Presentation on theme: "Cryptography in Mobile Networks"— Presentation transcript:
1Cryptography in Mobile Networks Mats NäslundCommunication Security LabEricsson ResearchMarch 6, 2009
2Outline Overview of GSM Cryptography Some “attacks” on GSM Lessons to be learntOverview of “3G” UMTS CryptographyThe new ”thing”: Cryptography in LTE
3History Mobile (wireless) communication has inherent threats EavesdroppingImpersonationConnection hijacking...Except early systems (e.g. NMT), use of cryptography has been deemed necessary- Protection of buisness (robust charging of subscribers)- User privacyEarly systems were not perfect and under restrictions...
5GSM SecurityUse of a smart card SIM – Subscriber Identity Module, tamper resistant device holding critical information,e.g. 128-bit key shared with Home OperatorThe SIM is the entity which is authenticatedChallenge response mechanism (one-sided)At the time (ca 1990) crypto was considered “weapon”Initial GSM algorithms (were) not publicly availableLimited key sizeSpecial “export version” of encryption algorithmsGSM ciphering on “first hop” only: stream ciphers using 54/64 bit keysIn a “free” world, we will soon see 128 bits in GSMBasic user identity protection (“pseudonyms”)GSM crypto is probably (one of) the most frequently used crypto in the world.
6GSM Architecture (”2G”) MSC: Mobile Switching CenterBSC: Base Station Controller RBS: Radio Base StationMS: Mobile StationHLR: Home Location Register AuC: Authentication CenterSIM: Subcriber Identity ModuleKHLR/AuCAuthentication,shared key, A3 AlgorithmTo other (mobile) network(s)MSCEncryption: A5/1, A5/3 (64 bit) A5/2 (”export” version)A5/4 (128 bits, new)BSCRBSK128-bit keyMSSIM
9 Quick Note: LFSR (Linear feedback shift register) key =1output1State:1...01XOR:ed with plaintextVery efficient, rich theory, unfortunately very insecure…Add non-linear componentsCombine several LFSRsIrregular clockingUsed by A5/1 and A5/2
10Lesson #1: Avoid using the same key for two different things Idea behind the attackA5/2 is highly ”linear”, can be expressed as linear equation system in 660 unknown 0/1 variables, of which 64 is the keyIf plaintext known, each 114-bit frame gives 114 equationsLesson #1: Avoid using the same key for two different thingsOnly difference between frames is that frame number increases by one.After 6 frames (in reality only 4) we have > 660 equations can solve! (Takes about 1sec on a PC)Even if “speech” plaintext unknown, GSM control channels contains known info and uses same key as speech channel!
11Lesson #2: Signalling that controls the Impact 1: Find key, eavesdrop (passive attack)Impact 2: Active attacks in any network (False base-station/man-in-the-middle attacks)Lesson #2: Signalling that controls thesecurity should be authentciated/integrity protected2 RAND1 RAND4 RES3 RES6 Start encr: A5/25 Start encr: A5/18 Stop encr9 Start encr: A5/1Lesson #3: If you change encryption algorithm, change also the key7 Attack key
12Note A5/2 is an ”export” version, not used in Sweden (or Europe) Attack does not apply to A5/1, A5/3…well almost….Various countermeasures proposed but expensive to upgrade all equipmentAdding integrity, change of keys as proposed on previous slide fall into the ”not-for-free” categorySimple and quite good solution is to phase out A5/2- This is in progress (done?)
13GSM Summary GSM was desiged in the ”dark ages” of crypto It addresses the threats that were considered at the timeIt targeted a 10-year ”economic lifetime”The best feature of GSM security is that securiy is built-inas a user, you don’t need to do ”configuration” etc
153G (UMTS) Security Described later Mutual Authentication with Replay ProtectionProtection of signalling dataSecure negotiation of protection algorithmsIntegrity protection and origin authenticationEncryptionProtection of user data payload“Open” algorithms basis for securityAES for authentication and key agreementKasumi (block cipher) for confidentiality/integritySecurity level (key sizes): 128 bitsProtection further into the networkLesson #2…Only feature common to GSM
16UMTS Architecture (”3G”) GSN: GPRS Support NodeSGSN: Serving GSNGGSN: Gateway GSN RNC: Radio Network ControllerME: Mobile EquipmentUMTS Architecture (”3G”)KHLR/AuCGPRS, ”2.5G”Authentication, shared key Milenage (AES) algorithmTo other (mobile) network(s)MSC”Internet”SGSNGGSNEncryption:UEA1 or UEA2RNC”secure env””insecure env”Signalling integrity:UIA1 or UIA2NodeBKMEUMTS SIM (USIM)
17UMTS Encryption Example: UEA1 COUNT || BEARER || DIR || 0…0 (64 bits)Kasumim (const)c = 1c = 2c = B“Provably” secure under assumptions on KasumiKasumiKasumiKasumiKasumiCK (128 bits)“keystream” XOR:ed with plaintext
18Note There are no known security problems with UMTS HSPA (a.k.a. ”Mobile broadband”, ”Turbo 3G”,...) is from crypto/security point of view identical to 3G/UMTSYou can feel safe when using it!
20Disclaimer on Notation ”LTE” refers only to the radio part of the new standardAlso other parts of the mobile network is upgradedRefered to as EPC, ”Evolved Packet Core”Will for simplicty use ”LTE” to denote the entire architectureIf you do look at the standards document (3GPP TS ) you will not see the same names for keys etc
21Background: Standardization Mobile standards (including security functions) are defined by 3GPP (part of ETSI)Participation by mobile vendors and operatorsThe cryptography is defined by SAGE (also part of ETSI)Special Algorithm Group of Experts2006: initiative for ”next generation”, LTE, startedSlogan: ”At least as secure as UMTS”First LTE release just finished after intense efforts- Example: considering only Ericsson and only security, we had 240 contributions during 2008
22LTE Thinking Starting from a UMTS network... IP part, efficient, cheap, attaractive services:keep and optimize!HLR/AuCsplitOldfashioned ”telephony”: get rid of it!After 1 years of discussion in standardization it was decided to terminate (most) security in NodeB.MSC”Internet”SGSNGGSN?Powerful but complex, adds delay/latencyRNCBut what do we do with encryption?”secure env”New ”radio”, 100Mb/s(OFDM)”insecure env”NodeBHigh security: keep SIM conceptME
23LTE - A simplified network - HSS: Home Subscriber SystemMME: Mobility Management EntityeNodeB: Evolved NodeBencryptionintgegrityKHSSAuthentication, similar to UMTSInternet &IP services”split” into controland user plane“Gateway”MMERe-encryption of user traffic (IPsec)Encryption/integrity, for network control signallingEncryption for user trafficeNodeBEncryption/integrity, for radio control signalling5 different keys used...KSame USIM as in UMTS but K may be up to 256 bitsME
24Recap of Lesson #1 and #3”Don’t use the same key for two different things”Suppose we have a function, F, from a set of pseudo random functions (outputs ”look” random):Applications:Key1 for algorithm1, Key2 for algorithm2Key1 for encryption, Key2 for integrityKey1 for user data, Key2 for control sign....etc...KeyKey1F(Key, ”1”)Key2F(Key, ”2”)* Key1 can not be reverse-engineered from Key2 (or v.v.)* Key can not be reverse-engineered from Key1 and/or Key2
25Fasten Seatbelts... Notation: black color for unprotected infored color for encrypted intoyellow color for integrity protected infoblue color for encrypted and integrity protectedNext slides does not show which-key-is-used-for-whatF denotes a PRF based on HMAC_SHA256AES1, AES2, AES3 denotes 3 PRFs based on AES
26LTE: Initial Attach K K eNB MME HSS - Does AUTN come from HSS? - Have I seen it before?ATTACH REQUEST (IMSI, SUPPORTED_ALGS)AUTH VECT FETCH (IMSI)1. Check (AES1(K, RAND), SQN, AUTN))2. RES = AES2(K, RAND)3. (Ck, Ik) = AES3(K, RAND)RAND, XRES, AUTN, KARAND, AUTNRAND = RANDOM() SQN = SQN + 1AUTN = AES1(K, RAND, SQN)RES = AES2(K, AND)(Ck, Ik) = AES3(K, RAND) KA = F(Ck, Ik, ...)Check: RES == XRES ??RES, Ck, IkRESDerive KA, Ke ....KN-encKN-intKAFKe”OK”, SELECTED_ALG, SUPPORTED_ALGS- Verify ”OK” - Switch ”on” security[”OK”]KeProtected signalingKeRRC-encKeRRC-intKeUP-encKeFProtected traffic
27LTE: Key Hirearchy USIM/HSS ME/HSS ME/MME ME/eNB ME/MME ”Downward” derivationby one-way function,infeasible to get ”high”key from a ”low” keyUSIM/HSSCKIKME/HSSKAME/MMEKN-intKN-encKeME/eNBME/MMEKeUP-encKeRRC-intKeRRC-encPRF: infeasible to to get another key on ”same level”
28Example Ck, Ik KA = F(Ck, Ik, ....) KA Ke = F(KA, ....) Ke HSS MME eNodeB
29LTE Key Handling at Handover (1/3) ”Backard Security”GatewayKAMMEHandoverKe2 = F(Ke1,...)Ke2eNodeB1Ke1eNodeB2Ke2”Handover to eNodeB2”KA, Ke1, ...
32Inter-System Handover/Mobility 3GPP systems support optimized handover between systems,e.g. GSM UMTS during an ongoing callWaiting for (re)authentication too expensiveThe ongoing call would be haltedSolution: key transfer and implict authentication...
33Implicit Authetication User already authenticated in GSM... moves to UMTSMay need transatalantic communication...HLR/AuCKGSMKUMTS = c(KGSM)MSCSGSNKGSMKUMTSAlso, c is a weak XOR-functionBSCRNCThe fact that user was able to produce the correct KUMTS ”proves” that it is the same useror...?KGSMRBSNodeBKGSM
34LTE Inter-system Key Handling Example: UMTS LTE KUMTSKLTE = F1(KUMTS)SGSNMMEKUMTS = F2(KLTE)KLTERNCNodeBeNodeBF1, F2 based on HMAC_SHA256
35Note on ”Crypto capacity” Dedicated Crypto HWQuite high ”crypto load”,say ~ 102 base stationsGatewayMay serve 3-6 ”cells” / ”phones”600Mb/s100Mb/sNodeB100Mb/s
36LTE Crypto Algorithms...Key derivation (128 or 256 bits) functions usingAES on the USIM cardHMAC_SHA256 in ”the phone”Integrity protectionAES-CMACFunction based on polynomials over finite fieldsCan be ”proven” to be secureEncryptionAES-CounterModeSNOW 3G
37SNOW 3G Basic design by T. Johansson & P. Ekdahl (U. Lund) Improvements by ETSI SAGE
38SummaryDespite some attacks on GSM security, the security is so far pretty much a success storyMain reason: convenience and invisibility to userUMTS crypto significantly improved, use with confidenceMain reason: free world, longer keys, “open” standardTheEndLTE much more complex, needed to meet “at least as secure as 3G”Main reason: security “ends” at the base station