Presentation is loading. Please wait.

Presentation is loading. Please wait.

Special Topic: Mobile Security Part II – GSM and UMTS Security -- Dr

Published byAngelica Ryan Modified over 6 years ago

Similar presentations

Presentation on theme: "Special Topic: Mobile Security Part II – GSM and UMTS Security -- Dr"— Presentation transcript:

1 Special Topic: Mobile Security Part II – GSM and UMTS Security -- Dr
Special Topic: Mobile Security Part II – GSM and UMTS Security -- Dr. Frank Li CSCI 555

2 GSM Architecture (review)
Universität Karlsruhe Institut für Telematik Mobilkommunikation SS 1998 GSM Architecture (review) OMC, EIR, AUC fixed network HLR GMSC NSS with OSS VLR MSC VLR MSC BSC BSC RSS Prof. Dr. Dr. h.c. G. Krüger E. Dorner / Dr. J. Schiller 2

3 GSM – Components 1 (review)
Subscriber Identity Module (SIM) Card: operator dependent smart card which contains A3/8 algorithms, IMSI and Ki. Mobile Equipment (ME): operator independent communication device. It contains A5 algorithm. Base Transceiver Station (BTS): Base stations form a patchwork of radio cells over a given geographic coverage area. Base Station Controller (BSC) a node controlling a number of BTS, coordinating handovers and performing BS co-ordination not related to switching. Mobile Switching Center (MSC): a node controlling a number of BSC. It is center device and has a lot of function in GSM system.

4 GSM – Components 2 (review)
Home Location Register (HLR) : recording the most recent known location of all MS belonging to MS’s home area. It contains all administrative information about each registered user Visited Location Register (VLR): recording information about all MS when they are at the “visiting” area. Authentication Centre (AuC): used by a HLR to generate random challenges (RAND) and to store secret key information (Ki) relating to each of its MS. Equipment Identity Register (EIR) Black list – stolen or non-type mobiles White list - valid mobiles Gray list – local tracking mobiles

5 Subscriber Identity Module (review)
Smart card (processor chip card) in MS: Current encryption key Kc (64 bits) Secret subscriber key Ki (128 bits) Algorithms A3 and A8 IMSI TMSI PIN, PUK Personal phone book SIM Application Toolkit (SIM-AT) platform ...

6 SIM Anatomy Subscriber Identification Module (SIM)
Smart Card – a single chip computer containing OS, File System, Applications Protected by PIN Owned by operator (i.e. trusted) SIM applications can be written with SIM Toolkit

7 Microprocessor Cards Typical specification Smart Card Technology
8 bit CPU 16 K ROM 256 bytes RAM 4K EEPROM Cost: $5-50 Smart Card Technology Based on ISO 7816 defining Card size, contact layout, electrical characteristics I/O Protocols: byte/block based File Structure

8 Smart Card Anatomy

9 Temporary Mobile Subscriber Identity (review)
To hide IMSI (which gives away the exact identity) When a MS makes initial contact with the GSM network, an unencrypted subscriber identifier (IMSI) has to be transmitted. GSM uses 4-byte TMSI for local subscriber identification: selected by the current VLR, is only valid temporarily and within the location area of the VLR The IMSI is sent only once, then a temporary mobile subscriber identity (TMSI) is assigned (encrypted) and used in the entire range of the MSC

10 TMSI (review) TMSI: VLR keeps relation <(TIMSI, LAI), IMSI>
When the MS moves into the range of another MSC, a new TMSI is assigned A VLR may change the TMSI periodically VLR keeps relation <(TIMSI, LAI), IMSI> LAI = Local Area Information

11 Security in GSM access control/authentication confidentiality
Universität Karlsruhe Institut für Telematik Mobilkommunikation SS 1998 Security in GSM access control/authentication user - SIM (Subscriber Identity Module): secret PIN (personal identification number) SIM-network: challenge response method confidentiality voice and signaling encrypted on the wireless link (after successful authentication) anonymity temporary identity TMSI newly assigned at each new location update encrypted transmission Prof. Dr. Dr. h.c. G. Krüger E. Dorner / Dr. J. Schiller 11

12 Cryptography in GSM A3 -- authentication algorithm
A5 -- signalling data and user data encryption algorithm A8 -- ciphering key generating algorithm Note: These are symmetric key crypto algorithms public key cryptography was considered at the time – 1980s – but not considered mature enough

13 GSM Authentication SIM mobile network RAND Ki RAND RAND Ki 128 bit
Universität Karlsruhe Institut für Telematik Mobilkommunikation SS 1998 GSM Authentication SIM mobile network RAND Ki RAND RAND Ki 128 bit 128 bit 128 bit 128 bit AC A3 A3 SIM SRES* 32 bit SRES bit SRES* =? SRES SRES MSC SRES 32 bit Ki: individual subscriber authentication key SRES: signed response Prof. Dr. Dr. h.c. G. Krüger E. Dorner / Dr. J. Schiller 13

14 Authentication in ME Authentication Steps: Note:
Fixed subsystem transmits a non-predictable number RAND (128 bits) to the MS. MS computes SRES, the ‘signature’ of RAND, using algorithm A3 and the secret Authentication Key Ki MS transmits SRES to the fixed subsystem. The fixed subsystem tests SRES for validity. Note: Computations in ME performed in the SIM. Location update within the same VLR area follows the same pattern.

15 GSM - key generation and encryption
Universität Karlsruhe Institut für Telematik Mobilkommunikation SS 1998 GSM - key generation and encryption mobile network (BTS) MS with SIM RAND Ki RAND RAND Ki AC SIM 128 bit 128 bit 128 bit 128 bit A8 A8 cipher key Kc 64 bit Kc 64 bit data encrypted data SRES data BSS MS A5 A5 Prof. Dr. Dr. h.c. G. Krüger E. Dorner / Dr. J. Schiller 15

16 GSM Authentication (skip)
MSC/VLR HLR/AuC security related information request IMSI generate RAND(1,…,n) Ki A3/A8 Authentication vector response <RAND(1,..n),SRES(1,..n),Kc(1,..n)> Store <RAND,SRES,Kc> triples for IMSI

17 GSM Authentication (skip)
SIM (MS) MSC/VLR Radio Link TMSI RAND Ki RAND RAND TMSI A8 Lookup key from store Kc Kc

18 MS/BSC Encryption (skip)
COUNT [22 bit] = (TDMA Frame No.) = COUNT [22 bit] 114 bits cipher block Kc 114 bits plain text A5 Radio Link bit-wise binary addition MS BSC

19 A5 Encryption BTS OMC BTS VLR MSC BSC HLR AUC BTS EIR Mobile Stations
Base Station Subsystem Network Management Subscriber and terminal equipment databases A5 Encryption BTS OMC Exchange System BTS VLR MSC BSC HLR AUC BTS EIR

20 GSM Security Summary

21 Cryptographic algorithms: A3/A8
Algorithms A3 and A8 are shared between subscriber and home network; thus each network could choose its own algorithms. Algorithms A3 and A8 are at each operator’s discretion. COMP128 is one choice for A3/A8; attack to retrieve Ki from the SIM ( cloning) possible; not used by many European providers.

22 Stream Cipher A5 A5: stream cipher that encrypts 114-bit frames
key for each frame derived from the secret key Kc and the current frame number (22 bits). has to be shared between all subscribers and all network operators. Why a stream cipher, not a block cipher (DES or AES)? Ans: Radio links are relatively noisy. Block cipher: a single bit error in the cipher text affects an entire clear text frame; Stream cipher: a single bit error in the cipher text affects a single clear text bit.

23 Stream Cipher A5 A5 is a stream cipher
Implemented very efficiently on hardware Design was never made public Leaked to Ross Anderson and Bruce Schneier Variants A5/1 – the strong version A5/2 – the weak version A5/1, A5/2 (simpler “export” version). Cryptanalytic attacks against both algorithms have been published. A5/3 GSM Association Security Group and 3GPP design Based on Kasumi algorithm used in 3G mobile systems

24 GSM Security Mechanism
Voice traffic encrypted over the radio link (A5) but calls are transmitted in the clear after the base station Optional encryption of signaling data but ME can be asked to switch off encryption Separation of subscriber identity from equipment identity Some protection of location privacy (TMSI) Vulnerability: No authentication of network. IMSI catcher pretend to be BTS and request IMSI.

25 GSM Fraud Often attacks the revenue flow rather than the data flow and does not break the underlying technology. Roaming fraud: subscriptions taken out with a home network; SIM shipped abroad and used in visited network. Fraudster never pays for the calls (soft currency fraud). Home network has to pay the visited network for the services used by the fraudster (hard currency fraud). Scope for fraudsters and rogue network operators to collude. Premium rate fraud: customers lured into calling back to premium rate numbers owned by the attacker. GSM charging system (mis)used to get the victim's money. premium rate service fraud and international revenue share fraud (IRSF) 2015 statistic IRSF, Roaming: $7.1 billion IRSF, In-Network: $3.7 billion IRSF, Total/Combined: $10.8 billion how the world’s largest mobile operators are using Hadoop and machine learning to fight fraud

26 GSM Fraud Business model attack: Criminals open a premium rate service, call their own number to generate revenue, collect their share of the revenue from the network operator, and disappear at the time the network operator realises the fraud. Countermeasures: Human level: exercise caution before answering a call back request. Legal system: clarify how user consent has to be sought for subscribers to be liable for charges to their account. Business models of network operators. GSM operators have taken a lead in using advanced fraud detection techniques, based on neural networks, to detect fraud early and limit their losses.

27 GSM Attack Types – Faked BTS
Modified BTS behaves as the identity the network to the MS, while the modified MS impersonates the MS to the network The fake BTS can request IMSI, IMEI or TMSI

28 GSM Attack Types – Clonning SIM
Clonning SIM Card COMP128 was never made public, but the design has been reverse engineered and cryptanalyzed. All that is needed to clone a SIM card is the 128 bit COMP128 secret key Ki and the IMSI which is coded in the SIM. By copying Ki and IMSI into an empty SIM, attacker can beahve as user. Ki is needed for clonning SIM card.

29 Clonning SIM Card - 2 MS is required to respond to every challenge made by GSM network (there is no authentication of BTS). MS uses 66 frames in authentication process The duration of the whole signaling sequence is ms/frame x 66 frames = s. It is known that the cryptographic attack requires approximately challenge-response pairs. This means that the attack takes approximately 45,689 seconds ( challenges x s), that is approximately 13 hours.

30 Attack on the Confidentiality of GSM
Brute-Force Attacks: Kc is 64 bits although the last 10 bits are set to zero. It reduces the key space from 2^64 to 2^54 A5/2 can be broken in real time with a work factor of approximately 2^16 A5/1 can be break with a work factor of 2^40 A key space of 2^54 would thus require about 18 hours

31 Attack on the Confidentiality of GSM
(skip) Goldberg, Wagner and Green Known Plaintext Attacks: T is the calculation number, 2^20 calculations can made in 1 second by personal computers

32 Attack on the Confidentiality of GSM
(skip) Israelian Researchers; A Biryukov, A Shamir, and D Wagne Attack

33 Denial of Service (DoS) Attacks
DoS attacks can be performed by physically disturbing radio signals or by logical means The attacker could for example cut the wire leaving a base station. Jamming affects GSM radio signals badly.

34 Fake BST 9/19/2018

35 Dirtbox – Location Tracking
9/19/2018

36 Why in GSM & 3G 9/19/2018

37 Fake BST Universal Software Radio Peripheral  9/19/2018

38 Passive, Semi-Passive, and Active Attacks
The differences of three types attacks? Some attack examples next … 9/19/2018

39 Passive Identity Caching
A passive attack that requires a modified MS and exploits the weakness that the network may sometimes request the user to send its identity in clear text. The use of temporary identities allocated by the serving network makes passive eavesdropping inefficient since the user must wait for a new registration or a mismatch in the serving network database before he can capture the user’s permanent identity in plaintext.

40 Active Identity Caching
An active attack that requires a modified BTS and exploits the weakness that the network may request the MS to send its permanent user identity in cleartext. An intruder entices the target to camp on its false BTS subsequently requests the target to send its permanent user identity in cleartext perhaps by forcing a new registration or by claiming a temporary identity mismatch due to database failure.

41 Suppressing encryption between the target user and the intruder
An attack that requires a modified BTS and that exploits the weakness that the MS cannot authenticate messages received over the radio interface. The target is enticed to camp on the false BTS. When the intruder or the target user initiates a service, the intruder does not enable encryption by spoofing the cipher mode command.

42 Compromised cipher key
An attack that requires a modified BTS and the possession by the intruder of a compromised authentication vector and thus exploits the weakness that the user has no control upon the cipher key. The target user is enticed to camp on the false BTS/MS. When a call is set-up the false BTS/MS forces the use of a compromised cipher key on the mobile user. 3G: The presence of a sequence number in the challenge allows the USIM to verify the freshness of the cipher key to help guard against forced re-use of a compromised authentication vector..

43 Solutions against Attacks - 1
Using secure algorithms for A3/A8 implementations COMP128 should be replaced Prevent SIM card cloning attack. This solution requires providing and distributing new SIM cards and modifying the software of the HLR.

44 Solutions against Attacks - 2
Using secure ciphering algorithms Operators can use newer and more secure algorithms such as A5/3 The deployed cryptographic algorithms should be implemented on both BTS and mobile phones

45 Solutions against Attacks - 3
End-to-end Security Most of GSM security vulnerabilities (except SIM cloning and DoS attacks) do not aim ordinary people Their targets are usually restricted to special groups It is reasonable and economical that such groups make their communications secure by the end-to-end security Eencryption and security establishment should be performed at the end-entities

46 3G Third Generation Mobile Communications Technology (IMT-2000)
developed by Third-Generation Partnership Project (3GPP). In Europe, 3G is called UMTS (Universal Mobile Telecommunications System)

47 UMTS (Universal Mobile Telecommunications System)
Work on 3rd generation mobile communications systems started in the early 1990s. The UMTS security architecture is similar to GSM, but adds mutual authentication; the crypto algorithms are published.

48 UMTS AKA “Authentication and Key Agreement”
Home network (AuC) and USIM (Universal Subscriber Identity Module) in user equipment (UE) share secret 128-bit key K. AuC can generate random challenges RAND. USIM and AuC have synchronized sequence numbers SQN available. Key agreement on 128-bit cipher key CK and 128-bit integrity key IK. AMF: Authentication Management Field.

49 GSM security issues No mutual authentication - Mobile authenticated but not network Active attacks not considered (fake base station problem) Weak crypto algorithms (A5/1, A5/2) Secret and weak Comp128 - SIM cloning Smaller key size - 64 bits Encryption ends early on base stations Plaintext communication within and between networks

50 UMTS (3G) network Based on the earlier GSM architecture
User equipment (UE) i.e. terminal = mobile equipment (ME) + universal subscriber identity module (USIM) UMTS terrestrial radio access network (UTRAN) = radio network controller (RNC) + base stations (Node B = BS) Core network = multiple service domains + home location register 3GPP Release 8 specifies an all-IP network for signalling and data, replacing old SS7 telephony signalling network Circuit-switched (CS) domain for voice Packet-switched (PS) domain for IP data

51 UMTS architecture IP Multimedia Subsystem (IMS) domain

52 Security architecture
Home location register (HLR) of the subscriber’s home operator keeps track of the mobile’s location Visitor location register (VLR) keeps track of roaming (visiting) mobiles at each network SIM card has a globally unique international mobile subscriber identifier (IMSI) Shorter, temporary identifier TMSI allocated by the current network Shared key between SIM and authentication center (HRL/AuC) at the home network symmetric cryptography VLR of the visited network obtains authentication tuples (triplets in 2G) from AuC of the mobile’s home network and authenticates the mobile Main goals: authentication of the mobile for charging purposes, and encryption of the radio channel

53 Using counters for freshness
Simple shared-key authentication with nonces: 1. A → B: NA 2. B → A: NB, MACK(Tag2, A, B, NA, NB) 3. A → B: MACK(Tag3, A, B, NA, NB) K = master key shared between A and B SK = h(K, NA, NB) Using counters can save one message or roundtrip: 1. A → B: 2. B → A: NB, SQN, MACK(Tag2, A, B, SQN, NB) 3. A → B: MACK(Tag3, A, B, SQN, NB) SK = h(K, SQN, NB) Another benefit: B can pre-compute message 2 A must check that the counter always increases

54 Using counters Counters must be monotonically increasing
Absolutely never accept previously used values Persistent counter storage needed Recovering from lost synchronization: Verifier can maintain a window of acceptable counter values to recover from message loss or reordering Nonce-based protocol for resynchronization if counters get badly out of sync Counter values must not run out or wrap to zero Limit the rate at which values can be consumed But support bursts of activity Use long enough counter to last the equipment lifetime or lifetime of the shared key in use

55 UMTS (3G) authentication and key agreement (AKA)

56 UMTS AKA (simplified view)

57 UMTS AKA (simplified view)

58 UMTS AKA

59 RSQ Resynchronization (skip)
Resynchronization needed if the sequence number gets out of sync between USIM and AuC.

60 AKA Protocol Linkability Attack (skip)
Source: Borgaonkar et al.

61 Remaining UMTS security weaknesses
IMSI may still be sent in clear, when requested by base station Authentication tuples available to thousands of operators around the world, and all they can create fake base stations Equipment identity IMEI still not authenticated Non-repudiation for call and roaming charges is still based on server logs, not on public-key signatures Still no end-to-end security Thousands of legitimate radio network operators  Any government or big business gain control of one and intercept calls at RNC

62 UMTS AKA: VLR ↔ AuC (skip)
VLR/SGSN AuC IMSI IMSI generate RAND K SQN authentication vector <RAND,AUTN,XRES,CK,IK> store <RAND,AUTN,XRES,CK,IK> tuples for IMSI

63 AV Generation at AuC (skip)
generate f1 f2 f4 f5 f3 SQN RAND K MAC XRES CK IK AK AMF

64 UMTS AKA: USIM ↔ VLR (skip)
Radio Link K = yes/no RAND, AUTN AUTN USIM VLR/SGSN Lookup XRES from store XRES RAND RES CK SQN IK checks whether SQN is big enough

65 Authentication in USIM (skip)
f1 f2 f4 f5 f3 SQN RAND K RES CK IK AK AUTN SQNAK AMF MAC = yes/no XMAC

66 UMTS AKA – summary Checks at USIM: Checks at VLR:
Compares MAC received as part of AUTN and XMAC computed to verify that RAND and AUTN had been generated by the home AuC. Checks that SQN is fresh to detect replay attacks. Checks at VLR: Compares RES and XRES to authenticate USIM. False base station attacks prevented by a combination of key freshness and integrity protection of signaling data, not by authenticating the serving network.

67 UMTS Crypto Algorithms - summary
Confidentiality: MISTY1: block cipher, designed to resist differential and linear cryptanalysis KASUMI: eight round Feistel cipher, 64-bit blocks, 128-bit keys, builds on MISTY1 Authentication and key agreement MILENAGE: block cipher,128-bit blocks, 128-bit keys All proposals are published and have been subject to a fair degree of cryptanalysis

Download ppt "Special Topic: Mobile Security Part II – GSM and UMTS Security -- Dr"

Similar presentations

An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,

An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
GSM Security and Encryption

GSM Security and Encryption
Islamic University-Gaza Faculty of Engineering Electrical & Computer Engineering Department Global System for Mobile Communication GSM Group Alaa Al-ZatmaHosam.

Islamic University-Gaza Faculty of Engineering Electrical & Computer Engineering Department Global System for Mobile Communication GSM Group Alaa Al-ZatmaHosam.
Peter Howard Vodafone Group R&D

Peter Howard Vodafone Group R&D
GSM Network. GSM-Introduction Architecture Technical Specifications Frame Structure Channels Security Characteristics and features Applications Contents.

GSM Network. GSM-Introduction Architecture Technical Specifications Frame Structure Channels Security Characteristics and features Applications Contents.
Myagmar, Gupta UIUC 2001 1 3G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.

Myagmar, Gupta UIUC G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.
One-Pass GPRS and IMS Authentication Procedure for UMTS

One-Pass GPRS and IMS Authentication Procedure for UMTS
GSM standard (continued)

GSM standard (continued)
G53SEC 1 Mobile Security GSM, UTMS, Wi-Fi and some Bluetooth.

G53SEC 1 Mobile Security GSM, UTMS, Wi-Fi and some Bluetooth.
Information Security of Embedded Systems 20.1.2010: Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
MOBILE PHONE ARCHITECTURE & TECHNOLOGY. HISTORY  The idea of the first cellular network was brainstormed in 1947  Disadvantages  All the analogue system.

MOBILE PHONE ARCHITECTURE & TECHNOLOGY. HISTORY  The idea of the first cellular network was brainstormed in 1947  Disadvantages  All the analogue system.
 The GSM network is divided into two systems. each of these systems are comprised of a number of functional units which are individual components of the.

 The GSM network is divided into two systems. each of these systems are comprised of a number of functional units which are individual components of the.
Evolution from GMS to UMTS

Evolution from GMS to UMTS
GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.

GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.
GSM: The European Standard for Mobile Telephony Presented by Rattan Muradia Requirement for course CSI 5171 Presented by Rattan Muradia Requirement for.

GSM: The European Standard for Mobile Telephony Presented by Rattan Muradia Requirement for course CSI 5171 Presented by Rattan Muradia Requirement for.
Security in GSM/GPRS and UMTS

Security in GSM/GPRS and UMTS
GSM Network Structure Lance Westberg.

GSM Network Structure Lance Westberg.
Network components of the Switching Subsystem The switching Subsystem comprises the following subsystems. MSC (Mobile Switching Centre) HLR (Home location.

Network components of the Switching Subsystem The switching Subsystem comprises the following subsystems. MSC (Mobile Switching Centre) HLR (Home location.

Similar presentations

Ads by Google