Security in GSM/GPRS and UMTS
Security in GSM/GPRS The cellular network must warranty a secure transmission of voice and data without interception, and avoid fraud Security in GSM/GPRS is implemented in the following elements: SIM – This holds the IMSI, the ultrasecret MS key Ki, ciphering key generation algorythm (A8), authentication algorythm (A3) and PIN code Handset – Implements the ciphering algorythms A5 (GSM), GEA1, GEA2, GEA3 (GPRS) in the hardware GSM Network: The AUC (AUthentication Center) is a data base that holds the master keys Ki of users and generates the triplets (RAND, SRES & Kc) vectors. The SGSN stores the triplets to use them during the authentication (RAND, SRES) and ciphering (Kc) and holds the temporary information about attached users (TLLI) Core Network: Network layer (IP) IPSEC; Session layer: (AAA)* RADIUS, DIAMETER, SSL, WTLS (WAP) *AAA: Authentication, Authorization & Accounting
Authentication and Ciphering in GPRS RAI & TLLI or IMSI Request Authentication IMSI Request Authentication Triplets Ki Generate RAND (1..n) A3 A8 SRES (1..n) Kc (1..n) RAND A8 A3 SRES Pass Fail = ? Authentication Ciphering? Ciphering ? Store (1..n) RAND, SRES, Kc vectors GPRS uses the following elements: A random number called RAND A secret Key Ki used for: (The Ki only exist in the HLR and the USIM) Authenticating the subscriber Generating another key for ciphering called Kc An algorithm A3 generating a number SRES (Signed Result) from Ki and RAND input. An algorithm A8 generating the key Kc from the Ki and RAND input. An algorithm A5 (GEA1, GEA2) to apply the ciphering on the transmitted data using the key Kc. ENCRYPTED DATA
GPRS Authentication no encryption Trace: Gb_noencrypted Trace: Gr_noencrypted GMM: IMSI Attach Request [IMSI], [RAI] 3 MAP: SendAuthenticationInfoArg [IMSI] Request Authentication vectors [n] 1 MAP: SendAuthenticationInfoResArg N times [RAND],[SRES] & [KC] 4 Authentication & Ciphering Request[RAND] [Ciphering Algorithm not used] 6 Y MAP: UpdateGPRSLocationArg [IMSI] [SGSNnumber], [SGSN IP] 5 Authentication & Ciphering Response[SRES] SRES =? 9 MAP: InsertSubscriberData Arg [MISDN],[GPRS services and QoS contract] 6 Ack 7 MAP: UpdateGPRSLocatioRes [HLR number] 8 GMM: Attach Accept [P-TMSI] 14 GMM: Attach Complete New TLLI = P-TMSI 17 NOTE: See traces Gb_noencryption & Gr_noencryption
Why Encryption? Security of user data over the air interface The encryption algorythm is installed in the MS and the SGSN. This algorythm is restricted to MS to SGSN encrypted communications. Encryption is implemented at the LLC level. Kc is never transmited over the radio interface. Input: This is the LLC frame dependent input parameter (32 bits) for the ciphering algorithm. Depending on the frame type, this field is derived as follows: - For I-frames carrying user data: - The input value is set to a random initial value at LLC connection set-up and incremented by 1 for each new frame. - For UI-frames carrying user data and signalling messages: - the input parameter is a non-repeating 32-bit value derived from the LLC header. Direction: (1 bit) uplink or downlink Output: This is the output of the ciphering algorithm. The maximum length (1600 octets) of the output string is the maximum length of the payload of the LLC frame, including the FCS (Frame Check Sequence, 3 octets). The minimum length of the output string is 5 octets.
Encrypted Protocols in GPRS After GGM: Authentication & ciphering response. All protocols above LLC are encrypted,between MS and SGSN ENCRYPTED
Non Ciphered Messages The following messages are never ciphered: Attach Request Attach Reject Authentication and Ciphering Request Authentication and Ciphering Response Authentication and Ciphering Reject Identity Request Identity Response Routing Area Update Request Routing Area Update Reject These messages are not ciphered so that the receiver (either SGSN or MS) can interpret the message
GPRS Authentication with encryption Trace: Gb_ciphering Trace: Gr_ciphering GMM: IMSI Attach Request [IMSI], [RAI] 5 MAP: SendAuthenticationInfoArg [IMSI] Request Authentication vectors [n] 1 MAP: SendAuthenticationInfoResArg N times [RAND],[SRES] & [KC] Authentication & Ciphering Request [RAND], [SQN] [Ciphering Algorithm GEA/1] 4 6 Y Authentication & Ciphering Response[SRES] 9 SRES =? MAP: UpdateGPRSLocationArg [IMSI] [SGSNnumber],[SGSN IP] 5 MAP: InsertSubscriberData Arg [MISDN],[GPRS services and QoS contract] 6 ENCRYPTED 7 Ack MAP: UpdateGPRSLocatioRes [HLR number] GMM: Attach Accept[P-TMSI] 8 16 GMM: Attach Complete 19 New TLLI = P-TMSI NOTE: See traces Gb_encryption & Gr_encryption
Tools to analyze and troubleshoot a GPRS deciphered link
Deciphering a Capture file PrismLite: offline only application Posibility to merge up to 3 Gb links offline Generates a raw .txt file <Gb01ciphered_dec.txt> Encryption is activated above the LLC level for signaling (GMM/SM) SAPI=1 and data (SAPI= 3, 5, 9 or 11) Gb Gr
Online deciphering Performer: both offline and online application Over 400,000 sessions online You can also use: An existing Gr File Write the Kc keys into a Gr file.
Security in UMTS
Security in UMTS Three entities are involved in the UMTS authentication Home Network (HLR/Auc): holds the master keys K of all UEs. Generates the Quintuplets vectors (RAND, XRES, CK, IK and AUTN) using 5 one way functions. Serving Network (VLR or SGSN): requests and stores the authentication vectors from the HLR, and sends the Authentication Request message to the UE with RAND and AUTN vectors. The USIM: In the Smart Card of the terminal, holds the master key K (unique for this terminal). When receives the Authentication Request message from VLR/SGSN with AUTN, and RAND vectors, uses these vectors together with the master key K to generate the vectors RES (used in the Authentication Response), CK (Ciphering Key) & IK (Integrity Key). After Authentication has been resolved, the corresponding CK & IK stored in the SGSN/VLR are transferred RNC using the RANAP: Security Mode procedure to start the integrity and encryption process between the UE and the RNC *AAA: Authentication, Authorization & Accounting
Authentication Vectors Initial Parameters: K: Master Key (ultrasecret permanent 128 bits) SQN: Incremental Sequence Number (48 bits) RAND: Random bit Stream (128 bits) AMF: Administrative Authentication Management Field (16 bits) Calculated Parameters: MAC: Message Authentication Code (64 bits) XRES: Expected Authentication Response (4-64 bits) CK: Ciphering Key (128 bits) IK: Integrity Key (128 bits) AK: Anonymous Key (48 bits) Quintuplet Vectors: (1..n) RAND, AUTN, XRES, CK, IK Generated in AuC, temporarily Stored in SGSN/VLR & verified with USIM.
Authentication, Integrity & ciphering in UMTS Home Network Serving Network VLR PS: GMM_Attach Request [RAI & IMSI or P-TMSI] CS: MM_Location Update [LAI & IMSI or TMSI] MAP_Send Auth Info Arg:[ IMSI & num of vectors] Generate Auth Vectors MAP_Send Auth Info Resp: [(1..n) RAND,AUTN, XRES, CK, IK] Store Auth Vectors PS: GMM_Authentication & Ciphering Request [RAND & AUTN] CS: MM_Authentication Request [RAND] Verify AUTN Generate RES PS: GMM_Authentication & Ciphering Response [RES] CS: MM_Authentication Response [RES] RES=XRES RANAP_Security Mode Command [CK & IK] Encryption: Y/N RRC_Security Mode Command Encryption: Y/N Store CK & IK RRC_Security Mode Complete Chosen Integrity Algorythm RANAP_Security Mode Complete Chosen Integrity Algorythm MAP: UpdateGPRSLocationArg [IMSI] [SGSNnumber],[SGSN IP] MAP: InsertSubscriberData Arg [MISDN],[GPRS services and QoS contract] Ack MAP: UpdateGPRSLocatioRes [HLR number] GMM: Attach Accept [P-TMSI] GMM: Attach Complete Example: Open PTMSI_Att_Iu_Gr
Authentication Keys generation: AUC & USIM f2 AMF Generate SQN RAND AK MAC XRES IK CK f5 f4 f3 f1 VLR K IK XMAC RES CK AK SQN f2 f3 f4 f1 f5 = ? * AUTN: = SQN AK || AMF || MAC RAND IMSI Quintuplets: = RAND || XRES || CK || IK || AUTN RES : XOR || : Concatenation
Ciphered Protocols in UMTS After the RNC receives the Kc, the Security Mode Command is sent to the terminal to start the encryption WCDMA Physical Channels SDH or PDH ATM AAL2 MAC RELAY FP (Iub UP) RLC RRC Uu Iub ENCRYPTED MAC SDU Ciphered RLC PDU Ciphered
For tools to analyze and troubleshoot a UMTS deciphered link see: www For tools to analyze and troubleshoot a UMTS deciphered link see: www.radcom.com