Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKS 2000, San JoseSecurity of 3GPP networks1 On the Security of 3GPP Networks Michael Walker Vodafone AirTouch & Royal Holloway, University of London.

Published byRosaline Brown Modified over 8 years ago

Similar presentations

Presentation on theme: "PKS 2000, San JoseSecurity of 3GPP networks1 On the Security of 3GPP Networks Michael Walker Vodafone AirTouch & Royal Holloway, University of London."— Presentation transcript:

1

2 PKS 2000, San JoseSecurity of 3GPP networks1 On the Security of 3GPP Networks Michael Walker Vodafone AirTouch & Royal Holloway, University of London Chairman 3GPP SA3 - Security

3 PKS 2000, San JoseSecurity of 3GPP networks2 Acknowledgements This presentation is based on the technical specifications and reports produced by the members of 3GPP SA3 and ETSI SAGE available from http://www.3gpp.org Much of the back ground work was done as part of the EU funded ACTS project USECA the partners are Vodafone, G&D, Panasonic, Siemens Atea, Siemens AG & Katholieke Universiteit Leuven http://www.useca.freeserve.co.uk

4 PKS 2000, San JoseSecurity of 3GPP networks3 Principles for 3G Security Build on the security of GSM adopt the security features from GSM that have proved to be needed and robust try to ensure compatibility with GSM in order to ease inter-working and handover Correct the problems with GSM by addressing its real and perceived security weaknesses Add new security features as are necessary to secure new services offered by 3G to take account of changes in network architecture

5 PKS 2000, San JoseSecurity of 3GPP networks4 Building on GSM Security - Architecture GMSC GGSN HLR EIR AUC SCF SMS- IWMSC SMS- IWMSC RNC BS Uu Iu ANCNExternal Networks UE Iur D USIM ME RNC BS Uu USIM ME Iub Iu Gd, Gp, Gn+ SGSN MSC E, G Cu SMS- GMSC SMS- GMSC SGSN MSC BSC BTS Um SIM MT AbisA Gb ISDN PSTN PSPDN CSPDN PDN: -Intranet -Extranet -Internet BSS RNS UTRAN Note: Not all interfaces shown and named F Gf Gr Gn+ H

6 PKS 2000, San JoseSecurity of 3GPP networks5 Building on GSM Security, 2 Remain compatible with GSM network architecture User authentication & radio interface encryption SIM used as security module removable hardware terminal independent management of all customer parameters Operates without user assistance Requires minimal trust in serving network

7 PKS 2000, San JoseSecurity of 3GPP networks6 Limitations of GSM Security Problems with GSM security stem by and large from design limitations on what is protected rather than on defects in the security mechanisms themselves only provides access security - communications and signalling in the fixed network portion aren’t protected does not address active attacks, whereby network elements may be impersonated designed to be only as secure as the fixed networks to which they connect lawful interception only considered as an after thought

8 PKS 2000, San JoseSecurity of 3GPP networks7 Limitations of GSM Security, 2 Failure to acknowledge limitations encryption needed to guard against radio channel hijack the terminal is an unsecured environment - so trust in the terminal identity is misplaced Inadequate flexibility to upgrade and improve security functions over time Lack of visibility that the security is being applied no indication to the user that encryption is on no explicit confirmation to the home network that authentication is properly used when customers roam

9 PKS 2000, San JoseSecurity of 3GPP networks8 Limitations of GSM Security, 3 Lack of confidence in cryptographic algorithms lack of openness in design and publication of A5/1 misplaced belief by regulators in the effectiveness of controls on the export or (in some countries) the use of cryptography key length too short, but some implementation faults make increase of encryption key length difficult need to replace A5/1, but poor design of support for simultaneous use of more than one encryption algorithm, is making replacement difficult ill advised use of COMP 128

10 PKS 2000, San JoseSecurity of 3GPP networks9 Specific GSM Security Problems Encryption terminated too soon user traffic and signalling in clear on microwave links Clear transmission of cipher keys & authentication values within and between networks signalling system vulnerable to interception and impersonation Confidence in strength of algorithms failure to choose best authentication algorithms improvements in cryptanalysis of A5/1 Use of false base stations

11 PKS 2000, San JoseSecurity of 3GPP networks10 False Base Stations Used as IMSI Catcher for law enforcement Used to intercept mobile originated calls encryption controlled by network and user unaware if it is not on Dynamic cloning risk in networks where encryption is not used

12 PKS 2000, San JoseSecurity of 3GPP networks11 3GPP Security Architecture Overview Home stratum/ Serving Stratum USIMHE/AuCTE Transport stratum MT SN/ VLR/ SGSN AN Application stratum User ApplicationProvider Application I. Network access security II. Provider domain security III. User domain security IV. Application security III. IV. I. II.

13 PKS 2000, San JoseSecurity of 3GPP networks12 Authentication & Key Agreement (AKA) Protocol Objectives Authenticate user to network & network to user Establish a cipher key CK (128 bit) & an integrity key IK (128 bit) Assure user and network that CK/IK have not been used before Authenticated management field HE  USIM authentication key and algorithm identifiers limit CK/IK usage before USIM triggers a new AKA

14 PKS 2000, San JoseSecurity of 3GPP networks13 AKA Prerequisites AuC and USIM share user specific secret key K message authentication functions f1, f1*, f2 key generating functions f3, f4, f5, f5* AuC has a random number generator AuC has scheme to generate fresh sequence numbers USIM has scheme to verify freshness of received sequence numbers

15 PKS 2000, San JoseSecurity of 3GPP networks14 AKA Variables and Functions RAND = random challenge generated by AuC XRES = f2 K (RAND) = expected user response computed by AuC RES = f2 K (RAND) = actual user response computed by USIM CK = f3 K (RAND) = cipher key IK = f4 K (RAND) = integrity key AK = f5 K (RAND) = anonymity key SQN = sequence number AMF = authentication management field MAC = f1 K (SQN || RAND || AMF) = message authentication code computed over SQN, RAND and AMF AUTN = SQN  AK || AMF || MAC = network authentication token, concealment of SQN with AK is optional Quintet = (RAND, XRES, CK, IK, AUTN)

16 PKS 2000, San JoseSecurity of 3GPP networks15 AKA Message Flow auth. data request Quintets (RAND, XRES, CK, IK, AUTN ) RAND, AUTN RES Generate quintets Verify MAC, SQN Derive CK, IK, RES Start using CK, IK XRES = RES ? USIM AuC VLR or SGSN Distribution of quintets from HLR/AuC to VLR/SGSN Over-the-air authentication and key agreement

17 PKS 2000, San JoseSecurity of 3GPP networks16 Length of AKA Cryptographic Parameters K128 bits RAND128 bits RES32-128 bits CK128 bits IK128 bits AUTN128 bits SQNSequence number48 bits AMFAuthentication management field16 bits MACMessage authentication code64 bits

18 PKS 2000, San JoseSecurity of 3GPP networks17 Air-interface Encryption, 1 Applies to all user traffic and signalling messages Uses stream ciphering function f8 - with provision for different algorithms: UEA1 = Kasumi; UEA0 = no encryption CIPHERTEXT BLOCK COUNT-C BEARER DIRECTION LENGTH CK PLAINTEXT BLOCK f8 KEYSTREAM BLOCK COUNT-C BEARER DIRECTION LENGTH CK f8 KEYSTREAM BLOCK PLAINTEXT BLOCK Sender ME or RNC Receiver ME or RNC

19 PKS 2000, San JoseSecurity of 3GPP networks18 Air-interface Encryption, 2 Termination points user side: mobile equipment, network side: radio network controller Ciphering in layer 2 RLC sublayernon-transparent RLC mode (signalling, data) MAC sublayer transparent RLC mode(voice) Key input values to algorithm CK128 bitsCipher key COUNT-C32 bitsCiphering sequence number RLC sublayerHFN RLC (25/20)+ SN RLC (7/12)(SN RLC is transmitted) MAC sublayerHFN MAC (25) + CFN MAC (7)(CFN MAC is transmitted) Further input values BEARER5 bitsBearer identity DIRECTION1 bitUplink/downlink LENGTH16 bitsLength of keystream block

20 PKS 2000, San JoseSecurity of 3GPP networks19 Air-interface Integrity Mechanism, 1 Applies to all except a specifically excluded signalling messages after connection and security mode set-up MS supervises that it is started Uses integrity function f9 - with provision for different algorithms: UIA1 = Kasumi COUNT- I MESSAGE DIRECTION FRESH IK f9 MAC- I COUNT- I MESSAGE DIRECTION FRESH IK f9 XMAC- I Sender ME or RNC Receiver ME or RNC MESSAGE MAC- I MAC- I = XMAC- I ?

21 PKS 2000, San JoseSecurity of 3GPP networks20 Air-interface Integrity Mechanism, 2 Termination points user side: mobile equipment, network side: radio network controller Integrity protection: layer 2 RRC sublayer Key input values IK128 bitsIntegrity key COUNT-I32 bits Integrity sequence number –consists ofHFN RRC (28) + SN RRC (4)(SN RRC is transmitted) FRESH32 bitsConnection nonce MESSAGESignalling message Further input values DIRECTION1 bitUplink/downlink Output values MAC-I/XMAC-I 32 bits message authentication code

22 PKS 2000, San JoseSecurity of 3GPP networks21 Connection Establishment Overview ME/USIM RNCVLR/SGSN Connection Establishment RRC 1. IMSI Interrogation MM 3. Authentication and key agreement MM 4. Security mode command RANAP 5. Security mode command RRC 6. Security mode complete RRC 7. Security mode complete RANAP 8. Response to initial L3 messageMM 9. TMSI allocation MM 10. Initial L3 message 2. MM

23 PKS 2000, San JoseSecurity of 3GPP networks22 Starting Ciphering & Integrity ME/USIM RNCVLR/SGSN Connection Establishment  START; UEA MS, UIA MS  1. Security mode command UEA CN, UIA CN, CK, IK 5. RNC selects UEA and UIA; start of integrity protection Start of ciphering/deciphering Start of integrity protection Start of ciphering/deciphering Authentication and key agreement 4. Initial L3 message CKSN 2. Decide AKA / No AKA Security mode command UEA, UIA, UEA MS, UIA MS FRESH 6. (first integrity protected message) Security mode complete 7.(first ciphered message)

24 PKS 2000, San JoseSecurity of 3GPP networks23 Security Parameters & Choices START(32bits) initial hyperframe number used to initialise COUNT-C/I assures user MAC-I is fresh START stored/updated USIM CKSN(3 bits)cipher key sequence number indicates the key set that is stored in USIM when START exceeds a certain threshold, CKSN can be used to trigger a new AKA FRESH(32 bits) network nonce assures network MAC-I fresh AKA is performed when the user enters a new SN the user indicates that a new AKA is required when the amount of data ciphered with CK has reached a threshold the serving network decides Otherwise integrity-key based authentication Selection of UEA and UIA by user/user’s home environment

25 PKS 2000, San JoseSecurity of 3GPP networks24 Network Domain Security Overview Application layer security for signalling protocols running over SS7 e.g. MAP, CAP IP layer security for native IP based protocols e.g. GTP, CSCF-HSS signalling

26 PKS 2000, San JoseSecurity of 3GPP networks25 Application Layer Security, 1

27 PKS 2000, San JoseSecurity of 3GPP networks26 Application Layer Security, 2 MAP signalling provided with encryption, origin authentication and integrity using standard symmetric techniques Block cipher BEANO designed by ETSI SAGE for public network operators may be used For communications secured at the application layer, 3GPP will define new Security Associations (i.e. create a new Domain of Interpretation for ISAKMP)

28 PKS 2000, San JoseSecurity of 3GPP networks27 IP Layer Security, 1

29 PKS 2000, San JoseSecurity of 3GPP networks28 IP Layer Security, 2 IP layer security provides encryption, origin authentication and integrity using standard IPsec techniques Security may be applied end-to-end between Network Elements (NE) hop-by-hop via Security Gateways (SEG) For communications secured using IPsec, the IETF IPsec Security Association will be adapted/profiled for 3GPP

30 PKS 2000, San JoseSecurity of 3GPP networks29 Key Management For Network Domain Security A two-tiered key management architecture will be adopted in the first phase KACs support IKE and public key crypto Migration to a PKI-based flat key management architecture will be considered for later phases NEs support IKE and public key crypto On-line KACs become off-line CAs

31 PKS 2000, San JoseSecurity of 3GPP networks30 Encryption & Integrity Algorithm Requirements Stream cipher f8 and integrity function f9 - parameters already described Low power, low gate-count hardware, as well as software No practical attack significantly more efficient than exhaustive key search No export restrictions on terminals (or SIMs); network equipment exportable under licence in accordance with Wassenaar Time for development - six months!

32 PKS 2000, San JoseSecurity of 3GPP networks31 General Approach to Design Robust approach to exportability - full strength algorithm and expect agencies to fall into line ETSI SAGE appointed as design authority Take existing algorithm as starting point Use block cipher as building block for both algorithms - MISTY1 chosen: fairly well studied, some provable security aspects parameter sizes suitable designed to be efficient in hardware and software offered by Mitsubishi free from royalty payments

33 PKS 2000, San JoseSecurity of 3GPP networks32 Design and Analysis Designed by SAGE team, led by Gert Roelofsen with external experts: SAGE design and evaluation teams joined by Mitsuru Matsui from Mitsubishi - designer of MISTY additional evaluators from Nokia, Ericsson and Motorola led by Kaisa Nyberg External evaluation by three teams: Leuven: Lars Knudsen, Bart Preneel, Vincent Rijmen, Johan Borst, Matt Robshaw Ecole Normale Superiere: Jacques Stern, Serge Vaudenay Royal Holloway: Fred Piper, Sean Murphy, Peter Wild, Simon Blackburn Open Publication

34 PKS 2000, San JoseSecurity of 3GPP networks33 Kasumi Simpler key schedule than MISTY Additional functions to complicate cryptanalysis without affecting provable security aspects Changes to improve statistical properties Minor changes to speed up or simplify hardware Stream ciphering f8 uses Kasumi in a form of output feedback, but with: BLKCNT added to prevent cycling initial extra encryption added to protect against chosen plaintext attack and collisions Integrity f9 uses Kasumi to form CBC MAC with: non-standard addition of 2nd feedforward

35 PKS 2000, San JoseSecurity of 3GPP networks34 3GPP Stream Cipher f8

36 PKS 2000, San JoseSecurity of 3GPP networks35 3GPP Integrity Function f9

37 PKS 2000, San JoseSecurity of 3GPP networks36 Other Aspects of 3GPP Security Options in AKA for sequence management Re-authentication during a connection and periodic in-call Failure procedures Interoperation with GSM AKA+ and interoperation with 3GPP2 standards Formal analysis of AKA User identity confidentiality and enhanced user identity confidentiality (R00) User configurability and visibility of security features User-USIM, USIM-terminal & USIM - network (SAT) Terminal (identity) security Lawful interception Fraud information gathering Network wide encryption (R00) Location services security Access to user profiles Mobile IP security (R00+) Provision of a standard authentication and key generation algorithm for operators who do not wish to produce their own

38 PKS 2000, San JoseSecurity of 3GPP networks37 References to 3GPP Security Principles, objectives and requirements TS 33.120 Security principles and objectives TS 21.133 Security threats and requirements Architecture, mechanisms and algorithms TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm requirements TS 22.022 Personalisation of mobile equipment Lawful interception TS 33.106 Lawful interception requirements TS 33.107 Lawful interception architecture and functions Technical reports TR 33.900 A guide to 3G security TR 33.901 Criteria for cryptographic algorithm design process TR 33.902 Formal analysis of the 3G authentication protocol TR 33.908 General report on the design, specification and evaluation of 3GPP standard confidentiality and integrity algorithms TR 33.909 Algorithm evaluation report Algorithm specifications Specification of the 3GPP confidentiality and integrity algorithms Document 1: f8 & f9 Document 2: KASUMI Document 3: implementors’ test data Document 4: design conformance test data

Download ppt "PKS 2000, San JoseSecurity of 3GPP networks1 On the Security of 3GPP Networks Michael Walker Vodafone AirTouch & Royal Holloway, University of London."

Similar presentations

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
Mobile Switching Systems Unit, L M Ericsson in Finland

Mobile Switching Systems Unit, L M Ericsson in Finland
Eurocrypt 2000Security of 3GPP networks1 On the Security of 3GPP Networks Michael Walker Vodafone AirTouch & Royal Holloway, University of London Chairman.

Eurocrypt 2000Security of 3GPP networks1 On the Security of 3GPP Networks Michael Walker Vodafone AirTouch & Royal Holloway, University of London Chairman.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
GSM Security and Encryption

GSM Security and Encryption
Cryptography in Public Wireless Networks Mats Näslund Communication Security Lab Ericsson Research Feb 27, 2004.

Cryptography in Public Wireless Networks Mats Näslund Communication Security Lab Ericsson Research Feb 27, 2004.
GSM and UMTS Security.

GSM and UMTS Security.
Peter Howard Vodafone Group R&D

Peter Howard Vodafone Group R&D
Network Security Security in Traditional Wireless Networks 1 Network Security Chapter 6. Security in Traditional Wireless Networks.

Network Security Security in Traditional Wireless Networks 1 Network Security Chapter 6. Security in Traditional Wireless Networks.
GSM Protocol Stack Shrish Mammattva Bajpai. What is Protocol Stack ? A protocol stack (sometimes communications stack) is a particular software implementation.

GSM Protocol Stack Shrish Mammattva Bajpai. What is Protocol Stack ? A protocol stack (sometimes communications stack) is a particular software implementation.
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
UNIVERSAL MOBILE TELECOMMUNICATION SYSTEM(UMTS). EVOLUATION OF MOBILE COMMUNICATION 1 st Generation : Analog Cellular 2 nd Generation : Multiple Digital.

UNIVERSAL MOBILE TELECOMMUNICATION SYSTEM(UMTS). EVOLUATION OF MOBILE COMMUNICATION 1 st Generation : Analog Cellular 2 nd Generation : Multiple Digital.
Mobile Communication MMS / GPRS. What is GPRS ? General Packet Radio Service (GPRS) is a new bearer service for GSM that greatly improves and simplifies.

Mobile Communication MMS / GPRS. What is GPRS ? General Packet Radio Service (GPRS) is a new bearer service for GSM that greatly improves and simplifies.
Myagmar, Gupta UIUC 2001 1 3G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.

Myagmar, Gupta UIUC G Security Principles Build on GSM security Correct problems with GSM security Add new security features Source: 3GPP.
GSM standard (continued)

GSM standard (continued)
Doc.: IEEE 802.11-04/0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.

Doc.: IEEE /0408r0 Submission March 2004 Colin Blanchard, BTSlide 1 3GPP WLAN Interworking Security Colin Blanchard British Telecommunications.
SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.

SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
 The GSM network is divided into two systems. each of these systems are comprised of a number of functional units which are individual components of the.

 The GSM network is divided into two systems. each of these systems are comprised of a number of functional units which are individual components of the.
General Packet Radio Service (GPRS) A new Dimension to Wireless Communication.

General Packet Radio Service (GPRS) A new Dimension to Wireless Communication.

Similar presentations

Ads by Google