G: 171 kbps peak (about 50 kbps in practice)
EDGE (Enhanced Data Rates for GSM Evolution), 2.75G: 473.6 kbps peak (about 100 kbps in practice)

12. GSM
New network elements required to achieve the higher data rates:
Serving GPRS Support Node (SGSN): the SGSN handles all packet-switched data within the network and is responsible for authentication and tracking of the users. For packet data it performs the role the MSC performs for voice traffic.
Gateway GPRS Support Node (GGSN): the GGSN is the interface from the GSM/GPRS network to external networks. The GGSN is also responsible for allocating IP addresses.
13. GSM architecture (diagram of service-layer elements)
Service provisioning & billing/CRM; CDR (call detail record) archive; CRBT (caller ring-back tone) system; USSD gateways; STP (signalling transfer point); MNP (mobile number portability) database; USAU; SMP; voucher centres; OMC (operations and maintenance centre)

14. Architecture from the network perspective (diagram)
MPLS, routers, E1s, STP

15. GSM links (diagram)

16. Motivation
Understand it & look for CIA (confidentiality, integrity, availability)

17. GSM architecture (diagram)

18. GSM protocol stack (diagram)

19. GSM protocol stack (diagram)

20. Sharing spectrum
GSM uses TDMA & FDMA: carriers spaced 200 kHz apart (FDMA), each carrier divided into 8 timeslots (TDMA)

21. Sharing spectrum (diagram)

22. GSM channels (diagram)

23. GSM channels (diagram)
24. Subscriber Identity Module (SIM)
Smart card: a single-chip computer containing an OS, a file system and applications
Protected by a PIN
Owned by the operator (i.e. trusted by the operator)
SIM applications can be written with the SIM Toolkit
Contains the PIN, Ki and Kc
Contains the A3 and A8 algorithms (A5 is implemented in the handset, not on the card)

25. Authentication and Encryption Scheme (diagram)
Mobile Station (SIM) | radio link | GSM operator
Both sides hold the same Ki; both run A3 and A8, and both ends of the radio link run A5.
Operator -> MS: challenge RAND (128 bit)
MS (SIM): SRES = A3(Ki, RAND) (32 bit); Kc = A8(Ki, RAND) (64 bit)
MS -> operator: signed response SRES
Operator: computes its own SRES and Kc. Authentication: are the SRES values equal?
Ciphering: mi -> A5(Kc, Fn) -> encrypted data over the radio link -> A5(Kc, Fn) -> mi, where Fn is the TDMA frame number
26. Authentication and Encryption Scheme
• A3 input: 128-bit RAND random challenge, 128-bit Ki (the subscriber's secret key, shared only between the SIM and the operator)
• A3 output: 32-bit SRES signed response
• A8 input: 128-bit RAND random challenge, 128-bit Ki
• A8 output: 64-bit cipher key Kc, used by A5
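The exchange of slides 25 and 26, simulated end to end as an added example (not code from the original slides). The operator-specific A3/A8 and the A5 stream cipher are not implemented: an HMAC stands in for A3/A8 and a hash-derived keystream stands in for A5, so only the protocol structure is faithful (who holds Ki, what crosses the radio link, how SRES is checked and Kc put to use). The IMSI, Ki and frame number are constructed sample values. The last part shows the property the slides' diagram implies but does not state: the MS answers any RAND from any base station, because GSM authenticates only the subscriber, never the network.

```python
import hashlib
import hmac
import os

SRES_LEN = 4   # A3 output: 32-bit signed response
KC_LEN = 8     # A8 output: 64-bit cipher key


def a3a8_stand_in(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8 (assumption: NOT COMP128 or any real
    operator algorithm). Inputs are the 128-bit Ki and 128-bit RAND; the
    32-bit SRES and the 64-bit Kc are sliced from a keyed hash."""
    assert len(ki) == 16 and len(rand) == 16
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:SRES_LEN], out[SRES_LEN:SRES_LEN + KC_LEN]


def a5_stand_in(kc: bytes, fn: int, data: bytes) -> bytes:
    """Stand-in for A5 (assumption: not A5/1). A stream cipher keyed by Kc and
    the TDMA frame number Fn; XOR is symmetric, so one call encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(kc + fn.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SIM:
    """Holds Ki and runs A3/A8; Ki never leaves the card."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3a8_stand_in(self._ki, rand)


class MobileStation:
    def __init__(self, sim: SIM):
        self.sim, self.kc = sim, None

    def authentication_request(self, rand: bytes) -> bytes:
        # MS side of AUTHENTICATION REQUEST: SRES goes back over the air, Kc stays in the handset.
        # There is no check on who sent RAND: the MS cannot authenticate the network.
        sres, self.kc = self.sim.run_gsm_algorithm(rand)
        return sres

    def send_burst(self, fn: int, plaintext: bytes) -> bytes:
        return a5_stand_in(self.kc, fn, plaintext)   # A5 runs in the handset


class Network:
    """MSC/VLR backed by an AuC that holds Ki per IMSI."""
    def __init__(self):
        self._auc, self.kc = {}, {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._auc[imsi] = ki

    def authenticate(self, ms: MobileStation) -> bool:
        rand = os.urandom(16)                                  # fresh 128-bit challenge
        expected_sres, kc = a3a8_stand_in(self._auc[ms.sim.imsi], rand)
        sres = ms.authentication_request(rand)                # RAND down, SRES up
        if not hmac.compare_digest(sres, expected_sres):
            return False                                       # SRES values differ: reject
        self.kc[ms.sim.imsi] = kc                              # CIPHER MODE COMMAND would follow
        return True

    def receive_burst(self, imsi: str, fn: int, ciphertext: bytes) -> bytes:
        return a5_stand_in(self.kc[imsi], fn, ciphertext)


def demo() -> dict:
    imsi = "404011234567890"                                   # constructed sample IMSI
    ki = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")    # constructed sample Ki
    net = Network()
    net.provision(imsi, ki)
    genuine = MobileStation(SIM(imsi, ki))
    cloned = MobileStation(SIM(imsi, bytes(16)))              # same IMSI, wrong Ki

    ok_genuine = net.authenticate(genuine)                    # SRES matches
    ok_cloned = net.authenticate(cloned)                      # SRES differs: rejected

    fn = 0x1234                                                # constructed frame number
    ciphertext = genuine.send_burst(fn, b"HELLO")
    decrypted = net.receive_burst(imsi, fn, ciphertext)

    # A rogue base station that knows no Ki still obtains an SRES: one-way authentication.
    sres_to_rogue = genuine.authentication_request(os.urandom(16))
    return {"genuine": ok_genuine, "cloned": ok_cloned,
            "decrypted": decrypted, "rogue_got_sres": len(sres_to_rogue) == SRES_LEN}


if __name__ == "__main__":
    print(demo())
```

The clone fails because SRES depends on Ki, which it does not have; the rogue base station succeeds in extracting an SRES because nothing in the scheme lets the handset verify the challenger, which is the gap the fake-base-station and man-in-the-middle attacks listed at the end of the deck rely on.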
27. GSM Basic Call Sequence
The flows for the calling MS and the called MS are independent. The calling party's flow begins with the channel request and ends with completion of the TCH assignment. In general it comprises the following stages: access, authentication and ciphering, and TCH assignment. We take the mobile-to-land sequence as the example and concentrate on the calling party.
28-39. Mobile to Land Sequence (the slides build one diagram step by step; consolidated here)
Entities: MS, BSS, MSC, VLR, HLR, PSTN
1. MS -> BSS: CHANNEL REQUEST <RACH>; BSS -> MS: DCCH ASSIGN <AGCH>; signalling link established on <SDCCH>
2. MS -> MSC: REQ. FOR SERVICE <SDCCH>; BSS <-> MSC: CR / CC (SCCP connection request / connection confirm)
3. MSC <-> MS: AUTHENTICATION (RAND/SRES); SET CIPHER MODE
4. MS -> MSC: SET-UP <SDCCH> with the call info; MSC <-> VLR: SFOC (Send Info For Outgoing Call)
5. MSC -> MS: EQUIP. ID REQ. (IMEI check)
6. VLR -> MSC: COMPLETE CALL; MSC -> MS: CALL PROCEEDING <SDCCH>
7. MSC -> MS: ASSIG. COMMAND <SDCCH>; MS -> MSC: ASSIG. COMPLETE <FACCH>; MSC <-> PSTN: circuit seized
8. MSC -> PSTN: Initial and Final Address Message (IFAM); PSTN -> MSC: Address Complete (ACM); MSC -> MS: Alerting <FACCH>; MS hears the ring tone from the land phone
9. PSTN -> MSC: Answer (ANS); MSC -> MS: Connect <FACCH>; ring tone stops
10. MS -> MSC: Connect Acknowledge <FACCH>; speech on <TCH>: HELLO!; BILLING STARTS
48. GSM Basic Call Sequence
For the called party, the flow begins when the MSC sends the paging command to the called party and ends when the two parties start talking. In general this call flow includes the following stages: access, authentication and ciphering, TCH assignment, talking, and release.

49-50. Land to Mobile Sequence
Entities: MS, BSS, MSC, VLR, HLR, GMSC, PSTN
1. PSTN -> GMSC: Initial and Final Address Message (MSISDN)
2. GMSC -> HLR: Send Routing Info (MSISDN); HLR -> VLR: (IMSI); VLR -> HLR: (MSRN)
3. HLR -> GMSC: Routing Info Ack (MSRN); GMSC -> MSC: Initial and Final Address Message (MSRN)
4. MSC -> VLR: Send Info For I/C Call Setup; VLR -> MSC: (LAI & TMSI)
5. MSC -> BSS: Page (TMSI); BSS -> MS: Paging Request <PCH> (TMSI)
(channel assigned on the radio leg, circuit on the PSTN leg)
9. MSC -> MS: Assignment Command <FACCH>; MS -> MSC: Assignment Complete <FACCH>; MS -> MSC: Alert; MSC -> GMSC -> PSTN: Address Complete; ring tone at the land phone
10. Subscriber picks up: MS -> MSC: Connect <FACCH>; MSC -> MS: Connect ACK; MSC -> GMSC -> PSTN: ANS; ringing stops at the land phone; speech on <TCH>: Hello...; billing starts
51. Attacks on GSM
OsmocomBB
sniffing
MITM attack on call
MITM attack on SMS
attack using a data card
...

52. Twitter: @Gunjan_cn
Gunjan.cn@gmail.com