Network Security Security in Traditional Wireless Networks 1 Network Security Chapter 6. Security in Traditional Wireless Networks.

Presentation transcript:


Slide 2: Objectives
- Security in First Generation TWNs
- Security in Second Generation TWNs
- Security in 2.5 Generation TWNs
- Security in 3G TWNs
- Summary

Slide 3: Security in 1G TWNs
- The designers had too many other problems to solve before security became a priority.
- The AMPS radio interface was analog, and AMPS used no encryption.
- Authentication
  - The mobile station sends its ESN (Electronic Serial Number) to the MTSO in clear text over the air interface.
  - Cellular telephone conversations can be eavesdropped on.
  - A valid ESN can be captured, which allows cloning.

Slide 4: Security in 2G TWNs

Slide 5: Security in 2G TWNs
- Uses a digital system.
- Beyond the BTS is considered a controlled environment.
- Aims to secure only the access network (MS/ME to BTS).

Slide 6: Anonymity in GSM
- IMSI (International Mobile Subscriber Identity)
  - The MS informs the network about the IMSI's new location when it crosses a cell boundary.
  - This allows the network to route an incoming call to the correct cell.
  - If an eavesdropper can capture the IMSI over the air, they can determine the identity of the subscriber and their location.
- TMSI (Temporary Mobile Subscriber Identity)
  - When a SIM has authenticated with the network, the VLR allocates a TMSI to the subscriber.
  - GSM protects against subscriber traceability by using the TMSI.
  - The TMSI has only local significance.
  - The IMSI-TMSI mapping is maintained in the VLR/MSC.
  - When it is switched off, the mobile station stores the TMSI on the SIM card to make sure it is available when it is switched on again.

Slide 7: Anonymity in GSM

Slide 8: Key Establishment in GSM
- No key establishment protocol in the GSM security architecture model.
- Uses a 128-bit pre-shared key Ki.
- Ki is stored in the SIM and the AuC.

Slide 9: Authentication in GSM
(1) MS → BTS: sign-on msg {IMSI or TMSI}
(2) MSC → HLR: request 5 triplets {RAND, SRES, Kc}
(3) HLR → MSC: send 5 triplets
(4) MSC → MS: RAND
(5) MS → MTS: SRES
(6) authenticated!!
- BSC-MSC-HLR channels are assumed to be secure.

Slide 10: Authentication in GSM
- Why request 5 triplets?
- To improve roaming performance.
- Instead of contacting the HLR for security triplets each time an ME roams into its coverage, the MSC gets five sets of triplets: one for the current authentication process and four for future use.

Slide 11: Authentication and ciphering information transmission

Slide 12: Session Key Kc Generation
- A8 inputs: Ki (128 bits), RAND (128 bits)
- A8 output: Kc (64 bits: appended with 10 zeros)
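
The triplet exchange of slides 9, 10 and 12, as an added Python example that is not part of the original slides. HMAC-SHA256 stands in for A3/A8 (it is not COMP128), and the class names and the test IMSI used with it are constructed for illustration.

```python
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for A3/A8 (NOT COMP128): returns (SRES, Kc)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]                                     # 32-bit response
    kc = int.from_bytes(digest[4:12], "big") >> 10 << 10  # 64 bits, low 10 zeroed
    return sres, kc.to_bytes(8, "big")


class AuC:
    """Holds Ki per IMSI and hands out triplets; Ki itself never leaves it."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplets(self, imsi: str, count: int = 5) -> list:
        out = []
        for _ in range(count):
            rand = os.urandom(16)                         # 128-bit challenge
            out.append((rand, *a3_a8(self._ki[imsi], rand)))
        return out


class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes) -> tuple:
        # The SIM answers any RAND: nothing here authenticates the network.
        return a3_a8(self._ki, rand)


class MSC:
    def __init__(self, auc: AuC):
        self.auc, self.cache, self.hlr_requests = auc, {}, 0

    def authenticate(self, sim: SIM):
        """Return the session key Kc on success, None on failure."""
        queue = self.cache.setdefault(sim.imsi, [])
        if not queue:                                     # no triplets left: ask the HLR
            queue.extend(self.auc.triplets(sim.imsi))
            self.hlr_requests += 1
        rand, expected_sres, kc = queue.pop(0)            # each triplet is used once
        sres, _ = sim.respond(rand)
        return kc if hmac.compare_digest(sres, expected_sres) else None
```

Five consecutive authentications cost one HLR round trip, and every Kc returned has its low 10 bits at zero, so only 54 bits of the 64-bit key vary.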

Slide 13: Authentication
- GSM assumes the core network beyond the BSC is secure.
  - The BTS-BSC link is not part of the core.
  - GSM does not specify how this link needs to be connected.
  - In practice, it is connected by microwave.
  - It is susceptible to attacks.
- Protection against equipment theft
  - GSM authenticates the SIM card and not the subscriber of the SIM card.
  - When an ME is stolen, the user of the ME reports it to the service provider.
  - The service provider maintains the compromised SIM card.

Slide 14: Confidentiality in GSM
- Provides confidentiality over the wireless (ME-BTS) interface.
- A5: GSM standard stream-ciphering algorithm.
  - A5/0: unencrypted
  - A5/1 (54 bit): original, used by member countries of CEPT (European Conference of Post and Telecommunication Administrations)
  - A5/2 (16 bit): non-CEPT member countries
  - A5/3: for 3G
  - Implemented in hardware of the ME.
  - Kc: encryption key.

Slide 15: What's wrong with GSM Security?
- No provision for any integrity protection of data and messages.
  - Open to man-in-the-middle attack.
- Only the ME-BTS interface is secured.
  - The BTS-BSC interface is not cryptographically protected.
  - Sometimes this link is wireless, which makes it an attractive target for attacks.
- Cipher algorithms (A5 family) are not published along with the GSM standards.
  - This does not allow public review.
- Small key length: Kc is 64 bits (54 bits + 10 zeros).
  - Big enough to protect against real-time attack, but weak against off-line attack.
  - The GSM security architecture is inflexible: difficult to replace.

Slide 16: What's wrong with GSM Security?
- SIM cloning: recover Ki from the SIM card
  - Chosen-plaintext attack: (RAND, SRES) pair, 8 adaptively chosen plaintexts within a minute.
  - Recover Ki using differential cryptanalysis or side channel attack.
  - (1) Physical access to the SIM card, communicating with the SIM through a smartcard reader. Recovery in a matter of a few hours.
  - (2) Wireless contact over the air interface. Must be capable of masquerading as a rogue BTS. The ME is moving, so there is not enough time to collect enough (chosen-plaintext, ciphertext) pairs.

Slide 17: What's wrong with GSM Security?
- SIM cloning (continued)
  - (3) Attempt to have the AuC generate the SRES of given RANDs instead of using the SIM. This exploits the lack of security in the SS7 signaling network. The core signaling network is not cryptographically protected and incoming messages are not verified for authenticity, so it is possible to use the AuC to generate SRESs for chosen RANDs.

Slide 18: What's wrong with GSM Security?
- Clear transmission of cipher keys and authentication values within and between networks
  - Signaling system is vulnerable to interception and impersonation.
- One-way authentication: no network authentication.
  - An attacker can masquerade as a BTS and hijack the ME.
- Service provider can choose null encryption (A5/0)
  - ME is allowed to connect to.

Slide 19: Security in 2.5 Generation TWNs

Slide 20: Security in 2.5G (GPRS) TWNs
- For data service: allocate multiple time slots.
- Encryption/decryption: between MS and SGSN
  - Protects the link between BTS and SGSN.

Slide 21: GPRS Authentication and Key Derivation

Slide 22: WAP (Wireless Application Protocol)
- GPRS lets the ME connect to the Internet.
- End-to-end security is required.
- HTTP/HTML is not optimized for the ME (CPU power, screen, bandwidth, memory).

Slide 23: WAP (Wireless Application Protocol)
- WAP Gateway: WTP/WML ↔ HTTP/HTML
- WTLS (Wireless Transport Layer Security): provides end-to-end security similar to TLS

Slide 24: Code Security
- An ME in GPRS can download and run applets.
- A malicious applet can harm the ME.
- Applets are signed by CAs.
  - Before executing the applet, the subscriber can be informed of the CA which has signed the applet.
  - If the subscriber trusts that CA, they can allow the applet to be executed on their ME.

Slide 25: Security in 3G TWNs

Slide 26: Security in 3G TWNs
- UMTS (Universal Mobile Telecommunications System) Security Architecture
  - Designed using GSM security as the starting point.
  - Adopts the GSM features that have proved to be secure.
  - Redesigns the features that have been found to be weak.
  - To ensure interoperability between GSM and UMTS.

Slide 27: Building on GSM Security: Architecture

Slide 28: UMTS Security Architecture overview

Slide 29: Anonymity in UMTS
- Chicken-and-egg situation
  - First the ME identifies itself (its IMSI) to the network.
  - TMSI allocation should be performed after initiation of ciphering to ensure TMSI protection.
  - Ciphering cannot start unless the CK (cipher key) has been established between the USIM and the network.
  - CK cannot be established unless the network first identifies the subscriber using its IMSI.
- VLRo: old (previous) VLR; VLRn: new VLR
  - ME → VLRn: TMSI_old (previous one)
  - VLRn → VLRo: request the IMSI corresponding to this TMSI
  - If VLRn cannot retrieve it, it requests the ME to identify itself by its IMSI.
  - Now AKA starts, or a previously existing set of keys is used.
  - Can you identify UMTS's bottom line? See the textbook.

Slide 30: AKA
- After completion of the AKA (authentication and key agreement) procedure, establish the Kc between the USIM and the network.
- Now assign a new TMSI to the ME.
- SQN (sequence number): can be exploited to trace a subscriber.
  - The network maintains a per-subscriber SQN.
  - It needs to be encrypted.
  - AK (anonymity key): protects the SQN to prevent traceability.

Slide 31: Key establishment in UMTS
- No key establishment protocol in UMTS.
- 128-bit pre-shared secret key Ki between USIM and AuC.
- Authentication in UMTS is mutual.

Slide 32: Authentication in UMTS
(1) USIM → VLR/MSC: sign-on
(2) VLR → AuC/HLR: auth data request
(3) AuC → VLR: auth vectors (several sets of auth data)
(4) VLR selects the first vector and stores the rest.
(5) VLR → USIM: RAND (128 bit), AUTN (128 bit)
(6) USIM: if MAC in AUTN ?= XMAC and SQN is in the correct range, then authenticated.
(7) If verification is OK, USIM → VLR: RES
(8) VLR: if RES ?= XRES from AuC, then authenticated

Slide 33: AKA Variables and Functions

Slide 34: UMTS Authentication Vector Generation
- AMF: Authentication Management Field
- Computation in the HLR on VLR request (Step 2 in p.32)

Slide 35: UMTS Response Generation at USIM
(1) From VLR
(2) Inside of USIM
(3) Send RES to VLR

Slide 36: Authentication in UMTS
- After mutual authentication has completed, the VLR and USIM establish CK, IK, AK.
- MILENAGE: recommended function for UMTS authentication (corresponding to COMP-128).
- But the service provider can choose another function.
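
The mutual authentication of slides 32 to 36, as an added Python example that is not part of the original slides. HMAC-SHA256 stands in for the f1..f5 functions (it is not MILENAGE); the field widths follow the 128-bit AUTN on slide 32 (48-bit SQN masked by AK, 16-bit AMF, 64-bit MAC), and the AMF value and SQN window size are assumptions.

```python
import hashlib
import hmac
import os


def f(tag: bytes, k: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for f1..f5 (NOT MILENAGE): HMAC-SHA256 truncated to n bytes."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auc_vector(k: bytes, sqn: int, amf: bytes = b"\x80\x00") -> dict:
    """AuC side: build one authentication vector for the VLR."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(b"f1", k, sqn_b + rand + amf, 8)   # proves the network knows K
    ak = f(b"f5", k, rand, 6)                  # anonymity key, masks SQN
    return {
        "RAND": rand,
        "XRES": f(b"f2", k, rand, 8),
        "CK": f(b"f3", k, rand, 16),
        "IK": f(b"f4", k, rand, 16),
        "AUTN": xor(sqn_b, ak) + amf + mac,    # 6 + 2 + 8 bytes = 128 bits
    }


class USIM:
    SQN_WINDOW = 32  # assumed size of the acceptable SQN range

    def __init__(self, k: bytes):
        self._k = k
        self.sqn = 0  # highest SQN accepted so far

    def respond(self, rand: bytes, autn: bytes) -> bytes:
        """Steps (6)-(7): verify the network first, then return RES."""
        ak = f(b"f5", self._k, rand, 6)
        sqn_b, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        xmac = f(b"f1", self._k, sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, xmac):
            raise ValueError("MAC != XMAC: network not authenticated")
        sqn = int.from_bytes(sqn_b, "big")
        if not self.sqn < sqn <= self.sqn + self.SQN_WINDOW:
            raise ValueError("SQN out of range: replayed or stale vector")
        self.sqn = sqn
        return f(b"f2", self._k, rand, 8)


def vlr_authenticate(usim: USIM, vector: dict) -> str:
    """Steps (5) and (8) as seen by the VLR; returns the outcome as text."""
    try:
        res = usim.respond(vector["RAND"], vector["AUTN"])
    except ValueError as err:
        return f"rejected by USIM ({err})"
    return "authenticated" if hmac.compare_digest(res, vector["XRES"]) else "RES != XRES"
```

Unlike the GSM SIM, this USIM returns RES only after the MAC and SQN checks pass, so a replayed vector or one built without the shared key is refused before any response leaves the card.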

Slide 37: Confidentiality in UMTS
- f8: key stream generation algorithm
- KASUMI: uses a 128-bit session key.
- COUNT-C (32-bit): ciphering sequence number, updated sequentially every plaintext block
- BEARER (5-bit): bearer channel number
- DIRECTION (1-bit): the direction of the link (uplink or downlink)
- LENGTH (16-bit): length of the key stream block

Slide 38: UMTS Stream Cipher f8
About KASUMI

Slide 39: Confidentiality in UMTS
- Provides confidentiality on the link between ME and RNC.
  - Includes the BTS-RNC link, which is equivalent to BTS-BSC.
  - Closes the loopholes of GSM security in the BTS-BSC link.
- UMTS encryption is applied to all subscriber traffic as well as signaling messages.

Slide 40: Integrity Protection in UMTS
- GSM security did not provide integrity protection.
- UMTS solves this problem using the integrity key IK.
- MAC-I: attached to the message by the sender.
- FRESH: 32-bit per-connection nonce.

Slide 41: UMTS Integrity Function f9

Slide 42: Voice data integrity Protection in UMTS
- Integrity protection involves a lot of overhead in terms of processing and bandwidth.
- For voice integrity, it is sufficient to integrity-protect the number of user packets in a conversation.
- Inserting, deleting or modifying words in a conversation would lead to a change in the number of packets.
- In UMTS, the RNC periodically sends a message containing a sequence number to the ME. This message is integrity protected.

Slide 43: Layer in UMTS
- The MAC layer offers data transfer to RLC and higher layers.
- The RLC (Radio Link Control) layer offers the following services to the higher layers:
  - Layer 2 connection establishment/release
  - Transparent data transfer, i.e., no protocol overhead is appended to the information unit received from the higher layer
  - Assured and unassured data transfer
- The RRC (Radio Resource Control) layer offers the core network the following services:
  - General control service, which is used as an information broadcast service
  - Notification service, which is used for paging and notification of selected UEs
  - Dedicated control service, which is used for establishment/release of a connection and transfer of messages using the connection.

Slide 44: Putting the Pieces Together
(1) MS → RNC: L2 connection {User Encryption Algorithms (UEAs), User Integrity Algorithms (UIAs), …}
(2) MS → VLR: L3 connection msg. (location update req., routing update req., attach req., ...) {IMSI or TMSI, Key Set Identifier (KSI) for CK, IK, ...}
(3) Authentication and key generation (CK, IK) {new key or old key}
(4) – (11)

Slide 45: Network Domain Security
- MAP (Mobile Application Part): an SS7 protocol for UMTS.
- MAPSEC: protects MAP messages (in the SS7 network).
- A KAC (Key Administration Center) establishes an SA (Security Association) with another KAC.
- KACs use the IKE (Internet Key Exchange) protocol.
- KACs distribute SAs to NEs (key distribution).
- NEs use SAs to protect MAP messages.

Slide 46: Network Domain Security for IP-based Network
- UMTS is expected to be more closely tied to IP-based networks.
- Replacing SS7 signaling (MAP) with IP-based signaling (like SIP).
- MAP over IP for legacy networks.
  - SEG (Security Gateway): establishes an SA with another SEG.
  - Provides MAP message protection for NEs.

Slide 47: Resources
- GSM SECURITY: FAQs, papers, standards, books, news, …