Published by Angelica Ryan. Modified over 6 years ago.
1
Special Topic: Mobile Security Part II – GSM and UMTS Security -- Dr. Frank Li CSCI 555
2
GSM Architecture (review)
[Figure: GSM architecture. Labels: OMC, EIR, AUC; fixed network; HLR, GMSC; NSS with OSS; VLR, MSC; BSC; RSS.]
Universität Karlsruhe, Institut für Telematik, Mobilkommunikation SS 1998. Prof. Dr. Dr. h.c. G. Krüger, E. Dorner / Dr. J. Schiller.
3
GSM – Components 1 (review)
Subscriber Identity Module (SIM) card: operator-dependent smart card which contains the A3/A8 algorithms, IMSI and Ki.
Mobile Equipment (ME): operator-independent communication device. It contains the A5 algorithm.
Base Transceiver Station (BTS): base stations form a patchwork of radio cells over a given geographic coverage area.
Base Station Controller (BSC): a node controlling a number of BTSs, coordinating handovers and performing BS co-ordination not related to switching.
Mobile Switching Center (MSC): a node controlling a number of BSCs. It is the central device and has many functions in the GSM system.
4
GSM – Components 2 (review)
Home Location Register (HLR): records the most recent known location of all MSs belonging to the MS’s home area. It contains all administrative information about each registered user.
Visited Location Register (VLR): records information about all MSs while they are in the “visiting” area.
Authentication Centre (AuC): used by an HLR to generate random challenges (RAND) and to store secret key information (Ki) relating to each of its MSs.
Equipment Identity Register (EIR):
  Black list – stolen or non-type mobiles
  White list – valid mobiles
  Gray list – local tracking mobiles
5
Subscriber Identity Module (review)
Smart card (processor chip card) in MS:
  Current encryption key Kc (64 bits)
  Secret subscriber key Ki (128 bits)
  Algorithms A3 and A8
  IMSI
  TMSI
  PIN, PUK
  Personal phone book
  SIM Application Toolkit (SIM-AT) platform
  ...
6
SIM Anatomy Subscriber Identification Module (SIM)
Smart card – a single-chip computer containing OS, file system, applications
Protected by PIN
Owned by operator (i.e. trusted)
SIM applications can be written with SIM Toolkit
7
Microprocessor Cards
Typical specification: 8 bit CPU, 16 K ROM, 256 bytes RAM, 4K EEPROM. Cost: $5-50
Smart Card Technology: based on ISO 7816, defining card size, contact layout, electrical characteristics; I/O protocols (byte/block based); file structure
8
Smart Card Anatomy
9
Temporary Mobile Subscriber Identity (review)
The TMSI hides the IMSI (which gives away the exact identity).
When an MS makes initial contact with the GSM network, an unencrypted subscriber identifier (IMSI) has to be transmitted.
GSM uses a 4-byte TMSI for local subscriber identification: it is selected by the current VLR and is only valid temporarily and within the location area of the VLR.
The IMSI is sent only once; then a temporary mobile subscriber identity (TMSI) is assigned (encrypted) and used in the entire range of the MSC.
10
TMSI (review)
When the MS moves into the range of another MSC, a new TMSI is assigned.
A VLR may change the TMSI periodically.
VLR keeps relation <(TMSI, LAI), IMSI>
LAI = Local Area Information
11
Security in GSM
Access control/authentication
  user - SIM (Subscriber Identity Module): secret PIN (personal identification number)
  SIM - network: challenge response method
Confidentiality
  voice and signaling encrypted on the wireless link (after successful authentication)
Anonymity
  temporary identity TMSI
  newly assigned at each new location update
  encrypted transmission
12
Cryptography in GSM
A3 -- authentication algorithm
A5 -- signalling data and user data encryption algorithm
A8 -- ciphering key generating algorithm
Note: These are symmetric key crypto algorithms. Public key cryptography was considered at the time (the 1980s) but was not considered mature enough.
13
GSM Authentication
[Figure: GSM authentication. In the mobile network the AC feeds RAND (128 bit) and Ki (128 bit) into A3 to obtain SRES* (32 bit); the SIM feeds the same RAND and its Ki (128 bit) into A3 to obtain SRES (32 bit) and returns it; the MSC checks SRES* =? SRES.]
Ki: individual subscriber authentication key
SRES: signed response
14
Authentication in ME
Authentication Steps:
1. Fixed subsystem transmits a non-predictable number RAND (128 bits) to the MS.
2. MS computes SRES, the ‘signature’ of RAND, using algorithm A3 and the secret Authentication Key Ki.
3. MS transmits SRES to the fixed subsystem.
4. The fixed subsystem tests SRES for validity.
Note:
Computations in ME are performed in the SIM.
Location update within the same VLR area follows the same pattern.
15
GSM - key generation and encryption
[Figure: GSM key generation and encryption. The AC in the mobile network and the SIM each feed RAND (128 bit) and Ki (128 bit) into A8 to obtain the cipher key Kc (64 bit). The BSS (BTS) and the MS use Kc with A5 to encrypt and decrypt data on the radio link.]
16
GSM Authentication (skip)
MSC/VLR → HLR/AuC: security related information request (IMSI)
HLR/AuC: generate RAND(1,…,n); apply A3/A8 with Ki
HLR/AuC → MSC/VLR: authentication vector response <RAND(1,..n),SRES(1,..n),Kc(1,..n)>
MSC/VLR: store <RAND,SRES,Kc> triples for IMSI
17
GSM Authentication (skip)
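[Figure: GSM authentication between SIM (MS) and MSC/VLR over the radio link. TMSI and RAND are exchanged; the SIM derives Kc from Ki and RAND with A8; the MSC/VLR looks up the key Kc from its store.]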
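The triplet exchange on the slides above, as an added Python example (not part of the original slides). HMAC-SHA256 stands in for the operator-chosen A3/A8 (it is not COMP128); the class names and the test IMSI are constructed for illustration.

```python
import hashlib
import hmac
import os

def a3a8(ki, rand):
    """Stand-in for the operator's A3/A8 pair (assumption: HMAC-SHA256, NOT COMP128).
    Returns (SRES, Kc): 32-bit signed response and 64-bit cipher key."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]

class AuC:
    """Home network: stores Ki per IMSI and issues <RAND, SRES, Kc> triplets."""
    def __init__(self):
        self.ki = {}
    def provision(self, imsi):
        self.ki[imsi] = os.urandom(16)        # 128-bit Ki, also written to the SIM
        return self.ki[imsi]
    def triplets(self, imsi, n):
        out = []
        for _ in range(n):
            rand = os.urandom(16)             # 128-bit non-predictable challenge
            out.append((rand,) + a3a8(self.ki[imsi], rand))
        return out

class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki
    def run_gsm_algorithm(self, rand):
        # The SIM answers any RAND: nothing in the challenge identifies its sender.
        return a3a8(self._ki, rand)

class VLR:
    """Visited network: never sees Ki, only the stored triplets."""
    def __init__(self, auc):
        self.auc, self.store, self.pending = auc, {}, None
    def challenge(self, imsi):
        if not self.store.get(imsi):
            self.store[imsi] = self.auc.triplets(imsi, 3)
        self.pending = self.store[imsi].pop(0)   # each triplet is used once
        return self.pending[0]
    def verify(self, sres):
        _, expected, kc = self.pending
        return kc if hmac.compare_digest(sres, expected) else None

def demo():
    auc = AuC()
    imsi = "001010000000001"                  # constructed test IMSI
    sim = SIM(imsi, auc.provision(imsi))
    vlr = VLR(auc)
    sres, kc_sim = sim.run_gsm_algorithm(vlr.challenge(imsi))
    keys_match = vlr.verify(sres) == kc_sim   # both ends now hold the same Kc
    wrong_sim = SIM(imsi, os.urandom(16))     # a SIM that lacks the right Ki
    bad_sres, _ = wrong_sim.run_gsm_algorithm(vlr.challenge(imsi))
    return keys_match, vlr.verify(bad_sres) is None
```

demo() returns (True, True): the genuine SIM ends up with the same Kc as the network, and a SIM without Ki is rejected.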
18
MS/BSC Encryption (skip)
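[Figure: MS/BSC encryption. On both the MS and the BSC, A5 takes Kc and COUNT [22 bit] (= TDMA frame no.) and produces a 114-bit cipher block, which is combined with 114 bits of plain text by bit-wise binary addition and sent over the radio link.]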
19
A5 Encryption
[Figure: A5 encryption in the GSM network. Panels: Mobile Stations, Base Station Subsystem, Exchange System, Network Management, Subscriber and terminal equipment databases. Components: BTS, BSC, MSC, VLR, OMC, HLR, AUC, EIR.]
20
GSM Security Summary
21
Cryptographic algorithms: A3/A8
Algorithms A3 and A8 are shared between subscriber and home network; thus each network could choose its own algorithms.
Algorithms A3 and A8 are at each operator’s discretion.
COMP128 is one choice for A3/A8; an attack to retrieve Ki from the SIM (cloning) is possible; not used by many European providers.
22
Stream Cipher A5
A5: stream cipher that encrypts 114-bit frames.
The key for each frame is derived from the secret key Kc and the current frame number (22 bits).
The algorithm has to be shared between all subscribers and all network operators.
Why a stream cipher, not a block cipher (DES or AES)?
Ans: Radio links are relatively noisy.
Block cipher: a single bit error in the cipher text affects an entire clear text frame.
Stream cipher: a single bit error in the cipher text affects a single clear text bit.
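The error-propagation argument above, as an added example (not from the original slides). Both ciphers are toys built on SHA-256 and labelled as such: the keystream generator is not A5 and the 4-round Feistel is not DES or AES; the key, frame number and plaintext are constructed.

```python
import hashlib

FRAME_BITS = 114                          # A5 encrypts 114-bit frames
KC = bytes.fromhex("0123456789abcdef")    # constructed 64-bit key
MASK64 = 2**64 - 1

def keystream(kc, frame_no):
    """Toy keystream (NOT A5): 114 bits derived from Kc and the 22-bit frame number."""
    d = hashlib.sha256(kc + frame_no.to_bytes(3, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - FRAME_BITS)

def stream_xor(kc, frame_no, bits):
    # Bit-wise addition with the keystream; the same call encrypts and decrypts.
    return bits ^ keystream(kc, frame_no)

def _round(key, rnd, half):
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(8, "big")).digest()
    return int.from_bytes(d[:8], "big")

def block_encrypt(key, block):
    """Toy 4-round Feistel on one 128-bit block (NOT DES/AES)."""
    l, r = block >> 64, block & MASK64
    for rnd in range(4):
        l, r = r, l ^ _round(key, rnd, r)
    return (l << 64) | r

def block_decrypt(key, block):
    l, r = block >> 64, block & MASK64
    for rnd in reversed(range(4)):
        l, r = r ^ _round(key, rnd, l), l
    return (l << 64) | r

def bit_errors(a, b):
    return bin(a ^ b).count("1")

def compare(kc=KC, frame_no=1234, flip=5):
    """Flip one ciphertext bit (radio noise) and count wrong plaintext bits."""
    plain = (1 << FRAME_BITS) // 3        # constructed 114-bit frame (0101... pattern)
    noisy = stream_xor(kc, frame_no, plain) ^ (1 << flip)
    stream_errs = bit_errors(plain, stream_xor(kc, frame_no, noisy))
    noisy = block_encrypt(kc, plain) ^ (1 << flip)
    block_errs = bit_errors(plain, block_decrypt(kc, noisy))
    return stream_errs, block_errs
```

compare() returns the number of wrong plaintext bits after one flipped ciphertext bit: exactly 1 for the stream cipher and a large part of the block for the block cipher. The comparison applies to a block cipher applied directly to each frame; a block cipher run as a keystream generator shows the stream-cipher behaviour.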
23
Stream Cipher A5
A5 is a stream cipher
  Implemented very efficiently on hardware
  Design was never made public
  Leaked to Ross Anderson and Bruce Schneier
Variants
  A5/1 – the strong version
  A5/2 – the weak version
  A5/1, A5/2 (simpler “export” version). Cryptanalytic attacks against both algorithms have been published.
  A5/3
    GSM Association Security Group and 3GPP design
    Based on Kasumi algorithm used in 3G mobile systems
24
GSM Security Mechanism
Voice traffic is encrypted over the radio link (A5), but calls are transmitted in the clear after the base station.
Optional encryption of signaling data, but the ME can be asked to switch off encryption.
Separation of subscriber identity from equipment identity.
Some protection of location privacy (TMSI).
Vulnerability: no authentication of the network. An IMSI catcher pretends to be a BTS and requests the IMSI.
25
GSM Fraud
Often attacks the revenue flow rather than the data flow and does not break the underlying technology.
Roaming fraud: subscriptions taken out with a home network; SIM shipped abroad and used in visited network.
  Fraudster never pays for the calls (soft currency fraud).
  Home network has to pay the visited network for the services used by the fraudster (hard currency fraud).
  Scope for fraudsters and rogue network operators to collude.
Premium rate fraud: customers lured into calling back to premium rate numbers owned by the attacker.
  GSM charging system (mis)used to get the victim's money.
Premium rate service fraud and international revenue share fraud (IRSF), 2015 statistics:
  IRSF, Roaming: $7.1 billion
  IRSF, In-Network: $3.7 billion
  IRSF, Total/Combined: $10.8 billion
How the world’s largest mobile operators are using Hadoop and machine learning to fight fraud
26
GSM Fraud
Business model attack: criminals open a premium rate service, call their own number to generate revenue, collect their share of the revenue from the network operator, and disappear at the time the network operator realises the fraud.
Countermeasures:
  Human level: exercise caution before answering a call back request.
  Legal system: clarify how user consent has to be sought for subscribers to be liable for charges to their account.
  Business models of network operators.
GSM operators have taken a lead in using advanced fraud detection techniques, based on neural networks, to detect fraud early and limit their losses.
27
GSM Attack Types – Faked BTS
A modified BTS takes on the identity of the network towards the MS, while the modified MS impersonates the MS to the network.
The fake BTS can request IMSI, IMEI or TMSI.
28
GSM Attack Types – Cloning SIM
Cloning SIM Card
COMP128 was never made public, but the design has been reverse engineered and cryptanalyzed.
All that is needed to clone a SIM card is the 128 bit COMP128 secret key Ki and the IMSI, which is coded in the SIM.
By copying Ki and IMSI into an empty SIM, an attacker can behave as the user.
Ki is needed for cloning a SIM card.
29
Cloning SIM Card - 2
MS is required to respond to every challenge made by the GSM network (there is no authentication of BTS).
MS uses 66 frames in the authentication process.
The duration of the whole signaling sequence is ms/frame x 66 frames = s.
It is known that the cryptographic attack requires approximately challenge-response pairs.
This means that the attack takes approximately 45,689 seconds ( challenges x s), that is approximately 13 hours.
30
Attack on the Confidentiality of GSM
Brute-force attacks:
Kc is 64 bits, although the last 10 bits are set to zero. This reduces the key space from 2^64 to 2^54.
A5/2 can be broken in real time with a work factor of approximately 2^16.
A5/1 can be broken with a work factor of 2^40.
A key space of 2^54 would thus require about 18 hours.
31
Attack on the Confidentiality of GSM
(skip) Goldberg, Wagner and Green. Known plaintext attacks: T is the calculation number; 2^20 calculations can be made in 1 second by personal computers.
32
Attack on the Confidentiality of GSM
(skip) Israeli researchers: A. Biryukov, A. Shamir, and D. Wagner attack
33
Denial of Service (DoS) Attacks
DoS attacks can be performed by physically disturbing radio signals or by logical means The attacker could for example cut the wire leaving a base station. Jamming affects GSM radio signals badly.
34
Fake BTS 9/19/2018
35
Dirtbox – Location Tracking
36
Why in GSM & 3G
37
Fake BTS: Universal Software Radio Peripheral
38
Passive, Semi-Passive, and Active Attacks
What are the differences between the three types of attacks? Some attack examples next …
39
Passive Identity Caching
A passive attack that requires a modified MS and exploits the weakness that the network may sometimes request the user to send its identity in clear text. The use of temporary identities allocated by the serving network makes passive eavesdropping inefficient since the user must wait for a new registration or a mismatch in the serving network database before he can capture the user’s permanent identity in plaintext.
40
Active Identity Caching
An active attack that requires a modified BTS and exploits the weakness that the network may request the MS to send its permanent user identity in cleartext. An intruder entices the target to camp on its false BTS and subsequently requests the target to send its permanent user identity in cleartext, perhaps by forcing a new registration or by claiming a temporary identity mismatch due to database failure.
41
Suppressing encryption between the target user and the intruder
An attack that requires a modified BTS and that exploits the weakness that the MS cannot authenticate messages received over the radio interface. The target is enticed to camp on the false BTS. When the intruder or the target user initiates a service, the intruder does not enable encryption by spoofing the cipher mode command.
42
Compromised cipher key
An attack that requires a modified BTS and the possession by the intruder of a compromised authentication vector, and thus exploits the weakness that the user has no control over the cipher key. The target user is enticed to camp on the false BTS/MS. When a call is set up, the false BTS/MS forces the use of a compromised cipher key on the mobile user.
3G: The presence of a sequence number in the challenge allows the USIM to verify the freshness of the cipher key to help guard against forced re-use of a compromised authentication vector.
43
Solutions against Attacks - 1
Using secure algorithms for A3/A8 implementations
COMP128 should be replaced
Prevents the SIM card cloning attack.
This solution requires providing and distributing new SIM cards and modifying the software of the HLR.
44
Solutions against Attacks - 2
Using secure ciphering algorithms
Operators can use newer and more secure algorithms such as A5/3
The deployed cryptographic algorithms should be implemented on both BTS and mobile phones
45
Solutions against Attacks - 3
End-to-end security
Most GSM security vulnerabilities (except SIM cloning and DoS attacks) do not target ordinary people.
Their targets are usually restricted to special groups.
It is reasonable and economical for such groups to secure their communications with end-to-end security.
Encryption and security establishment should be performed at the end-entities.
46
3G Third Generation Mobile Communications Technology (IMT-2000)
developed by Third-Generation Partnership Project (3GPP). In Europe, 3G is called UMTS (Universal Mobile Telecommunications System)
47
UMTS (Universal Mobile Telecommunications System)
Work on 3rd generation mobile communications systems started in the early 1990s. The UMTS security architecture is similar to GSM, but adds mutual authentication; the crypto algorithms are published.
48
UMTS AKA “Authentication and Key Agreement”
Home network (AuC) and USIM (Universal Subscriber Identity Module) in user equipment (UE) share secret 128-bit key K. AuC can generate random challenges RAND. USIM and AuC have synchronized sequence numbers SQN available. Key agreement on 128-bit cipher key CK and 128-bit integrity key IK. AMF: Authentication Management Field.
49
GSM security issues
No mutual authentication - mobile authenticated but not network
Active attacks not considered (fake base station problem)
Weak crypto algorithms (A5/1, A5/2)
Secret and weak COMP128 - SIM cloning
Smaller key size - 64 bits
Encryption ends early on base stations
Plaintext communication within and between networks
50
UMTS (3G) network
Based on the earlier GSM architecture
User equipment (UE), i.e. terminal = mobile equipment (ME) + universal subscriber identity module (USIM)
UMTS terrestrial radio access network (UTRAN) = radio network controller (RNC) + base stations (Node B = BS)
Core network = multiple service domains + home location register
3GPP Release 8 specifies an all-IP network for signalling and data, replacing the old SS7 telephony signalling network
Circuit-switched (CS) domain for voice
Packet-switched (PS) domain for IP data
51
UMTS architecture IP Multimedia Subsystem (IMS) domain
52
Security architecture
Home location register (HLR) of the subscriber’s home operator keeps track of the mobile’s location
Visitor location register (VLR) keeps track of roaming (visiting) mobiles at each network
SIM card has a globally unique international mobile subscriber identifier (IMSI)
Shorter, temporary identifier TMSI allocated by the current network
Shared key between SIM and authentication center (HLR/AuC) at the home network: symmetric cryptography
VLR of the visited network obtains authentication tuples (triplets in 2G) from the AuC of the mobile’s home network and authenticates the mobile
Main goals: authentication of the mobile for charging purposes, and encryption of the radio channel
53
Using counters for freshness
Simple shared-key authentication with nonces:
1. A → B: N_A
2. B → A: N_B, MAC_K(Tag2, A, B, N_A, N_B)
3. A → B: MAC_K(Tag3, A, B, N_A, N_B)
K = master key shared between A and B
SK = h(K, N_A, N_B)
Using counters can save one message or roundtrip:
1. A → B:
2. B → A: N_B, SQN, MAC_K(Tag2, A, B, SQN, N_B)
3. A → B: MAC_K(Tag3, A, B, SQN, N_B)
SK = h(K, SQN, N_B)
Another benefit: B can pre-compute message 2
A must check that the counter always increases
54
Using counters
Counters must be monotonically increasing
  Absolutely never accept previously used values
  Persistent counter storage needed
Recovering from lost synchronization:
  Verifier can maintain a window of acceptable counter values to recover from message loss or reordering
  Nonce-based protocol for resynchronization if counters get badly out of sync
Counter values must not run out or wrap to zero
  Limit the rate at which values can be consumed
  But support bursts of activity
  Use a long enough counter to last the equipment lifetime or the lifetime of the shared key in use
55
UMTS (3G) authentication and key agreement (AKA)
56
UMTS AKA (simplified view)
57
UMTS AKA (simplified view)
58
UMTS AKA
59
RSQ Resynchronization (skip)
Resynchronization needed if the sequence number gets out of sync between USIM and AuC.
60
AKA Protocol Linkability Attack (skip)
Source: Borgaonkar et al.
61
Remaining UMTS security weaknesses
IMSI may still be sent in clear, when requested by base station
Authentication tuples are available to thousands of operators around the world, and all of them can create fake base stations
Equipment identity IMEI still not authenticated
Non-repudiation for call and roaming charges is still based on server logs, not on public-key signatures
Still no end-to-end security
Thousands of legitimate radio network operators
  Any government or big business can gain control of one and intercept calls at the RNC
62
UMTS AKA: VLR ↔ AuC (skip)
VLR/SGSN → AuC: IMSI
AuC: generate RAND; with K and SQN compute the authentication vector
AuC → VLR/SGSN: authentication vector <RAND,AUTN,XRES,CK,IK>
VLR/SGSN: store <RAND,AUTN,XRES,CK,IK> tuples for IMSI
63
AV Generation at AuC (skip)
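[Figure: AV generation at AuC. The AuC generates SQN and RAND; functions f1, f2, f3, f4, f5 take K, SQN, RAND and AMF as inputs; outputs are MAC, XRES, CK, IK and AK.]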
64
UMTS AKA: USIM ↔ VLR (skip)
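[Figure: UMTS AKA between USIM and VLR/SGSN over the radio link. The VLR/SGSN sends RAND, AUTN; the USIM, holding K and SQN, processes AUTN, checks whether SQN is big enough, derives CK and IK and returns RES; the VLR/SGSN looks up XRES from its store and compares it with RES (= yes/no).]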
65
Authentication in USIM (skip)
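[Figure: Authentication in USIM. Inputs: K, RAND and the AUTN fields SQN⊕AK, AMF, MAC; functions f1, f2, f3, f4, f5; outputs: AK, SQN, XMAC, RES, CK, IK; check MAC = XMAC (yes/no).]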
66
UMTS AKA – summary
Checks at USIM:
  Compares MAC received as part of AUTN and XMAC computed to verify that RAND and AUTN had been generated by the home AuC.
  Checks that SQN is fresh to detect replay attacks.
Checks at VLR:
  Compares RES and XRES to authenticate USIM.
False base station attacks are prevented by a combination of key freshness and integrity protection of signaling data, not by authenticating the serving network.
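The USIM and VLR checks summarised above, together with the counter rule from the "Using counters" slides (never accept a previously used SQN), as an added example that is not from the original slides. HMAC-SHA256 with a domain tag stands in for MILENAGE f1..f5, the AMF value is constructed, and the USIM applies a strict "greater than the last accepted value" test without an acceptance window.

```python
import hashlib
import hmac
import os

def f(k, tag, *parts, n):
    """Stand-in for f1..f5 (assumption: HMAC-SHA256 with a domain tag, NOT MILENAGE)."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x80\x00"                     # constructed Authentication Management Field

class AuC:
    def __init__(self, k):
        self.k, self.sqn = k, 0
    def vector(self):
        self.sqn += 1                                 # counter only ever increases
        sqn = self.sqn.to_bytes(6, "big")             # 48-bit SQN
        rand = os.urandom(16)
        mac = f(self.k, b"f1", sqn, rand, AMF, n=8)
        xres = f(self.k, b"f2", rand, n=8)
        ck = f(self.k, b"f3", rand, n=16)
        ik = f(self.k, b"f4", rand, n=16)
        ak = f(self.k, b"f5", rand, n=6)
        autn = xor(sqn, ak) + AMF + mac               # AUTN = SQN xor AK || AMF || MAC
        return rand, autn, xres, ck, ik

class USIM:
    def __init__(self, k):
        self.k, self.sqn = k, 0       # highest SQN accepted so far (persistent storage)
    def authenticate(self, rand, autn):
        ak = f(self.k, b"f5", rand, n=6)
        sqn, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:16]
        xmac = f(self.k, b"f1", sqn, rand, amf, n=8)
        if not hmac.compare_digest(mac, xmac):
            return "mac_failure", None                # RAND/AUTN not from the home AuC
        if int.from_bytes(sqn, "big") <= self.sqn:
            return "sync_failure", None               # replayed or stale vector
        self.sqn = int.from_bytes(sqn, "big")
        return "ok", (f(self.k, b"f2", rand, n=8),    # RES
                      f(self.k, b"f3", rand, n=16),   # CK
                      f(self.k, b"f4", rand, n=16))   # IK

def demo():
    k = os.urandom(16)                                # 128-bit K shared by AuC and USIM
    auc, usim = AuC(k), USIM(k)
    rand, autn, xres, ck, ik = auc.vector()
    status, (res, ck_u, ik_u) = usim.authenticate(rand, autn)
    agreed = hmac.compare_digest(res, xres) and ck == ck_u and ik == ik_u  # VLR check
    replay = usim.authenticate(rand, autn)[0]         # same vector presented again
    forged = usim.authenticate(os.urandom(16), os.urandom(16))[0]
    return status, agreed, replay, forged
```

demo() returns ("ok", True, "sync_failure", "mac_failure"): a fresh vector is accepted and yields matching RES, CK and IK, a replayed vector fails the SQN check, and a challenge not produced with K fails the MAC check.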
67
UMTS Crypto Algorithms - summary
Confidentiality:
  MISTY1: block cipher, designed to resist differential and linear cryptanalysis
  KASUMI: eight-round Feistel cipher, 64-bit blocks, 128-bit keys, builds on MISTY1
Authentication and key agreement:
  MILENAGE: block cipher, 128-bit blocks, 128-bit keys
All proposals are published and have been subject to a fair degree of cryptanalysis