Uploaded bymaicuong8
PPT, PDF170 views

Gsm security

This document provides an overview of GSM security, including its objectives, mechanisms, and algorithms. It discusses the security concerns for operators and customers that GSM aims to address. The key goals of GSM security are confidentiality, anonymity, and authentication. The document then describes the specific security features and components of GSM, including the SIM card, authentication process, encryption algorithms like A3, A8, and A5, and the COMP128 algorithm. It also discusses attacks against GSM security like the partitioning attack against COMP128 that exploits side channels.

Embed presentation

Download to read offline
11 GSM Security OverviewGSM Security Overview (Part 2)(Part 2) Max StepanovMax Stepanov
2 AgendaAgenda GSM Security ObjectivesGSM Security Objectives  Concerns, Goals, RequirementsConcerns, Goals, Requirements GSM Security MechanismsGSM Security Mechanisms SIM AnatomySIM Anatomy Algorithms and AttacksAlgorithms and Attacks  COMP128COMP128  Partitioning Attack on COMP128Partitioning Attack on COMP128 ((J. Rao, P. Rohantgi, H. Scherzer, S. TunguelyJ. Rao, P. Rohantgi, H. Scherzer, S. Tunguely))
3 GSM Security ConcernsGSM Security Concerns OperatorsOperators  Bills right peopleBills right people  Avoid fraudAvoid fraud  Protect ServicesProtect Services CustomersCustomers  PrivacyPrivacy  AnonymityAnonymity Make a system at least secure as PSTNMake a system at least secure as PSTN
4 GSM Security GoalsGSM Security Goals Confidentiality and Anonymity on the radioConfidentiality and Anonymity on the radio pathpath Strong client authentication to protect theStrong client authentication to protect the operator against the billing fraudoperator against the billing fraud Prevention of operators fromPrevention of operators from compromising of each others’ securitycompromising of each others’ security  InadvertentlyInadvertently  Competition pressureCompetition pressure
5 GSM Security DesignGSM Security Design RequirementsRequirements The security mechanismThe security mechanism  MUST NOTMUST NOT Add significant overhead on call set upAdd significant overhead on call set up Increase bandwidth of the channelIncrease bandwidth of the channel Increase error rateIncrease error rate Add expensive complexity to the systemAdd expensive complexity to the system  MUSTMUST Cost effective schemeCost effective scheme  Define security proceduresDefine security procedures Generation and distribution of keysGeneration and distribution of keys Exchange information between operatorsExchange information between operators Confidentiality of algorithmsConfidentiality of algorithms
6 GSM Security FeaturesGSM Security Features Key management is independent of equipmentKey management is independent of equipment  Subscribers can change handsets without compromisingSubscribers can change handsets without compromising securitysecurity Subscriber identity protectionSubscriber identity protection  not easy to identify the user of the system intercepting a usernot easy to identify the user of the system intercepting a user datadata Detection of compromised equipmentDetection of compromised equipment  Detection mechanism whether a mobile device wasDetection mechanism whether a mobile device was compromised or notcompromised or not Subscriber authenticationSubscriber authentication  The operator knows for billing purposes who is using the systemThe operator knows for billing purposes who is using the system Signaling and user data protectionSignaling and user data protection  Signaling and data channels are protected over the radio pathSignaling and data channels are protected over the radio path
7 GSM Mobile StationGSM Mobile Station Mobile StationMobile Station  Mobile Equipment (ME)Mobile Equipment (ME) Physical mobile devicePhysical mobile device IdentifiersIdentifiers  IMEI – International Mobile Equipment IdentityIMEI – International Mobile Equipment Identity  Subscriber Identity Module (SIM)Subscriber Identity Module (SIM) Smart Card containing keys, identifiers and algorithmsSmart Card containing keys, identifiers and algorithms IdentifiersIdentifiers  KKii – Subscriber Authentication Key– Subscriber Authentication Key  IMSI – International Mobile Subscriber IdentityIMSI – International Mobile Subscriber Identity  TMSI – Temporary Mobile Subscriber IdentityTMSI – Temporary Mobile Subscriber Identity  MSISDN – Mobile Station International Service DigitalMSISDN – Mobile Station International Service Digital NetworkNetwork  PIN – Personal Identity Number protecting a SIMPIN – Personal Identity Number protecting a SIM  LAI – location area identityLAI – location area identity
8 GSM ArchitectureGSM Architecture Mobile Stations Base Station Subsystem Exchange System Network Management Subscriber and terminal equipment databases BSC MSC VLR HLR EIR AUC OMC BTS BTS BTS
9 Subscriber Identity ProtectionSubscriber Identity Protection TMSI – Temporary Mobile Subscriber IdentityTMSI – Temporary Mobile Subscriber Identity  GoalsGoals TMSI is used instead of IMSI as an a temporary subscriber identifierTMSI is used instead of IMSI as an a temporary subscriber identifier TMSI prevents an eavesdropper from identifying of subscriberTMSI prevents an eavesdropper from identifying of subscriber  UsageUsage TMSI is assigned when IMSI is transmitted to AuC on the first phoneTMSI is assigned when IMSI is transmitted to AuC on the first phone switch onswitch on Every time a location update (new MSC) occur the networks assignsEvery time a location update (new MSC) occur the networks assigns a new TMSIa new TMSI TMSI is used by the MS to report to the network or during a callTMSI is used by the MS to report to the network or during a call initializationinitialization Network uses TMSI to communicate with MSNetwork uses TMSI to communicate with MS On MS switch off TMSI is stored on SIM card to be reused next timeOn MS switch off TMSI is stored on SIM card to be reused next time  The Visitor Location Register (VLR) performs assignment,The Visitor Location Register (VLR) performs assignment, administration and update of the TMSIadministration and update of the TMSI
10 Key Management SchemeKey Management Scheme KKii – Subscriber Authentication Key– Subscriber Authentication Key  Shared 128 bit key used for authentication of subscriber byShared 128 bit key used for authentication of subscriber by the operatorthe operator  Key StorageKey Storage Subscriber’s SIM (owned by operator, i.e. trusted)Subscriber’s SIM (owned by operator, i.e. trusted) Operator’s Home Locator Register (HLR) of the subscriber’sOperator’s Home Locator Register (HLR) of the subscriber’s home networkhome network SIM can be used with different equipmentSIM can be used with different equipment
11 Detection of CompromisedDetection of Compromised EquipmentEquipment International Mobile Equipment Identifier (IMEI)International Mobile Equipment Identifier (IMEI)  Identifier allowing to identify mobilesIdentifier allowing to identify mobiles  IMEI is independent of SIMIMEI is independent of SIM  Used to identify stolen or compromised equipmentUsed to identify stolen or compromised equipment Equipment Identity Register (EIR)Equipment Identity Register (EIR)  Black list – stolen or non-type mobilesBlack list – stolen or non-type mobiles  White list - valid mobilesWhite list - valid mobiles  Gray list – local tracking mobilesGray list – local tracking mobiles Central Equipment Identity Register (CEIR)Central Equipment Identity Register (CEIR)  Approved mobile type (type approval authorities)Approved mobile type (type approval authorities)  Consolidated black list (posted by operators)Consolidated black list (posted by operators)
12 AuthenticationAuthentication Authentication GoalsAuthentication Goals  Subscriber (SIM holder) authenticationSubscriber (SIM holder) authentication  Protection of the network againstProtection of the network against unauthorized useunauthorized use  Create a session keyCreate a session key Authentication SchemeAuthentication Scheme  Subscriber identification: IMSI or TMSISubscriber identification: IMSI or TMSI  Challenge-Response authentication of theChallenge-Response authentication of the subscriber by the operatorsubscriber by the operator
13 Authentication and EncryptionAuthentication and Encryption SchemeScheme A3 Mobile Station Radio Link GSM Operator A8 A5 A3 A8 A5 Ki Ki Challenge RAND KcKc mi Encrypted Data mi SIM Signed response (SRES) SRESSRES Fn Fn Authentication: are SRES values equal?
14 AuthenticationAuthentication AuC – Authentication CenterAuC – Authentication Center  Provides parameters for authentication andProvides parameters for authentication and encryption functions (RAND, SRES, Kencryption functions (RAND, SRES, Kcc)) HLR – Home Location RegisterHLR – Home Location Register  Provides MSC (Mobile Switching Center) with triplesProvides MSC (Mobile Switching Center) with triples (RAND, SRES, K(RAND, SRES, Kcc))  Handles MS locationHandles MS location VLR – Visitor Location RegisterVLR – Visitor Location Register  Stores generated triples by the HLR when aStores generated triples by the HLR when a subscriber is not in his home networksubscriber is not in his home network  One operator doesn’t have access to subscriber keysOne operator doesn’t have access to subscriber keys of the another operator.of the another operator.
15 A3 – MS Authentication AlgorithmA3 – MS Authentication Algorithm GoalGoal  Generation of SRES response to MSC’sGeneration of SRES response to MSC’s random challenge RANDrandom challenge RAND A3 RAND (128 bit) Ki (128 bit) SRES (32 bit)
16 A8 – Voice Privacy Key GenerationA8 – Voice Privacy Key Generation AlgorithmAlgorithm GoalGoal  Generation of session key KGeneration of session key Kss A8 specification was never made publicA8 specification was never made public A8 RAND (128 bit) Ki (128 bit) KC (64 bit)
17 Logical ImplementationLogical Implementation of A3 and A8of A3 and A8 Both A3 and A8 algorithms areBoth A3 and A8 algorithms are implemented on the SIMimplemented on the SIM  Operator can decide, which algorithm to use.Operator can decide, which algorithm to use.  Algorithms implementation is independent ofAlgorithms implementation is independent of hardware manufacturers and networkhardware manufacturers and network operators.operators.
18 Logical ImplementationLogical Implementation of A3 and A8of A3 and A8 COMP128 is used for both A3 and A8 inCOMP128 is used for both A3 and A8 in most GSM networks.most GSM networks.  COMP128 is a keyed hash functionCOMP128 is a keyed hash function COMP128 RAND (128 bit) Ki (128 bit) 128 bit output SRES 32 bit and Kc 54 bit
19 A5 – Encryption AlgorithmA5 – Encryption Algorithm  A5 is a stream cipherA5 is a stream cipher Implemented very efficiently on hardwareImplemented very efficiently on hardware Design was never made publicDesign was never made public Leaked to Ross Anderson and Bruce SchneierLeaked to Ross Anderson and Bruce Schneier  VariantsVariants A5/1 – the strong versionA5/1 – the strong version A5/2 – the weak versionA5/2 – the weak version A5/3A5/3  GSM Association Security Group and 3GPP designGSM Association Security Group and 3GPP design  Based on Kasumi algorithm used in 3G mobile systemsBased on Kasumi algorithm used in 3G mobile systems
20 Logical A5 ImplementationLogical A5 Implementation A5 Kc (64 bit)Fn (22 bit) 114 bit XOR Data (114 bit) A5 Kc (64 bit)Fn (22 bit) 114 bit XOR Ciphertext (114 bit) Data (114 bit) Mobile Station BTS Real A5 output is 228 bit for both directionsReal A5 output is 228 bit for both directions
21 A5 EncryptionA5 Encryption Mobile Stations Base Station Subsystem Exchange System Network Management Subscriber and terminal equipment databases BSC MSC VLR HLR EIR AUC OMC BTS BTS BTS A5 Encryption
22 SIM AnatomySIM Anatomy  Subscriber Identification Module (SIM)Subscriber Identification Module (SIM) Smart Card – a single chip computer containing OS, FileSmart Card – a single chip computer containing OS, File System, ApplicationsSystem, Applications Protected by PINProtected by PIN Owned by operator (i.e. trusted)Owned by operator (i.e. trusted) SIM applications can be written with SIM ToolkitSIM applications can be written with SIM Toolkit
23 Smart Card AnatomySmart Card Anatomy
24 Microprocessor CardsMicroprocessor Cards Typical specificationTypical specification  8 bit CPU8 bit CPU  16 K ROM16 K ROM  256 bytes RAM256 bytes RAM  4K EEPROM4K EEPROM  Cost: $5-50Cost: $5-50 Smart Card TechnologySmart Card Technology  Based on ISO 7816 definingBased on ISO 7816 defining Card size, contact layout, electrical characteristicsCard size, contact layout, electrical characteristics I/O Protocols:I/O Protocols: byte/block basedbyte/block based File StructureFile Structure
2525 Algorithm ImplementationsAlgorithm Implementations and Attacksand Attacks
26 Attack CategoriesAttack Categories SIM AttacksSIM Attacks Radio-link interception attacksRadio-link interception attacks Operator network attacksOperator network attacks  GSM does not protect an operator’s networkGSM does not protect an operator’s network
27 Attack HistoryAttack History 19911991  First GSM implementation.First GSM implementation. April 1998April 1998  The Smartcard Developer Association (SDA) together with U.C.The Smartcard Developer Association (SDA) together with U.C. Berkeley researches cracked the COMP128 algorithm stored in SIM andBerkeley researches cracked the COMP128 algorithm stored in SIM and succeeded to get Ksucceeded to get Kii within several hours. They discovered that Kc useswithin several hours. They discovered that Kc uses only 54 bits.only 54 bits. August 1999August 1999  The week A5/2 was cracked using a single PC within seconds.The week A5/2 was cracked using a single PC within seconds. December 1999December 1999  Alex Biryukov, Adi Shamir and David Wagner have published theAlex Biryukov, Adi Shamir and David Wagner have published the scheme breaking the strong A5/1 algorithm. Within two minutes ofscheme breaking the strong A5/1 algorithm. Within two minutes of intercepted call the attack time was only 1 second.intercepted call the attack time was only 1 second. May 2002May 2002  The IBM Research group discovered a new way to quickly extract theThe IBM Research group discovered a new way to quickly extract the COMP128 keys using side channels.COMP128 keys using side channels.
2828 COMP128COMP128 Keyed hash functionKeyed hash function
29 COMP128COMP128 Pseudo-code of the compression in COMP128 algorithm •X[0..15] = Ki; X[16..31] = RAND; •Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]
30 Traditional CryptographicTraditional Cryptographic AssumptionsAssumptions Traditional Cryptographic Attacks Input Crypto Processing Sensitive Information Output Smart CardSmart Card
31 Actual Information AvailableActual Information Available Side Channels •Power Consumption •Electromagnetic radiation •Timing •Errors •Etc. Side Channel Attacks Input Crypto Processing Sensitive Information Output Smart CardSmart Card
32 Simple Power DES AnalysisSimple Power DES Analysis SPA of DES operation performed by a typical Smart CardSPA of DES operation performed by a typical Smart Card  Above: initial permutation, 16 DES rounds, final permutationAbove: initial permutation, 16 DES rounds, final permutation  Below: detailed view of the second and third roundsBelow: detailed view of the second and third rounds
33 Partitioning Attack on COMP128Partitioning Attack on COMP128 Attack GoalAttack Goal  KKii stored on SIM cardstored on SIM card  KnowingKnowing KKii it’s possible to clone SIMit’s possible to clone SIM Cardinal PrincipleCardinal Principle  Relevant bits of all intermediate cycles and their values shouldRelevant bits of all intermediate cycles and their values should be statistically independent of the inputs, outputs, and sensitivebe statistically independent of the inputs, outputs, and sensitive information.information. Attack IdeaAttack Idea  Find a violation of theFind a violation of the Cardinal PrincipleCardinal Principle, i.e. side channels with, i.e. side channels with signals does depend on input, outputs and sensitive informationsignals does depend on input, outputs and sensitive information  Try to exploit theTry to exploit the statistical dependencystatistical dependency in signals to extract ain signals to extract a sensitive informationsensitive information
34 Partitioning Attack on COMP128Partitioning Attack on COMP128 How to implement 512 element THow to implement 512 element T00 table ontable on 8 bit Smart Card (i.e. index is 0..255)?8 bit Smart Card (i.e. index is 0..255)? Split 512 element table into two 256 element tablesSplit 512 element table into two 256 element tables It’s possible to detect access ofIt’s possible to detect access of different tables via side channels!different tables via side channels!  Power Consumption  Electromagnetic radiation
35 Partitioning Attack on COMP128Partitioning Attack on COMP128 Pseudo-code of the compression in COMP128 algorithm •X[0..15] = Ki; X[16..31] = RAND; •Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]
36 Partitioning Attack on COMP128Partitioning Attack on COMP128 K[0]K[0] K[1]K[1] K[15]K[15] R[0]R[0] R[15]R[15]…… ……R[0]R[0] TT00[y][y] K[1]K[1] K[15]K[15] TT00[z][z] R[15]R[15]…… ……R[0]R[0] y = K[0] + 2R[0]y = K[0] + 2R[0] z = 2K[0] + R[0]z = 2K[0] + R[0] 0 15 16 32 X Values ofValues of yy andand zz depend on the first bytes ofdepend on the first bytes of KK andand RR It’s possible to detect via side channels whether valuesIt’s possible to detect via side channels whether values ofof yy andand zz are within [0..255] or [256..511].are within [0..255] or [256..511].
37 Partitioning Attack on COMP128Partitioning Attack on COMP128 All we need is…All we need is…  A) FindA) Find R[0]R[0] such thatsuch that K[0] + 2R[0] (mod 512) < 256K[0] + 2R[0] (mod 512) < 256 K[0] + 2(R[0]+1) (mod 512) >= 256K[0] + 2(R[0]+1) (mod 512) >= 256 (There are only two options)(There are only two options)  B) Find R’[0] such thatB) Find R’[0] such that 2K[0] + R’[0] (mod 512) < 2562K[0] + R’[0] (mod 512) < 256 2K[0] + R’[0] + 1 (mod 512) >= 2562K[0] + R’[0] + 1 (mod 512) >= 256  C) One ofC) One of K[0]K[0] from A) will match B)from A) will match B) The key byte is always uniquely determined fromThe key byte is always uniquely determined from partitioning information.partitioning information. Computation of the others bytes ofComputation of the others bytes of KK is similar.is similar.
38 SummarySummary GSM Security ObjectivesGSM Security Objectives  Concerns, Goals, RequirementsConcerns, Goals, Requirements GSM Security MechanismsGSM Security Mechanisms SIM AnatomySIM Anatomy Algorithms and AttacksAlgorithms and Attacks  COMP128COMP128  Partitioning Attack on COMP128Partitioning Attack on COMP128

More Related Content

PPT
Gsm security
byAli Kamil
 
PPTX
GSM SECURITY AND ENCRYPTION BY SAIKIRAN PANJALA
bySaikiran Panjala
 
PPTX
Gsm security and encryption
byRK Nayak
 
PPT
Cryptography in GSM
byTharindu Weerasinghe
 
PPTX
Presentation one-gsm
byAbu Sadat Mohammed Yasin
 
PPTX
Gsm security algorithms A3 , A5 , A8
byRUpaliLohar
 
PPT
Gsm security final
bySanket Yavalkar
 
PPTX
Gsm security by usman zulfqar
byusman zulfqar
 
Gsm security
byAli Kamil
 
GSM SECURITY AND ENCRYPTION BY SAIKIRAN PANJALA
bySaikiran Panjala
 
Gsm security and encryption
byRK Nayak
 
Cryptography in GSM
byTharindu Weerasinghe
 
Presentation one-gsm
byAbu Sadat Mohammed Yasin
 
Gsm security algorithms A3 , A5 , A8
byRUpaliLohar
 
Gsm security final
bySanket Yavalkar
 
Gsm security by usman zulfqar
byusman zulfqar
 

What's hot

PDF
Gsm for-dummies
byHeni Sutadi
 
PPT
Final gsm1
byArun Kumar
 
PDF
Introduction to SIM and USIM
byNaveen Jakhar, I.T.S
 
PDF
GSM Security 101 by Sushil Singh and Dheeraj Verma
byOWASP Delhi
 
PPT
Security in GSM(2G) and UMTS(3G) Networks
byNaveen Kumar
 
PDF
Worldwide attacks on SS7/SIGTRAN network
byP1Security
 
PDF
IRJET- ATM Security using GSM and MEMS Sensor
byIRJET Journal
 
PPTX
GSM Security
bysmita gupta
 
PDF
Research paper_Anshul _Ankita_RSG
byAnshul Sahu
 
PDF
Security in GSM
byDr. Ramchandra Mangrulkar
 
PPT
Security in bluetooth, cdma and umts
byAnkit Gupta
 
PDF
Diameter Penetration Test Lab
byfrcarlson
 
PPTX
Gsm Security and Attacks
byAbdullah Mohamed
 
PDF
new Algorithm1
byasmita satpute
 
PPT
GSM security solution by FINETUNE Technologies
byEngr.MEESHU SHARKER
 
PDF
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
byPROIDEA
 
PDF
Iirdem smart gun with rfid gps and gsm modules for remote enabling disabling ...
byIaetsd Iaetsd
 
PDF
Global System for Mobile Communication Based Smart Home Security System
byIJERA Editor
 
Gsm for-dummies
byHeni Sutadi
 
Final gsm1
byArun Kumar
 
Introduction to SIM and USIM
byNaveen Jakhar, I.T.S
 
GSM Security 101 by Sushil Singh and Dheeraj Verma
byOWASP Delhi
 
Security in GSM(2G) and UMTS(3G) Networks
byNaveen Kumar
 
Worldwide attacks on SS7/SIGTRAN network
byP1Security
 
IRJET- ATM Security using GSM and MEMS Sensor
byIRJET Journal
 
GSM Security
bysmita gupta
 
Research paper_Anshul _Ankita_RSG
byAnshul Sahu
 
Security in GSM
byDr. Ramchandra Mangrulkar
 
Security in bluetooth, cdma and umts
byAnkit Gupta
 
Diameter Penetration Test Lab
byfrcarlson
 
Gsm Security and Attacks
byAbdullah Mohamed
 
new Algorithm1
byasmita satpute
 
GSM security solution by FINETUNE Technologies
byEngr.MEESHU SHARKER
 
PLNOG20 - Piotr Gruszczyński - Bezpieczeństwo sieci komórkowej
byPROIDEA
 
Iirdem smart gun with rfid gps and gsm modules for remote enabling disabling ...
byIaetsd Iaetsd
 
Global System for Mobile Communication Based Smart Home Security System
byIJERA Editor
 

Similar to Gsm security

PPTX
Gsm
byNur Islam
 
PDF
Telecom Security
byPriyanka Aash
 
PPT
Gsm fundamentals
byMohamed Sewailam
 
PPT
GSM
byJAI MCA-STUDENT
 
PDF
GSM lecture mobile package telecommunication .pdf
byhossamsexegy
 
PPT
GSM Architecture.ppt
byDanish Mahmood
 
PDF
gsm-pt-130414104636-phpapp02.pdf
byhazhamina
 
PPTX
GSM
byAnimesh Lochan
 
PPTX
MOBILE COMPUTING ppt2 covering Unit 1 and Unit concepts.pptx
byTejaswini79997
 
DOCX
2G...All about second generation of cellular networks.
byMuhammad Ahad
 
PPTX
Gsm1
byVikran Kottaisamy
 
PPTX
Mob. comp . prst
byBhanu Pratap
 
PPTX
System Architecture & Addressing UNit 3.
bymd4228787
 
PDF
S ECURITY I SSUES A ND C HALLENGES I N M OBILE C OMPUTING A ND M - C ...
byIJCSES Journal
 
PPTX
report
byPrateek Bansal
 
PDF
This chapter gives an outline of the security.
byRoshniIsrani1
 
PDF
Gsm presntation
byTECOS
 
PDF
Gsm presntation
byTECOS
 
PPT
Class 1
by5strikers
 
PPTX
Gsm & mnp(1)
byUnique003
 
Gsm
byNur Islam
 
Telecom Security
byPriyanka Aash
 
Gsm fundamentals
byMohamed Sewailam
 
GSM
byJAI MCA-STUDENT
 
GSM lecture mobile package telecommunication .pdf
byhossamsexegy
 
GSM Architecture.ppt
byDanish Mahmood
 
gsm-pt-130414104636-phpapp02.pdf
byhazhamina
 
GSM
byAnimesh Lochan
 
MOBILE COMPUTING ppt2 covering Unit 1 and Unit concepts.pptx
byTejaswini79997
 
2G...All about second generation of cellular networks.
byMuhammad Ahad
 
Gsm1
byVikran Kottaisamy
 
Mob. comp . prst
byBhanu Pratap
 
System Architecture & Addressing UNit 3.
bymd4228787
 
S ECURITY I SSUES A ND C HALLENGES I N M OBILE C OMPUTING A ND M - C ...
byIJCSES Journal
 
report
byPrateek Bansal
 
This chapter gives an outline of the security.
byRoshniIsrani1
 
Gsm presntation
byTECOS
 
Gsm presntation
byTECOS
 
Class 1
by5strikers
 
Gsm & mnp(1)
byUnique003
 

Recently uploaded

PDF
ACI 318-2205_American Concrete Institute.pdf
byericaguilerasoto1
 
PDF
Albert Pintoy - Specializing In Low-Latency
byAlbert Pintoy
 
PDF
Presentation-on-Energy-Transition-in-Bangladesh-Employment-and-Skills.pdf
bysyedSajib8
 
PDF
Hybrid Anomaly Detection Mechanism for IOT Networks
byIJCNCJournal
 
PPTX
UnrealGameplayAbilitySystemPresentation.pptx
byBenHowenstein
 
PPTX
How to Use Mobile CMMS to Improve Maintenance Operations & Field Productivity
byMaintWiz Technologies Private Limited
 
PPTX
Revolutionizing Facilities Management with MaintWiz — AI CMMS for Smart FMaaS
byMaintWiz Technologies Private Limited
 
PDF
Surveillance_Partner_Product_Training_20240120_KSA.pdf
byHamadaZayed1
 
PPTX
Salesforce Bulk Connector V1 and V2 Deep Dive!
byRajeevRanjan368982
 
PDF
Engineering Properties of Agricultural Food Materials-.pdf and ppt
byASHWANI VERMA
 
PPTX
How to Create an Effective Monthly Maintenance Plan for Reliable Plant Operat...
byMaintWiz Technologies Private Limited
 
PPTX
Shutdown Maintenance Explained — Full Plant Turnaround & Best Practices with ...
byMaintWiz Technologies Private Limited
 
PPTX
Role of In Vitro and In Vivo Testing biomedical engineering
bymarisudha1
 
PDF
Handheld_Laser_Welding_Presentation 2.pdf
bysinezioveluz
 
PPTX
22304_BCO_CO3_LO4_PPT MSBTE Building construction.pptx
byPrasadBahekar4
 
PPTX
Power point presentation on introduction of software engineering
bys6050748
 
PPTX
Takt Time vs Cycle Time vs Lead Time.pptx
byE Concepts
 
PDF
Narrows Planning Collective Transportation Capstone.pdf
bycj2392
 
PPTX
Optimizing Operations: Key Elements of a Successful Plant Maintenance Plan — ...
byMaintWiz Technologies Private Limited
 
PPTX
Vertical turbine pump explains installed in power plants
bysadanandyadav25
 
ACI 318-2205_American Concrete Institute.pdf
byericaguilerasoto1
 
Albert Pintoy - Specializing In Low-Latency
byAlbert Pintoy
 
Presentation-on-Energy-Transition-in-Bangladesh-Employment-and-Skills.pdf
bysyedSajib8
 
Hybrid Anomaly Detection Mechanism for IOT Networks
byIJCNCJournal
 
UnrealGameplayAbilitySystemPresentation.pptx
byBenHowenstein
 
How to Use Mobile CMMS to Improve Maintenance Operations & Field Productivity
byMaintWiz Technologies Private Limited
 
Revolutionizing Facilities Management with MaintWiz — AI CMMS for Smart FMaaS
byMaintWiz Technologies Private Limited
 
Surveillance_Partner_Product_Training_20240120_KSA.pdf
byHamadaZayed1
 
Salesforce Bulk Connector V1 and V2 Deep Dive!
byRajeevRanjan368982
 
Engineering Properties of Agricultural Food Materials-.pdf and ppt
byASHWANI VERMA
 
How to Create an Effective Monthly Maintenance Plan for Reliable Plant Operat...
byMaintWiz Technologies Private Limited
 
Shutdown Maintenance Explained — Full Plant Turnaround & Best Practices with ...
byMaintWiz Technologies Private Limited
 
Role of In Vitro and In Vivo Testing biomedical engineering
bymarisudha1
 
Handheld_Laser_Welding_Presentation 2.pdf
bysinezioveluz
 
22304_BCO_CO3_LO4_PPT MSBTE Building construction.pptx
byPrasadBahekar4
 
Power point presentation on introduction of software engineering
bys6050748
 
Takt Time vs Cycle Time vs Lead Time.pptx
byE Concepts
 
Narrows Planning Collective Transportation Capstone.pdf
bycj2392
 
Optimizing Operations: Key Elements of a Successful Plant Maintenance Plan — ...
byMaintWiz Technologies Private Limited
 
Vertical turbine pump explains installed in power plants
bysadanandyadav25
 

Gsm security

  • 1.
    11 GSM Security OverviewGSMSecurity Overview (Part 2)(Part 2) Max StepanovMax Stepanov
  • 2.
    2 AgendaAgenda GSM Security ObjectivesGSMSecurity Objectives  Concerns, Goals, RequirementsConcerns, Goals, Requirements GSM Security MechanismsGSM Security Mechanisms SIM AnatomySIM Anatomy Algorithms and AttacksAlgorithms and Attacks  COMP128COMP128  Partitioning Attack on COMP128Partitioning Attack on COMP128 ((J. Rao, P. Rohantgi, H. Scherzer, S. TunguelyJ. Rao, P. Rohantgi, H. Scherzer, S. Tunguely))
  • 3.
    3 GSM Security ConcernsGSMSecurity Concerns OperatorsOperators  Bills right peopleBills right people  Avoid fraudAvoid fraud  Protect ServicesProtect Services CustomersCustomers  PrivacyPrivacy  AnonymityAnonymity Make a system at least secure as PSTNMake a system at least secure as PSTN
  • 4.
    4 GSM Security GoalsGSMSecurity Goals Confidentiality and Anonymity on the radioConfidentiality and Anonymity on the radio pathpath Strong client authentication to protect theStrong client authentication to protect the operator against the billing fraudoperator against the billing fraud Prevention of operators fromPrevention of operators from compromising of each others’ securitycompromising of each others’ security  InadvertentlyInadvertently  Competition pressureCompetition pressure
  • 5.
    5 GSM Security DesignGSMSecurity Design RequirementsRequirements The security mechanismThe security mechanism  MUST NOTMUST NOT Add significant overhead on call set upAdd significant overhead on call set up Increase bandwidth of the channelIncrease bandwidth of the channel Increase error rateIncrease error rate Add expensive complexity to the systemAdd expensive complexity to the system  MUSTMUST Cost effective schemeCost effective scheme  Define security proceduresDefine security procedures Generation and distribution of keysGeneration and distribution of keys Exchange information between operatorsExchange information between operators Confidentiality of algorithmsConfidentiality of algorithms
  • 6.
    6 GSM Security FeaturesGSMSecurity Features Key management is independent of equipmentKey management is independent of equipment  Subscribers can change handsets without compromisingSubscribers can change handsets without compromising securitysecurity Subscriber identity protectionSubscriber identity protection  not easy to identify the user of the system intercepting a usernot easy to identify the user of the system intercepting a user datadata Detection of compromised equipmentDetection of compromised equipment  Detection mechanism whether a mobile device wasDetection mechanism whether a mobile device was compromised or notcompromised or not Subscriber authenticationSubscriber authentication  The operator knows for billing purposes who is using the systemThe operator knows for billing purposes who is using the system Signaling and user data protectionSignaling and user data protection  Signaling and data channels are protected over the radio pathSignaling and data channels are protected over the radio path
  • 7.
    7 GSM Mobile StationGSMMobile Station Mobile StationMobile Station  Mobile Equipment (ME)Mobile Equipment (ME) Physical mobile devicePhysical mobile device IdentifiersIdentifiers  IMEI – International Mobile Equipment IdentityIMEI – International Mobile Equipment Identity  Subscriber Identity Module (SIM)Subscriber Identity Module (SIM) Smart Card containing keys, identifiers and algorithmsSmart Card containing keys, identifiers and algorithms IdentifiersIdentifiers  KKii – Subscriber Authentication Key– Subscriber Authentication Key  IMSI – International Mobile Subscriber IdentityIMSI – International Mobile Subscriber Identity  TMSI – Temporary Mobile Subscriber IdentityTMSI – Temporary Mobile Subscriber Identity  MSISDN – Mobile Station International Service DigitalMSISDN – Mobile Station International Service Digital NetworkNetwork  PIN – Personal Identity Number protecting a SIMPIN – Personal Identity Number protecting a SIM  LAI – location area identityLAI – location area identity
  • 8.
    8 GSM ArchitectureGSM Architecture MobileStations Base Station Subsystem Exchange System Network Management Subscriber and terminal equipment databases BSC MSC VLR HLR EIR AUC OMC BTS BTS BTS
  • 9.
    9 Subscriber Identity ProtectionSubscriberIdentity Protection TMSI – Temporary Mobile Subscriber IdentityTMSI – Temporary Mobile Subscriber Identity  GoalsGoals TMSI is used instead of IMSI as an a temporary subscriber identifierTMSI is used instead of IMSI as an a temporary subscriber identifier TMSI prevents an eavesdropper from identifying of subscriberTMSI prevents an eavesdropper from identifying of subscriber  UsageUsage TMSI is assigned when IMSI is transmitted to AuC on the first phoneTMSI is assigned when IMSI is transmitted to AuC on the first phone switch onswitch on Every time a location update (new MSC) occur the networks assignsEvery time a location update (new MSC) occur the networks assigns a new TMSIa new TMSI TMSI is used by the MS to report to the network or during a callTMSI is used by the MS to report to the network or during a call initializationinitialization Network uses TMSI to communicate with MSNetwork uses TMSI to communicate with MS On MS switch off TMSI is stored on SIM card to be reused next timeOn MS switch off TMSI is stored on SIM card to be reused next time  The Visitor Location Register (VLR) performs assignment,The Visitor Location Register (VLR) performs assignment, administration and update of the TMSIadministration and update of the TMSI
  • 10.
    10 Key Management SchemeKeyManagement Scheme KKii – Subscriber Authentication Key– Subscriber Authentication Key  Shared 128 bit key used for authentication of subscriber byShared 128 bit key used for authentication of subscriber by the operatorthe operator  Key StorageKey Storage Subscriber’s SIM (owned by operator, i.e. trusted)Subscriber’s SIM (owned by operator, i.e. trusted) Operator’s Home Locator Register (HLR) of the subscriber’sOperator’s Home Locator Register (HLR) of the subscriber’s home networkhome network SIM can be used with different equipmentSIM can be used with different equipment
  • 11.
    11 Detection of CompromisedDetectionof Compromised EquipmentEquipment International Mobile Equipment Identifier (IMEI)International Mobile Equipment Identifier (IMEI)  Identifier allowing to identify mobilesIdentifier allowing to identify mobiles  IMEI is independent of SIMIMEI is independent of SIM  Used to identify stolen or compromised equipmentUsed to identify stolen or compromised equipment Equipment Identity Register (EIR)Equipment Identity Register (EIR)  Black list – stolen or non-type mobilesBlack list – stolen or non-type mobiles  White list - valid mobilesWhite list - valid mobiles  Gray list – local tracking mobilesGray list – local tracking mobiles Central Equipment Identity Register (CEIR)Central Equipment Identity Register (CEIR)  Approved mobile type (type approval authorities)Approved mobile type (type approval authorities)  Consolidated black list (posted by operators)Consolidated black list (posted by operators)
  • 12.
    12 AuthenticationAuthentication Authentication GoalsAuthentication Goals  Subscriber(SIM holder) authenticationSubscriber (SIM holder) authentication  Protection of the network againstProtection of the network against unauthorized useunauthorized use  Create a session keyCreate a session key Authentication SchemeAuthentication Scheme  Subscriber identification: IMSI or TMSISubscriber identification: IMSI or TMSI  Challenge-Response authentication of theChallenge-Response authentication of the subscriber by the operatorsubscriber by the operator
  • 13.
    13 Authentication and EncryptionAuthenticationand Encryption SchemeScheme A3 Mobile Station Radio Link GSM Operator A8 A5 A3 A8 A5 Ki Ki Challenge RAND KcKc mi Encrypted Data mi SIM Signed response (SRES) SRESSRES Fn Fn Authentication: are SRES values equal?
  • 14.
    14 AuthenticationAuthentication AuC – AuthenticationCenterAuC – Authentication Center  Provides parameters for authentication andProvides parameters for authentication and encryption functions (RAND, SRES, Kencryption functions (RAND, SRES, Kcc)) HLR – Home Location RegisterHLR – Home Location Register  Provides MSC (Mobile Switching Center) with triplesProvides MSC (Mobile Switching Center) with triples (RAND, SRES, K(RAND, SRES, Kcc))  Handles MS locationHandles MS location VLR – Visitor Location RegisterVLR – Visitor Location Register  Stores generated triples by the HLR when aStores generated triples by the HLR when a subscriber is not in his home networksubscriber is not in his home network  One operator doesn’t have access to subscriber keysOne operator doesn’t have access to subscriber keys of the another operator.of the another operator.
  • 15.
    15 A3 – MSAuthentication AlgorithmA3 – MS Authentication Algorithm GoalGoal  Generation of SRES response to MSC’sGeneration of SRES response to MSC’s random challenge RANDrandom challenge RAND A3 RAND (128 bit) Ki (128 bit) SRES (32 bit)
  • 16.
    16 A8 – VoicePrivacy Key GenerationA8 – Voice Privacy Key Generation AlgorithmAlgorithm GoalGoal  Generation of session key KGeneration of session key Kss A8 specification was never made publicA8 specification was never made public A8 RAND (128 bit) Ki (128 bit) KC (64 bit)
  • 17.
    17 Logical ImplementationLogical Implementation ofA3 and A8of A3 and A8 Both A3 and A8 algorithms areBoth A3 and A8 algorithms are implemented on the SIMimplemented on the SIM  Operator can decide, which algorithm to use.Operator can decide, which algorithm to use.  Algorithms implementation is independent ofAlgorithms implementation is independent of hardware manufacturers and networkhardware manufacturers and network operators.operators.
  • 18.
    18 Logical ImplementationLogical Implementation ofA3 and A8of A3 and A8 COMP128 is used for both A3 and A8 inCOMP128 is used for both A3 and A8 in most GSM networks.most GSM networks.  COMP128 is a keyed hash functionCOMP128 is a keyed hash function COMP128 RAND (128 bit) Ki (128 bit) 128 bit output SRES 32 bit and Kc 54 bit
  • 19.
    19 A5 – EncryptionAlgorithmA5 – Encryption Algorithm  A5 is a stream cipherA5 is a stream cipher Implemented very efficiently on hardwareImplemented very efficiently on hardware Design was never made publicDesign was never made public Leaked to Ross Anderson and Bruce SchneierLeaked to Ross Anderson and Bruce Schneier  VariantsVariants A5/1 – the strong versionA5/1 – the strong version A5/2 – the weak versionA5/2 – the weak version A5/3A5/3  GSM Association Security Group and 3GPP designGSM Association Security Group and 3GPP design  Based on Kasumi algorithm used in 3G mobile systemsBased on Kasumi algorithm used in 3G mobile systems
  • 20.
    20 Logical A5 ImplementationLogicalA5 Implementation A5 Kc (64 bit)Fn (22 bit) 114 bit XOR Data (114 bit) A5 Kc (64 bit)Fn (22 bit) 114 bit XOR Ciphertext (114 bit) Data (114 bit) Mobile Station BTS Real A5 output is 228 bit for both directionsReal A5 output is 228 bit for both directions
  • 21.
    21 A5 EncryptionA5 Encryption MobileStations Base Station Subsystem Exchange System Network Management Subscriber and terminal equipment databases BSC MSC VLR HLR EIR AUC OMC BTS BTS BTS A5 Encryption
  • 22.
    22 SIM AnatomySIM Anatomy  SubscriberIdentification Module (SIM)Subscriber Identification Module (SIM) Smart Card – a single chip computer containing OS, FileSmart Card – a single chip computer containing OS, File System, ApplicationsSystem, Applications Protected by PINProtected by PIN Owned by operator (i.e. trusted)Owned by operator (i.e. trusted) SIM applications can be written with SIM ToolkitSIM applications can be written with SIM Toolkit
  • 23.
  • 24.
    24 Microprocessor CardsMicroprocessor Cards TypicalspecificationTypical specification  8 bit CPU8 bit CPU  16 K ROM16 K ROM  256 bytes RAM256 bytes RAM  4K EEPROM4K EEPROM  Cost: $5-50Cost: $5-50 Smart Card TechnologySmart Card Technology  Based on ISO 7816 definingBased on ISO 7816 defining Card size, contact layout, electrical characteristicsCard size, contact layout, electrical characteristics I/O Protocols:I/O Protocols: byte/block basedbyte/block based File StructureFile Structure
  • 25.
  • 26.
    26 Attack CategoriesAttack Categories SIMAttacksSIM Attacks Radio-link interception attacksRadio-link interception attacks Operator network attacksOperator network attacks  GSM does not protect an operator’s networkGSM does not protect an operator’s network
  • 27.
    27 Attack HistoryAttack History 19911991  FirstGSM implementation.First GSM implementation. April 1998April 1998  The Smartcard Developer Association (SDA) together with U.C.The Smartcard Developer Association (SDA) together with U.C. Berkeley researches cracked the COMP128 algorithm stored in SIM andBerkeley researches cracked the COMP128 algorithm stored in SIM and succeeded to get Ksucceeded to get Kii within several hours. They discovered that Kc useswithin several hours. They discovered that Kc uses only 54 bits.only 54 bits. August 1999August 1999  The week A5/2 was cracked using a single PC within seconds.The week A5/2 was cracked using a single PC within seconds. December 1999December 1999  Alex Biryukov, Adi Shamir and David Wagner have published theAlex Biryukov, Adi Shamir and David Wagner have published the scheme breaking the strong A5/1 algorithm. Within two minutes ofscheme breaking the strong A5/1 algorithm. Within two minutes of intercepted call the attack time was only 1 second.intercepted call the attack time was only 1 second. May 2002May 2002  The IBM Research group discovered a new way to quickly extract theThe IBM Research group discovered a new way to quickly extract the COMP128 keys using side channels.COMP128 keys using side channels.
  • 28.
  • 29.
    29 COMP128COMP128 Pseudo-code of thecompression in COMP128 algorithm •X[0..15] = Ki; X[16..31] = RAND; •Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]
  • 30.
  • 31.
    31 Actual Information AvailableActualInformation Available Side Channels •Power Consumption •Electromagnetic radiation •Timing •Errors •Etc. Side Channel Attacks Input Crypto Processing Sensitive Information Output Smart CardSmart Card
  • 32.
    32 Simple Power DESAnalysisSimple Power DES Analysis SPA of DES operation performed by a typical Smart CardSPA of DES operation performed by a typical Smart Card  Above: initial permutation, 16 DES rounds, final permutationAbove: initial permutation, 16 DES rounds, final permutation  Below: detailed view of the second and third roundsBelow: detailed view of the second and third rounds
  • 33.
    33 Partitioning Attack onCOMP128Partitioning Attack on COMP128 Attack GoalAttack Goal  KKii stored on SIM cardstored on SIM card  KnowingKnowing KKii it’s possible to clone SIMit’s possible to clone SIM Cardinal PrincipleCardinal Principle  Relevant bits of all intermediate cycles and their values shouldRelevant bits of all intermediate cycles and their values should be statistically independent of the inputs, outputs, and sensitivebe statistically independent of the inputs, outputs, and sensitive information.information. Attack IdeaAttack Idea  Find a violation of theFind a violation of the Cardinal PrincipleCardinal Principle, i.e. side channels with, i.e. side channels with signals does depend on input, outputs and sensitive informationsignals does depend on input, outputs and sensitive information  Try to exploit theTry to exploit the statistical dependencystatistical dependency in signals to extract ain signals to extract a sensitive informationsensitive information
  • 34.
    34 Partitioning Attack onCOMP128Partitioning Attack on COMP128 How to implement 512 element THow to implement 512 element T00 table ontable on 8 bit Smart Card (i.e. index is 0..255)?8 bit Smart Card (i.e. index is 0..255)? Split 512 element table into two 256 element tablesSplit 512 element table into two 256 element tables It’s possible to detect access ofIt’s possible to detect access of different tables via side channels!different tables via side channels!  Power Consumption  Electromagnetic radiation
  • 35.
    35 Partitioning Attack onCOMP128Partitioning Attack on COMP128 Pseudo-code of the compression in COMP128 algorithm •X[0..15] = Ki; X[16..31] = RAND; •Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]
  • 36.
    36 Partitioning Attack onCOMP128Partitioning Attack on COMP128 K[0]K[0] K[1]K[1] K[15]K[15] R[0]R[0] R[15]R[15]…… ……R[0]R[0] TT00[y][y] K[1]K[1] K[15]K[15] TT00[z][z] R[15]R[15]…… ……R[0]R[0] y = K[0] + 2R[0]y = K[0] + 2R[0] z = 2K[0] + R[0]z = 2K[0] + R[0] 0 15 16 32 X Values ofValues of yy andand zz depend on the first bytes ofdepend on the first bytes of KK andand RR It’s possible to detect via side channels whether valuesIt’s possible to detect via side channels whether values ofof yy andand zz are within [0..255] or [256..511].are within [0..255] or [256..511].
  • 37.
    37 Partitioning Attack onCOMP128Partitioning Attack on COMP128 All we need is…All we need is…  A) FindA) Find R[0]R[0] such thatsuch that K[0] + 2R[0] (mod 512) < 256K[0] + 2R[0] (mod 512) < 256 K[0] + 2(R[0]+1) (mod 512) >= 256K[0] + 2(R[0]+1) (mod 512) >= 256 (There are only two options)(There are only two options)  B) Find R’[0] such thatB) Find R’[0] such that 2K[0] + R’[0] (mod 512) < 2562K[0] + R’[0] (mod 512) < 256 2K[0] + R’[0] + 1 (mod 512) >= 2562K[0] + R’[0] + 1 (mod 512) >= 256  C) One ofC) One of K[0]K[0] from A) will match B)from A) will match B) The key byte is always uniquely determined fromThe key byte is always uniquely determined from partitioning information.partitioning information. Computation of the others bytes ofComputation of the others bytes of KK is similar.is similar.
  • 38.
    38 SummarySummary GSM Security ObjectivesGSMSecurity Objectives  Concerns, Goals, RequirementsConcerns, Goals, Requirements GSM Security MechanismsGSM Security Mechanisms SIM AnatomySIM Anatomy Algorithms and AttacksAlgorithms and Attacks  COMP128COMP128  Partitioning Attack on COMP128Partitioning Attack on COMP128