PKS 2000, San Jose September 2000 Security for 3G Systems1 Michael Walker Head of R&D Vodafone UK Vodafone Professor of Telecommunications at Royal Holloway, University of London Chairman 3GPP SA3 - Security

PKS 2000, San Jose September 2000 Security for 3G Systems2 Acknowledgements rThis presentation is based on the technical specifications and reports produced by the members of 3GPP SA3 and ETSI SAGE available from rMuch of the back ground work was done as part of the EU funded ACTS project USECA the partners are Vodafone, G&D, Panasonic, Siemens Atea, Siemens AG & Katholieke Universiteit Leuven

PKS 2000, San Jose September 2000 Security for 3G Systems3 Principles for 3G Security rBuild on the security of GSM adopt the security features from GSM that have proved to be both needed and robust try to ensure compatibility with GSM in order to ease inter-working and handover rCorrect the problems with GSM by addressing its real and perceived security weaknesses rAdd new security features as are necessary to secure new services offered by 3G to take account of changes in network architecture

PKS 2000, San Jose September 2000 Security for 3G Systems4 3GPP/GSM Architecture GMSC GGSN HLR EIR AUC SCF SMS- IWMSC SMS- IWMSC RNC BS Uu Iu ANCNExternal Networks UE Iur D USIM ME RNC BS Uu USIM ME Iub Iu Gd, Gp, Gn+ SGSN MSC E, G Cu SMS- GMSC SMS- GMSC SGSN MSC BSC BTS Um SIM MT AbisA Gb ISDN PSTN PSPDN CSPDN PDN: -Intranet -Extranet -Internet BSS RNS UTRAN Note: Not all interfaces shown and named F Gf Gr Gn+ H

PKS 2000, San Jose September 2000 Security for 3G Systems5 Building on GSM Security rBe compatible with the GSM core network rProvide user authentication and radio interface encryption rContinue to use a smart card as a security module removable hardware terminal independent management of all customer parameters rSecurity must operate without user assistance rRequire minimal trust in serving network

PKS 2000, San Jose September 2000 Security for 3G Systems6 Limitations of GSM Security rSecurity problems in GSM stem by and large from design limitations on what is protected rather than on defects in the security mechanisms themselves design only provides access security - communications and signalling in the fixed network portion arent protected design does not address active attacks, whereby network elements may be impersonated designed to be only as secure as the fixed networks to which GSM systems connect lawful interception only considered as an after thought

PKS 2000, San Jose September 2000 Security for 3G Systems7 Limitations of GSM Security, 2 rFailure to acknowledge limitations encryption needed to guard against radio channel hijack the terminal is an unsecured environment - so trust in the terminal identity is misplaced rInadequate flexibility to upgrade and improve security functions over time rLack of visibility that the security is being applied no indication to the user that encryption is on no explicit confirmation to the home network that authentication is properly used when customers roam

PKS 2000, San Jose September 2000 Security for 3G Systems8 Limitations of GSM Security, 3 rLack of confidence in cryptographic algorithms lack of openness in design and publication of A5/1 misplaced belief by regulators in the effectiveness of controls on the export or (in some countries) the use of cryptography led to A5/2 encryption key length of 54 bits too short - some implementation faults make increase of length even to 64 bits difficult ill advised use of COMP 128 for authentication

PKS 2000, San Jose September 2000 Security for 3G Systems9 Specific GSM Security Problems rEncryption terminated too soon user traffic and signalling in clear on microwave links rClear transmission of cipher keys & authentication values within and between networks signalling system vulnerable to interception and impersonation rConfidence in strength of algorithms failure to choose best authentication algorithms improvements in cryptanalysis of A5/1 rUse of false base stations

PKS 2000, San Jose September 2000 Security for 3G Systems10 False Base Stations rUsed as IMSI Catcher for law enforcement rUsed to intercept mobile originated calls encryption controlled by network and user unaware if it is not on rDynamic cloning risk in networks where encryption is not used

PKS 2000, San Jose September 2000 Security for 3G Systems11 3GPP Security Architecture Overview Home stratum/ Serving stratum USIMHE/AuCTE Transport stratum MT SN/ VLR/ SGSN AN Application stratum User ApplicationProvider Application I. Network access security II. Provider domain security III. User domain security IV. Application specific security III. IV. I. II.

PKS 2000, San Jose September 2000 Security for 3G Systems12 Authentication & Key Agreement (AKA) rProvides authentication of user (USIM) to network & network to user rEstablishes a cipher key CK & an integrity key IK rProvides an authenticated management field from home network to USIM to allow algorithms and authentication keys to be selected the home network to control the number of times a particular (CK,IK) pair is used

PKS 2000, San Jose September 2000 Security for 3G Systems13 AKA Message Flow auth. data request Quintets (RAND, XRES, CK, IK, AUTN ) RAND, AUTN RES Generate quintets Verify MAC, SQN Derive CK, IK, RES Start using CK, IK XRES = RES ? USIM HLR/AuC VLR or SGSN Distribution of quintets from HLR/AuC to VLR/SGSN Over-the-air authentication and key agreement

PKS 2000, San Jose September 2000 Security for 3G Systems14 AKA Variables and Functions K= user specific authentication key RAND = random challenge generated by AuC in users home network SQN = sequence number XRES = f2 K (RAND) = expected user response computed by AuC CK = f3 K (RAND) = cipher key IK = f4 K (RAND) = integrity key AK = f5 K (RAND) = anonymity key AMF = authentication management field MAC = f1 K (SQN || RAND || AMF) = message authentication code computed over SQN, RAND and AMF AUTN = SQN AK || AMF || MAC = network authentication token, concealment of SQN with AK is optional Quintet = (RAND, XRES, CK, IK, AUTN)

PKS 2000, San Jose September 2000 Security for 3G Systems15 AKA Cryptographic Parameters rK128 bits rRAND128 bits rRES bits rCK128 bits rIK128 bits rAUTN128 bits SQNSequence number48 bits AMFAuthentication management field16 bits MACMessage authentication code64 bits

PKS 2000, San Jose September 2000 Security for 3G Systems16 Air-interface Encryption, 1 rApplies to all user traffic and signalling messages rUses stream ciphering function f8: UEA1 = Kasumi; UEA0 = no encryption CIPHERTEXT BLOCK COUNT-C BEARER DIRECTION LENGTH CK PLAINTEXT BLOCK f8 KEYSTREAM BLOCK COUNT-C BEARER DIRECTION LENGTH CK f8 KEYSTREAM BLOCK PLAINTEXT BLOCK Sender ME or RNC Receiver ME or RNC

PKS 2000, San Jose September 2000 Security for 3G Systems17 Air-interface Encryption, 2 Termination points user side: mobile equipment, network side: radio network controller Ciphering in layer 2 RLC sublayernon-transparent RLC mode (signalling, data) MAC sublayer transparent RLC mode(voice) Key input values to algorithm CK128 bitsCipher key COUNT-C32 bitsCiphering sequence number Further input values BEARER5 bitsBearer identity DIRECTION1 bitUplink/downlink LENGTH16 bitsLength of keystream block

PKS 2000, San Jose September 2000 Security for 3G Systems18 Air-interface Integrity Mechanism, 1 rApplies to all except a specifically excluded signalling messages after security mode set-up rMS supervises that it is started rUses integrity function f9: UIA1 = Kasumi COUNT- I MESSAGE DIRECTION FRESH IK f9 MAC- I COUNT- I MESSAGE DIRECTION FRESH IK f9 XMAC- I Sender ME or RNC Receiver ME or RNC MESSAGE MAC- I MAC- I = XMAC- I ?

PKS 2000, San Jose September 2000 Security for 3G Systems19 Air-interface Integrity Mechanism, 2 Termination points user side: mobile equipment, network side: radio network controller Integrity protection: layer 2 RRC sublayer Key input values IK128 bitsIntegrity key COUNT-I32 bits Integrity sequence number FRESH32 bitsConnection nonce MESSAGESignalling message Further input values DIRECTION1 bitUplink/downlink Output values MAC-I/XMAC-I 32 bits message authentication code

PKS 2000, San Jose September 2000 Security for 3G Systems20 Security Choices rAKA is performed when the user enters a new SN the user indicates that a new AKA is required when the amount of data ciphered with CK has reached a threshold the serving network decides rOtherwise integrity-key based authentication rSelection of UEA and UIA by users home environment

PKS 2000, San Jose September 2000 Security for 3G Systems21 Network Domain Security rSecures signalling data transmitted between and within 3GPP networks for example the authentication vectors rTwo different security protocols being designed rApplication layer security for signalling protocols running over SS7, for example MAP and CAP rIP layer security for native IP based protocols such as GTP and CSCF- HSS signalling

PKS 2000, San Jose September 2000 Security for 3G Systems22 Application Layer Security Architecture

PKS 2000, San Jose September 2000 Security for 3G Systems23 Application Layer Security Features rMAP signalling provided with encryption, origin authentication and integrity using standard symmetric techniques rBlock cipher BEANO designed by ETSI SAGE for securing signalling on public networks may be used rFor communications secured at the application layer, 3GPP will define new Security Associations (i.e. create a new Domain of Interpretation)

PKS 2000, San Jose September 2000 Security for 3G Systems24 IP Layer Security Architecture

PKS 2000, San Jose September 2000 Security for 3G Systems25 IP Layer Security Features rIP layer security provides encryption, origin authentication and integrity using standard IPsec techniques rSecurity may be applied end-to-end between Network Elements (NE) hop-by-hop via Security Gateways (SEG) rFor communications secured using IPsec, the IETF IPsec Security Association will be adapted/profiled for 3GPP

PKS 2000, San Jose September 2000 Security for 3G Systems26 Key Management For Network Domain Security rA two-tiered key management architecture will be adopted in the first phase KACs support IKE and public key rMigration to a PKI-based flat key management architecture will be considered for later phases NEs support IKE and public key On-line KACs become off-line CAs

PKS 2000, San Jose September 2000 Security for 3G Systems27 Encryption & Integrity Algorithm Requirements rLow power with low gate-count hardware implementation as well as software rNo practical attack significantly more efficient than exhaustive key search rNo export restrictions on terminals (or USIM), and network equipment exportable under licence in accordance with Wassenaar rTime for development - six months!

PKS 2000, San Jose September 2000 Security for 3G Systems28 General Approach to Design rETSI SAGE appointed as design authority rRobust approach to exportability - full strength algorithm and expect agencies to fall into line rUse existing block cipher as starting point rMISTY1 chosen: fairly well studied some provable security aspects parameter sizes suitable designed to be efficient in hardware and software offered by Mitsubishi free from royalty payments

PKS 2000, San Jose September 2000 Security for 3G Systems29 Design and Analysis rSAGE work led by Gert Roelofsen, with external experts: separate SAGE design and evaluation teams joined by Mitsuru Matsui from Mitsubishi - designer of MISTY additional evaluators for feasibility of implementation from Nokia, Ericsson and Motorola led by Kaisa Nyberg rExternal security evaluation by three teams: Leuven: Lars Knudsen, Bart Preneel, Vincent Rijmen, Johan Borst, Matt Robshaw Ecole Normale Superiere: Jacques Stern, Serge Vaudenay Royal Holloway: Fred Piper, Sean Murphy, Peter Wild, Simon Blackburn rOpen Publication -

PKS 2000, San Jose September 2000 Security for 3G Systems30 Other Aspects of 3GPP Security rOptions in AKA for sequence management rInteroperation with GSM rAKA+ and interoperation with 3GPP2 standards rFormal analysis of AKA rUser identity confidentiality rUser configurability and visibility of security features rLawful interception rSIM application toolkit security rMExE security rFraud information gathering rGERAN security rOSA/VHE security rLocation services security rAccess security for IP based services rProvision of a standard authentication and key generation algorithm for operators who do not wish to produce their own

PKS 2000, San Jose September 2000 Security for 3G Systems31 References to 3GPP Security Principles, objectives and requirements rTS Security principles and objectives rTS Security threats and requirements Architecture, mechanisms and algorithms rTS Security architecture rTS Integration guidelines rTS Cryptographic algorithm requirements rTS Personalisation of mobile equipment Lawful interception rTS Lawful interception requirements rTS Lawful interception architecture and functions Technical reports rTR A guide to 3G security rTR Criteria for cryptographic algorithm design process rTR Formal analysis of the 3G authentication protocol rTR General report on the design, specification and evaluation of 3GPP standard confid. & integ algs. rTR Report on the evaluation of 3GPP standard confid. & integ. Algs. Algorithm specifications rSpecification of the 3GPP confidentiality and integrity algorithms TS : f8 & f9 TS : KASUMI TS : implementors test data TS : design conformance test data