network security – week 8 - kaistcaislab.kaist.ac.kr/lecture/2007/fall/ice615/lecture_note... ·...


Network Security – Week 8

Network Security

Prof Chan Yeob Yeun

October 22, 2007

School of Engineering,

Information and Communications University


2 / 58 © Information Security Group, ICU

Weekly Lecture Plan

Wk (dates): Contents [Cmt]

Wk 1 (8/27,29): Introduction to Information Security & Network Security
Wk 2 (9/3,5): CS, PKC and Digital Signature [Cmt: TP Plan]
Wk 3 (9/10,12): New PKCs and Semantic Security [Cmt: Hw#1]
Wk 4 (9/17,19): Security Protocols
Wk 5 (10/1): TP Contest #1 [Cmt: TP Rep#1]
Wk 6 (10/8): TP Contest #2
Wk 7 (10/15,17): Revision and Mid Term Exam
Wk 8 (10/22,24): Applications of Security I, GSM / 3G Security [Cmt: Hw #2]
Wk 9 (10/29,31): Applications of Security II
Wk 10 (11/5,7): Applications of Security III [Cmt: Hw#3]
Wk 11 (11/12,14): SSL and TLS
Wk 12 (11/19,21): IPSec and SET [Cmt: HW#4]
Wk 13 (11/26,28): Firewall and IDS
Wk 14 (12/3,5): TP Contest #2 [Cmt: TP paper]
Wk 15 (12/12): Final Exam


Mobile Communications

First telephone (photophone) – Alexander Bell, 1880

The first car mounted radio telephone – 1921

1946 – First commercial mobile radio-telephone service by Bell and AT&T in Saint Louis, USA. Half duplex (PTT)

1973 – First handheld cellular phone – Motorola.


Mobile Evolution (1/3)

[Figure: timeline of mobile services, 1999 to 2007: GSM (SMS, Live Information Services, e-mail), Mobile ISP, WAP, GPRS/3GPP, UMTS, HSDPA]


Mobile Evolution (2/3)

Evolution of Network and Digital Convergence create a new era of Mobile Services

[Figure with three panels: Network Evolution, Digital Convergence, Service Evolution.

Network Evolution: Cellular 2G (14.4k), 2.5G (~144k), 3G (over 384k); Heterogeneous LAN: 802.11b, 802.11g/a; MAN: WiMax; PAN: BT, UWB, RFID.

Digital Convergence: Entertainment, Information, Multimedia; TV, Game; MP3, Camera, Camcorder; GPS, PC, PDA.

Service Evolution: 2D Standalone Game, GPS based E911, Bluetooth Application, Mobile TV, Wi Fi, Location Based Service, Mobile 3D Gaming.

Generation axis: 2G, 2.5G, 3G, 4G; technologies GSM, GPRS, EDGE, HSDPA, WCDMA, IS-95A, IS-95B, 1x RTT, 1x EVDV, 1x EV-DO, All IP; data rates 9.6~14.4k, 144k~, 384k~, 10M~.]


Mobile Evolution (3/3)

Introduction to GSM networking

GSM Security

Terminal and SIM

Value-Added Services

Introduction to 3rd generation networking

Build on GSM Security

Add new security features


Cellular principles

Frequency reuse – same frequency in many cell sites

Cellular expansion – easy to add new cells

Handover – moving between cells

Roaming between networks


Generation Gap (1/3)

Generation #1 – Analog [routines for sending voice]

All systems are incompatible

No international roaming

Little capacity – cannot accommodate masses of subscribers

Generation #2 – digital [voice encoding]

Increased capacity

More security

Compatibility

Can use TDMA or CDMA for increasing capacity


Generation Gap (2/3)

Time Division Multiple Access (TDMA)

Each channel is divided into timeslots, each conversation uses one timeslot.

Many conversations are multiplexed into a single channel.

Used in GSM

Code Division Multiple Access (CDMA)

All users share the same frequency all the time!

To pick out the signal of a specific user, that signal is modulated with a unique code sequence.

Generation #2.5 – packet-switching

Connection to the internet is paid by packets and not by connection time.

Connection to internet is cheaper and faster [up to 56KBps]

The service name is GPRS – General Packet Radio Services


Generation Gap (3/3)

Generation #3

Permanent web connection at 2Mbps

Internet, phone and media: 3 in 1

The standard based on GSM is called UMTS.

The EDGE standard is the development of GSM towards 3G.

World First 3G + DVB-H Commercial Development


GSM (1/3)

More than 800 million end users in 190 countries and representing over 70% of today's digital wireless market.

source: GSM Association

Mobile phone is identified by SIM card.

Key feature of the GSM

Has the “secret” for authentication

GSM comes in three flavors (frequency bands): 900, 1800, 1900 MHz. 900 is the Orange flavour in Israel.

Voice is digitized using Full-Rate coding.

20 ms sample => 260 bits. 13 Kbps bitrate

GSM uses TDMA and FDMA to let everybody talk.

FDMA: 25MHz freq. is divided into 124 carrier frequencies. Each base station gets a few of those.

TDMA: Each carrier frequency is divided into bursts [0.577 ms]. 8 bursts are a frame.


GSM (2/3)

BTS – houses the radio transceivers of the cell and handles the radio-link protocols with the mobile

BSC – manages radio resources (channel setup, handover) for one or more BTSs

HLR – database of all users + current location. One per network

VLR – database of users + roamers in some geographic area. Caches the HLR

EIR – database of valid equipment

AuC – Database of users’ secret keys


GSM (3/3)


The physical channel in GSM is the timeslot.

The logical channel is the information which goes through the physical ch.

Both user data and signaling are logical channels.

User data is carried on the traffic channel (TCH) , which is defined as 26 TDMA frames.

There are lots of control channels for signaling, base station to mobile, mobile to base station (“aloha” to request network access)

SS7: Signaling protocol for networks

Packet-switching [like IP]

GSM uses SS7 for communication between HLR and VLR (allowing roaming) and other advanced capabilities.

GSM’s protocol which sits on top of SS7 is MAP – mobile application part


Evolution of Mobile Security

Mobile phone is rapidly evolving into drastically more than a wireless phone - it is transforming into a “Ubiquitous Device (UD) with Multi-Mode Capabilities”.

We are going to look at the following mobile security topics:

GSM Security

WAP Security

3GPP Security

This will allow for a large variety of new services and applications - including

Mobile Commerce Applications

Mobile Games, Voting

Mobile Location Based Services

Mobile TV Services – Data Interactive

The Security Architecture for future terminals and applications focuses on several requirements and analyses whether these requirements can be fulfilled with PKIs and/or PK applications.


GSM Security (1/26)

The GSM standard includes a number of features designed to secure the radio access

Subscriber identity confidentiality

Subscriber identity authentication

Confidentiality of user traffic and signalling

Mobile equipment identity checking

Cryptographic authentication of subscriber to network

Stream ciphering of user traffic and user-related control data on the air interface

Use of SIM as security module for key distribution, authentication and cipher key generation


GSM Security (2/26)

Operators

Bill the right people

Avoid fraud

Protect Services

Customers

Privacy

Anonymity

Confidentiality and Anonymity on the radio path

Strong client authentication to protect the operator against billing fraud

Prevention of operators from compromising each other’s security

Inadvertently

Competition pressure


GSM Security (3/26)

The security mechanism

MUST NOT

Add significant overhead on call set up

Increase bandwidth of the channel

Increase error rate

Add expensive complexity to the system

MUST

Cost effective scheme

Define security procedures

Generation and distribution of keys

Exchange information between operators

Confidentiality of algorithms

Key management is independent of equipment

Subscribers can change handsets without compromising security

Subscriber identity protection

Not easy to identify the user of the system by intercepting user data

Detection of compromised equipment

Detection mechanism for whether a mobile device was compromised or not

Subscriber authentication

The operator knows for billing purposes who is using the system

Signaling and user data protection

Signaling and data channels are protected over the radio path


GSM Security (4/26)

Mobile Station

Mobile Equipment (ME)

Physical mobile device

Identifiers

IMEI – International Mobile Equipment Identity

Subscriber Identity Module (SIM)

Smart Card containing keys, identifiers and algorithms

Identifiers

Ki – Subscriber Authentication Key

IMSI – International Mobile Subscriber Identity

TMSI – Temporary Mobile Subscriber Identity

MSISDN – Mobile Station International Service Digital Network

PIN – Personal Identity Number protecting a SIM

LAI – location area identity



GSM Security (5/26)

Ki – Subscriber Authentication Key

Shared 128 bit key used for authentication of subscriber by the operator

Key Storage

Subscriber’s SIM (owned by operator, i.e. trusted)

Operator’s Home Location Register (HLR) of the subscriber’s home network

SIM can be used with different equipment

TMSI – Temporary Mobile Subscriber Identity

Goals

TMSI is used instead of IMSI as a temporary subscriber identifier

TMSI prevents an eavesdropper from identifying the subscriber

Usage

TMSI is assigned when IMSI is transmitted to AuC on the first phone switch on

Every time a location update (new MSC) occurs the network assigns a new TMSI

TMSI is used by the MS to report to the network or during a call initialization

Network uses TMSI to communicate with MS

On MS switch off TMSI is stored on SIM card to be reused next time

The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI


GSM Security (6/26)

International Mobile Equipment Identifier (IMEI)

Identifier that allows mobiles to be identified

IMEI is independent of SIM

Used to identify stolen or compromised equipment

Equipment Identity Register (EIR)

Black list – stolen or non-type mobiles

White list - valid mobiles

Gray list – local tracking mobiles

Central Equipment Identity Register (CEIR)

Approved mobile type (type approval authorities)

Consolidated black list (posted by operators)

Authentication Goals

Subscriber (SIM holder) authentication

Protection of the network against unauthorized use

Create a session key

Authentication Scheme

Subscriber identification: IMSI or TMSI

Challenge-Response authentication of the subscriber by the operator


GSM Security (7/26) - Authentication

Ki = Subscriber authentication key (128 bit)

RAND = Authentication challenge (128 bit)

(X)RES = (Expected) authentication response (32 bit)

Kc = Cipher key (64 bit)

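[Figure: message flow between SIM, MSC/VLR and HLR/AuC]

MSC/VLR → HLR/AuC: Authentication Data Request

HLR/AuC: A3 and A8 take Ki and RAND and produce XRES and Kc

HLR/AuC → MSC/VLR: {RAND, XRES, Kc}

MSC/VLR → SIM: RAND

SIM: A3 and A8 take Ki and RAND and produce RES and Kc

SIM → MSC/VLR: RES

MSC/VLR: RES = XRES?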


GSM Security (8/26) - Encryption

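[Figure: the same chain on both sides, SIM and ME on one side, MSC/VLR and HLR/AuC on the other. A3 takes Ki and the challenge RAND and outputs the signed response (SRES); A8 takes Ki and RAND and outputs Kc; A5 takes Kc and Fn and turns data mi into Encrypted Data and back into mi. Authentication: are SRES values equal?]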

AuC – Authentication Center

Provides parameters for authentication and encryption functions (RAND, SRES, Kc)

HLR – Home Location Register

Provides MSC (Mobile Switching Center) with triples (RAND, SRES, Kc)

Handles MS location

VLR – Visitor Location Register

Stores generated triples by the HLR when a subscriber is not in his home network

One operator doesn’t have access to subscriber keys of another operator.
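The triple-based exchange on the two slides above, as an added example that is not part of the lecture. A3 and A8 are operator-chosen, so HMAC-SHA256 truncated to the slide's sizes stands in for them here (an assumption, not COMP128); the class names, method names and the test IMSI are also constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A3: 128-bit Ki, 128-bit RAND -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator's A8: 128-bit Ki, 128-bit RAND -> 64-bit Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """Home network side (HLR/AuC): the only network element that stores Ki."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        ki = secrets.token_bytes(16)      # the same Ki is personalised into the SIM
        self._ki[imsi] = ki
        return ki

    def triples(self, imsi: str, count: int):
        """Answer an Authentication Data Request with (RAND, XRES, Kc) triples."""
        ki = self._ki[imsi]
        batch = []
        for _ in range(count):
            rand = secrets.token_bytes(16)
            batch.append((rand, a3(ki, rand), a8(ki, rand)))
        return batch


class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def respond(self, rand: bytes) -> bytes:
        # The SIM answers whatever RAND it is given: the subscriber is
        # authenticated to the network, the network is not authenticated back.
        self.kc = a8(self._ki, rand)
        return a3(self._ki, rand)


class VLR:
    """Serving MSC/VLR: works from triples only and never sees Ki."""

    def __init__(self, auc: AuC):
        self._auc = auc
        self.triples = {}

    def authenticate(self, sim: SIM):
        """Run one challenge-response. Returns Kc on success, None on failure."""
        queue = self.triples.setdefault(sim.imsi, [])
        if not queue:
            queue.extend(self._auc.triples(sim.imsi, 3))
        rand, xres, kc = queue.pop(0)     # each triple is consumed once
        res = sim.respond(rand)
        return kc if hmac.compare_digest(res, xres) else None


def demo():
    auc = AuC()
    imsi = "001010123456789"              # constructed test IMSI
    ki = auc.provision(imsi)
    vlr = VLR(auc)
    genuine = SIM(imsi, ki)
    clone = SIM(imsi, secrets.token_bytes(16))   # right IMSI, wrong Ki
    kc_network = vlr.authenticate(genuine)
    return {
        "genuine_accepted": kc_network is not None,
        "kc_agrees": kc_network == genuine.kc,
        "triples_left": len(vlr.triples[imsi]),
        "clone_accepted": vlr.authenticate(clone) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The serving network can authenticate a roaming subscriber and obtain Kc without ever holding Ki, which is the separation between operators that the slide describes.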


GSM Security (9/26)

A3 Authentication Algorithm

Generation of SRES response to MSC’s random challenge RAND

[Figure: A3 takes RAND (128 bit) and Ki (128 bit) and outputs SRES (32 bit)]


GSM Security (10/26)

A8 Voice Privacy Key Generation Algorithm

Generation of session key Ks

A8 specification was never made public

Both A3 and A8 algorithms are implemented on the SIM

Operator can decide which algorithm to use.

Algorithms implementation is independent of hardware manufacturers and network operators.

[Figure: A8 takes RAND (128 bit) and Ki (128 bit) and outputs Kc (64 bit)]


GSM Security (11/26)

COMP128 is used for both A3 and A8 in most GSM networks.

COMP128 is a keyed hash function

[Figure: COMP128 takes RAND (128 bit) and Ki (128 bit) and gives a 128 bit output: SRES 32 bit and Kc 54 bit]


GSM Security (12/26)

A5 is a stream cipher (Encryption Algorithm)

Implemented very efficiently on hardware

Design was never made public

Leaked to Ross Anderson and Bruce Schneier

Variants

A5/1 – the strong version

A5/2 – the weak version

A5/3

GSM Association Security Group and 3GPP design

Based on Kasumi algorithm used in 3G mobile systems


GSM Security (13/26)

[Figure: Mobile Station and BTS each run A5 on Kc (64 bit) and Fn (22 bit) to produce 114 bit of keystream. The Mobile Station XORs the keystream with Data (114 bit) to give Ciphertext (114 bit); the BTS XORs the ciphertext with the same keystream to recover Data (114 bit).]

Real A5 output is 228 bit for both directions


GSM Security (14/26)

[Figure: GSM network architecture with the A5 Encryption segment marked. Blocks: Mobile Stations; Base Station Subsystem (BTS, BSC); Exchange System (MSC, VLR); Network Management (OMC); Subscriber and terminal equipment databases (HLR, EIR, AUC).]


GSM Security (15/26)

Subscriber Identification Module (SIM)

Smart Card – a single chip computer containing OS, File System, Applications

Protected by PIN

Owned by operator (i.e. trusted)

SIM applications can be written with SIM Toolkit


GSM Security (16/26) - Smart Card Anatomy


GSM Security (17/26) - Microprocessor Cards

Typical specification

8 bit CPU

16 K ROM

256 bytes RAM

4K EEPROM

Cost: $5-50

Smart Card Technology

Based on ISO 7816 defining

Card size, contact layout, electrical characteristics

I/O Protocols: byte/block based

File Structure


GSM Security (18/26) - Attacks

SIM Attacks

Radio-link interception attacks

Operator network attacks

GSM does not protect an operator’s network

1991

First GSM implementation.

April 1998

The Smartcard Developer Association (SDA) together with U.C. Berkeley researchers cracked the COMP128 algorithm stored in SIM and succeeded in getting Ki within several hours. They discovered that Kc uses only 54 bits.

August 1999

The weak A5/2 was cracked using a single PC within seconds.

December 1999

Alex Biryukov, Adi Shamir and David Wagner published a scheme breaking the strong A5/1 algorithm. With two minutes of intercepted call, the attack time was only 1 second.

May 2002

The IBM Research group discovered a new way to quickly extract the COMP128 keys using side channels.


GSM Security (19/26) - COMP128

Pseudo-code of the compression in COMP128 algorithm

• X[0..15] = Ki; X[16..31] = RAND;

• Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]


GSM Security (20/26) - Traditional Cryptographic Assumptions

[Figure: Smart Card with Input, Crypto Processing (Sensitive Information) and Output, labelled “Traditional Cryptographic Attacks”]


GSM Security (21/26) - Actual Information Available

Side Channels

• Power Consumption

• Electromagnetic radiation

• Timing

• Errors

• Etc.

[Figure: Smart Card with Input, Crypto Processing (Sensitive Information) and Output, labelled “Side Channel Attacks”]


GSM Security (22/26) - Simple Power DES Analysis

SPA of DES operation performed by a typical Smart Card

Above: initial permutation, 16 DES rounds, final permutation

Below: detailed view of the second and third rounds


GSM Security (23/26) - Partitioning Attack on COMP128

Attack Goal

Ki stored on SIM card

Knowing Ki it’s possible to clone SIM

Cardinal Principle

Relevant bits of all intermediate cycles and their values should be statistically independent of the inputs, outputs, and sensitive information.

Attack Idea

Find a violation of the Cardinal Principle, i.e. side channels whose signals do depend on inputs, outputs and sensitive information

Try to exploit the statistical dependency in signals to extract sensitive information

How to implement 512 element T0 table on 8 bit Smart Card (i.e. index is 0..255)?

Split 512 element table into two 256 element tables

It’s possible to detect access of different tables via side channels!

Power Consumption

Electromagnetic radiation


GSM Security (24/26) - Partitioning Attack on COMP128

Pseudo-code of the compression in COMP128 algorithm

• X[0..15] = Ki; X[16..31] = RAND;

• Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]


GSM Security (25/26) - Partitioning Attack on COMP128

[Figure: the array X with index marks 0, 15, 16, 32. Before the first lookup it holds K[0], K[1], …, K[15], R[0], …, R[15]. After the first lookup, K[0] is replaced by T0[y] and R[0] by T0[z].]

y = K[0] + 2R[0]

z = 2K[0] + R[0]

Values of y and z depend on the first bytes of K and R

It’s possible to detect via side channels whether values of y and z are within [0..255] or [256..511].


GSM Security (26/26) - Partitioning Attack on COMP128

All we need is…

A) Find R[0] such that

K[0] + 2R[0] (mod 512) < 256

K[0] + 2(R[0]+1) (mod 512) >= 256

(There are only two options)

B) Find R’[0] such that

2K[0] + R’[0] (mod 512) < 256

2K[0] + R’[0] + 1 (mod 512) >= 256

C) One of K[0] from A) will match B)

The key byte is always uniquely determined from partitioning information.

Computation of the other bytes of K is similar.
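A leakage check for the split T0 table described in the slides above, added here as an illustration and not taken from the lecture. It models what an observer learns from seeing only which half of T0 each lookup touches, and counts how many values of K[0] stay indistinguishable; the y and z formulas are the slides', while the function names and the leak_none model of an implementation with no visible difference are assumptions.

```python
def half_y(k: int, r: int) -> int:
    """Which half of T0 the lookup T0[y] touches, y = K[0] + 2R[0] (mod 512)."""
    return ((k + 2 * r) % 512) >> 8       # 0 -> T0[0..255], 1 -> T0[256..511]


def half_z(k: int, r: int) -> int:
    """Which half of T0 the lookup T0[z] touches, z = 2K[0] + R[0] (mod 512)."""
    return ((2 * k + r) % 512) >> 8


def leak_y(k: int, r: int):
    return (half_y(k, r),)


def leak_z(k: int, r: int):
    return (half_z(k, r),)


def leak_both(k: int, r: int):
    return (half_y(k, r), half_z(k, r))


def leak_none(k: int, r: int):
    # Assumed model of an implementation whose two table halves look identical.
    return ()


def key_classes(observe):
    """Group the 256 values of K[0] by what is observable over every R[0].

    Key bytes that land in the same class cannot be told apart by the observer.
    """
    classes = {}
    for k in range(256):
        trace = tuple(observe(k, r) for r in range(256))
        classes.setdefault(trace, []).append(k)
    return list(classes.values())


def step_a_boundaries(k: int):
    """Every R[0] that meets condition A) of the slide for a given K[0]."""
    return [r for r in range(255)
            if half_y(k, r) == 0 and half_y(k, r + 1) == 1]


def step_a_candidates(r0: int):
    """Every K[0] for which r0 is the boundary found in condition A)."""
    return [k for k in range(256) if step_a_boundaries(k) == [r0]]


def summary():
    """Map each leak model to (number of classes, size of the largest class)."""
    models = {"y_only": leak_y, "z_only": leak_z,
              "y_and_z": leak_both, "no_leak": leak_none}
    out = {}
    for name, observe in models.items():
        classes = key_classes(observe)
        out[name] = (len(classes), max(len(c) for c in classes))
    return out


if __name__ == "__main__":
    for name, (count, largest) in summary().items():
        print(f"{name}: {count} classes, largest holds {largest} key byte(s)")
```

With the slides' formulas the y lookup alone leaves pairs of candidates, matching "(There are only two options)", and once the z lookup is observed every key byte has its own class, which is why the split table violates the Cardinal Principle.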


GSM Security Limitations

Developed in early 80’s – when export laws were harsh

64 bit cipher key, Kc

Stream cipher, A5/1

“Broken”, but Shamir-Biryukov-Wagner attack requires 2s of exact plaintext

Attack requires control of the channel being attacked

A5/3 is proposed

Designed to provide access security

Ciphering only extends as far as the base station

Did not address active attacks where network elements are impersonated

“False base station” attack possible


GSM Security (Modify and) Retain

Subscriber authentication

Radio access network encryption

Key length extended to 128 bits, open design of new algorithm, encryption terminated further back in network

Subscriber identity confidentiality

Continue to use a smart card as a security module (UMTS SIM, “USIM”)


WAP Security (1/5)

WAP is “an open, global specification and empowers mobile users with wireless devices to easily access and interact with information and services instantly.”

WAP-enabled phones can access interactive services such as information, location based services, corporate information and interactive entertainment.

WAP is targeted at various types of handheld devices, including Pocket PCs and Bluetooth enabled mobile phones

WAP 1.x security is in the WTLS protocol which is based on TLS/SSL. However, sensitive information can be translated into cleartext, so the operator may read sensitive information at the WAP gateway.

WAP 2.0 uses TLS instead of WTLS due to requiring end-to-end security with all-IP based technology in order to overcome the WAP gateway security breaches.

WAP 2.0 overcomes this problem by using TLS tunnelling to support end-to-end security.


WAP Security (2/5) – WAP 1.x Architecture


WAP Security (3/5) – WAP 2.0 Architecture


WAP Security (4/5) – Web & WAP 1.x Session Security

[Figure: Web: client to Web Server over Secure Sockets Layer (SSL) & Transport Layer Security (TLS), providing Authentication - Integrity - Confidentiality. WAP: client to WAP Gateway/Server over Wireless TLS (WTLS), providing Authentication, Integrity, Confidentiality; then WAP Gateway/Server to Web Server over SSL/TLS.]


WAP Security (5/5) – Web & WAP 2.0 Session Security

[Figure: Web: client to Web Server over Secure Sockets Layer (SSL) & Transport Layer Security (TLS), providing Authentication - Integrity - Confidentiality. WAP: SSL/TLS, providing Authentication, Integrity, Confidentiality, between the client, the WAP Proxy and the Web Server.]


3G Architecture

Evolution from existing European and US digital cellular systems (W-CDMA, CDMA2000, UMTS)

Promises broadband multimedia on everyone’s handset and a multitude of related services.

Spectrum up for auctions in many countries, put many operators in financial debt.

Delays in 3G rollouts cast doubt over its success. Some talk about jumping to 4G directly.


3G Security (1/8) – New Security Features

Network Authentication

The user can identify the network

Explicit Integrity

Data integrity is assured explicitly by use of integrity algorithms

Also stronger confidentiality algorithms with longer keys

Network Security

Mechanisms to support security within and between networks

Switch Based Security

Security is based within the switch rather than the base station

IMEI Integrity

Integrity mechanisms for IMEI provided from the start

Secure Services

Protect against misuse of services provided by SN and HE

Secure Applications

Provide security for applications resident on USIM

Fraud Detection

Mechanisms for combating fraud in roaming situations


3G Security (2/8) – New Security Features

Fraud Detection

Mechanisms to combat fraud in roaming situations

Flexibility

Security features can be extended and enhanced as required by new threats and services

Visibility and Configurability

Users are notified whether security is on and what level of security is available

Users can configure security features for individual services

Compatibility

Standardized security features to ensure world-wide interoperability and roaming

At least one encryption algorithm exported on world-wide basis

Lawful Interception

Mechanisms to provide authorized agencies with certain information about subscribers


3G Security (3/8) – User Confidentiality

Permanent user identity IMSI, user location, and user services cannot be determined by eavesdropping

Achieved by use of temporary identity (TMSI) which is assigned by VLR

IMSI is sent in cleartext when establishing TMSI

[Figure: exchange between USIM and VLR, with messages labelled IMSI request, IMSI, TMSI allocation, TMSI acknowledgement.]


3G Security (4/8) – Authentication

K = Subscriber authentication key (128 bit)

RAND = User authentication challenge (128 bit)

(X)RES = f2_K(RAND) = (Expected) user response (32-128 bit)

CK = f3_K(RAND) = Cipher key (128 bit)

IK = f4_K(RAND) = Integrity key (128 bit)

AK = f5_K(RAND) = Anonymity key (48 bit)

SQN = Sequence number (48 bit)

AMF = Authentication management field (16 bit)

[Figure: AKA message flow between USIM, MSC/VLR and HLR/AuC]

MSC/VLR → HLR/AuC: Authentication Data Request

HLR/AuC: RAND, SQN, AMF and Ki go through f1-f5 to give XRES, CK, IK, AK, MAC

HLR/AuC → MSC/VLR: {RAND, XRES, CK, IK, SQN⊕AK||AMF||MAC}

MSC/VLR → USIM: RAND, SQN⊕AK||AMF||MAC

USIM: Verify MAC using f1; Decrypt SQN using f5; Check SQN freshness; RAND and Ki go through f2-f4 to give RES, CK, IK

USIM → MSC/VLR: RES

MSC/VLR: RES = XRES?


3G Security (5/8) – Authentication

Generation of authentication data at HLR:

[Figure: Generate SQN and Generate RAND; K, SQN, RAND and AMF feed f1, f2, f3, f4, f5, which give MAC, XRES, CK, IK, AK.]

AUTN := SQN ⊕ AK || AMF || MAC

AV := RAND || XRES || CK || IK || AUTN


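3G Security (6/8) – Authentication

Generation of authentication data in USIM:

[Figure: AUTN is split into SQN ⊕ AK, AMF and MAC. f5 takes K and RAND and gives AK, which recovers SQN. f1, f2, f3, f4 take K, SQN, RAND and AMF and give XMAC, RES, CK, IK.]

Verify MAC = XMAC

Verify that SQN is in the correct range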
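The authentication vector generation at the HLR and its verification in the USIM, as an added example that is not part of the lecture notes. HMAC-SHA256 stands in for f1 to f5, and the 64-bit MAC and RES lengths, the "greater than the highest SQN seen" freshness rule, and the key and AMF values are assumptions made for the example.

```python
import hashlib, hmac, os

def f(n, k, data, nbytes):
    # Stand-in for f1..f5 (assumption): HMAC-SHA256 keyed with K, domain-separated by n.
    return hmac.new(k, bytes([n]) + data, hashlib.sha256).digest()[:nbytes]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hlr_generate_av(k, sqn, amf, rand=None):
    """HLR/AuC side: build one authentication vector (RAND, XRES, CK, IK, AUTN)."""
    rand = os.urandom(16) if rand is None else rand   # 128-bit challenge
    mac = f(1, k, sqn + rand + amf, 8)                # MAC over SQN, RAND, AMF (64 bit assumed)
    xres = f(2, k, rand, 8)                           # 64 bit, inside the 32-128 bit range
    ck, ik = f(3, k, rand, 16), f(4, k, rand, 16)     # 128-bit cipher and integrity keys
    ak = f(5, k, rand, 6)                             # 48-bit anonymity key
    autn = xor(sqn, ak) + amf + mac                   # AUTN := SQN xor AK || AMF || MAC
    return rand, xres, ck, ik, autn

def usim_verify(k, rand, autn, highest_sqn_seen):
    """USIM side: authenticate the network, then derive RES, CK, IK."""
    concealed_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn = xor(concealed_sqn, f(5, k, rand, 6))        # recover SQN with AK = f5_K(RAND)
    xmac = f(1, k, sqn + rand + amf, 8)
    if not hmac.compare_digest(mac, xmac):
        raise ValueError("MAC != XMAC: network not authenticated")
    sqn_int = int.from_bytes(sqn, "big")
    if sqn_int <= highest_sqn_seen:                   # simplified range check (assumption)
        raise ValueError("SQN not fresh: replayed vector")
    return f(2, k, rand, 8), f(3, k, rand, 16), f(4, k, rand, 16), sqn_int

if __name__ == "__main__":
    K = bytes(range(16))                              # constructed 128-bit subscriber key
    rand, xres, ck, ik, autn = hlr_generate_av(K, (5).to_bytes(6, "big"), b"\x80\x00")
    res, _, _, sqn = usim_verify(K, rand, autn, highest_sqn_seen=4)
    print("RES = XRES?", hmac.compare_digest(res, xres), "SQN =", sqn)
```

A vector built without the subscriber's K fails the MAC check, and a replayed vector fails the SQN check, so the USIM rejects both before releasing RES.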


3G Security (7/8) – Data Integrity

Integrity of data and authentication of origin of signalling data must be provided

The user and network agree on integrity key and algorithm during AKA and security mode set-up

[Figure: Sender (UE or RNC): COUNT-I, MESSAGE, DIRECTION, FRESH and IK feed f9, which gives MAC-I. Receiver (RNC or UE): COUNT-I, MESSAGE, DIRECTION, FRESH and IK feed f9, which gives XMAC-I.]


3G Security (8/8) – Data Confidentiality

Signalling and user data should be protected from eavesdropping

The user and network agree on cipher key and algorithm during AKA and security mode set-up

[Figure: Sender (UE or RNC): COUNT-C, BEARER, DIRECTION, LENGTH and CK feed f8, which gives a KEYSTREAM BLOCK; PLAINTEXT BLOCK and KEYSTREAM BLOCK give CIPHERTEXT BLOCK. Receiver (RNC or UE): the same f8 inputs give the KEYSTREAM BLOCK; CIPHERTEXT BLOCK and KEYSTREAM BLOCK give PLAINTEXT BLOCK.]
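The f9 integrity check and f8 keystream encryption from the two slides above, as an added example that is not part of the lecture notes. HMAC-SHA256 stands in for f9 and f8, and the 32-bit MAC-I, the field widths, the XOR of data with keystream, LENGTH counted in bytes, and the sample message are assumptions made for the example.

```python
import hashlib, hmac

def f9(ik, count_i, message, direction, fresh):
    # Stand-in for f9 (assumption): HMAC-SHA256 under IK, truncated to a 32-bit MAC-I.
    data = count_i.to_bytes(4, "big") + fresh + bytes([direction]) + message
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]

def receiver_verify(ik, expected_count_i, message, direction, fresh, mac_i):
    """Receiver recomputes XMAC-I with its own COUNT-I and compares it to MAC-I."""
    xmac_i = f9(ik, expected_count_i, message, direction, fresh)
    return hmac.compare_digest(mac_i, xmac_i)

def f8_keystream(ck, count_c, bearer, direction, length):
    # Stand-in for f8 (assumption): HMAC-SHA256 in counter mode, `length` bytes out.
    seed = count_c.to_bytes(4, "big") + bytes([bearer, direction])
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(ck, seed + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def f8_apply(ck, count_c, bearer, direction, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = f8_keystream(ck, count_c, bearer, direction, len(data))
    return bytes(d ^ s for d, s in zip(data, ks))

if __name__ == "__main__":
    IK, CK = bytes(16), bytes(range(16))         # constructed keys
    FRESH = b"\x01\x02\x03\x04"                  # constructed network nonce
    msg = b"constructed signalling message"
    mac_i = f9(IK, 7, msg, 1, FRESH)
    print("accepted:", receiver_verify(IK, 7, msg, 1, FRESH, mac_i))
    print("replay with stale COUNT-I accepted:", receiver_verify(IK, 8, msg, 1, FRESH, mac_i))
    ct = f8_apply(CK, 3, 1, 0, b"user data")
    print("decrypted:", f8_apply(CK, 3, 1, 0, ct))
```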


Problem with 3G Security

IMSI is sent in cleartext when allocating TMSI to the user

The transmission of IMEI is not protected; IMEI is not a security feature

A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of SN

Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set-up


3G vs. GSM

A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.

Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.

Mechanisms were included to support security within and between networks.

Security is based within the switch rather than the base station as in GSM. Therefore links are protected between the base station and switch.

Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than being introduced late as in GSM.

GSM authentication vector: temporary authentication data that enables a VLR/SGSN to engage in GSM AKA with a particular user. A triplet consists of three elements: a) a network challenge RAND, b) an expected user response SRES and c) a cipher key Kc.

UMTS authentication vector: temporary authentication data that enables a VLR/SGSN to engage in UMTS AKA with a particular user. A quintet consists of five elements: a) a network challenge RAND, b) an expected user response XRES, c) a cipher key CK, d) an integrity key IK and e) a network authentication token AUTN.