network security – week 8 - kaistcaislab.kaist.ac.kr/lecture/2007/fall/ice615/lecture_note... ·...
Network Security – Week 8
Network Security
Prof Chan Yeob Yeun
October 22, 2007
School of Engineering,
Information and Communications University
2 / 58 © Information Security Group, ICU
Weekly Lecture Plan
Wk 1 (8/27, 29): Introduction to Information Security & Network Security
Wk 2 (9/3, 5): CS, PKC and Digital Signature [Cmt: TP Plan]
Wk 3 (9/10, 12): New PKCs and Semantic Security [Cmt: Hw#1]
Wk 4 (9/17, 19): Security Protocols
Wk 5 (10/1): TP Contest #1 [Cmt: TP Rep#1]
Wk 6 (10/8): TP Contest #2
Wk 7 (10/15, 17): Revision and Mid Term Exam
Wk 8 (10/22, 24): Applications of Security I, GSM / 3G Security [Cmt: Hw #2]
Wk 9 (10/29, 31): Applications of Security II
Wk 10 (11/5, 7): Applications of Security III [Cmt: Hw#3]
Wk 11 (11/12, 14): SSL and TLS
Wk 12 (11/19, 21): IPSec and SET [Cmt: HW#4]
Wk 13 (11/26, 28): Firewall and IDS
Wk 14 (12/3, 5): TP Contest #2 [Cmt: TP paper]
Wk 15 (12/12): Final Exam
Mobile Communications
First telephone (photophone) – Alexander Bell, 1880
The first car mounted radio telephone – 1921
1946 – First commercial mobile radio-telephone service by Bell and AT&T in Saint Louis, USA. Half duplex (PTT)
1973 – First handheld cellular phone – Motorola.
Mobile Evolution (1/3)
[Figure: timeline, 1999 to 2007, of mobile data services: GSM (SMS, Live Information Services, e-mail), Mobile ISP, WAP, GPRS/3GPP, UMTS, HSDPA]
Mobile Evolution (2/3)
Evolution of Network and Digital Convergence create a new era of Mobile Services
[Figure with three columns: Network Evolution, Digital Convergence, Service Evolution]
Network Evolution: Cellular 2G (14.4k), 2.5G (~144k), 3G (over 384k); Heterogeneous LAN: 802.11b, 802.11g/a; MAN: WiMax; PAN: BT, UWB, RFID
Digital Convergence: Entertainment, Information; TV, Game; Multimedia; MP3, Camera, Camcorder; GPS, PC, PDA
Service Evolution: 2D Standalone Game, GPS based E911, Bluetooth Application, Mobile TV, Wi-Fi, Location Based Service, Mobile 3D Gaming
Roadmap: 2G (9.6~14.4k), 2.5G (144k~), 3G (384k~), 4G (10M~); GSM, GPRS, EDGE, HSDPA, WCDMA; IS-95A, IS-95B, 1x RTT, 1x EV-DV, 1x EV-DO, All IP
Mobile Evolution (3/3)
Introduction to GSM networking
GSM Security
Terminal and SIM
Value-Added Services
Introduction to 3rd generation networking
Build on GSM Security
Add new security features
Cellular principles
Frequency reuse – same frequency in many cell sites
Cellular expansion – easy to add new cells
Handover – moving between cells
Roaming between networks
Generation Gap (1/3)
Generation #1 – Analog [routines for sending voice]
All systems are incompatible
No international roaming
Little capacity – cannot accommodate masses of subscribers
Generation #2 – digital [voice encoding]
Increased capacity
More security
Compatibility
Can use TDMA or CDMA for increasing capacity
Generation Gap (2/3)
Time Division Multiple Access (TDMA)
Each channel is divided into timeslots, each conversation uses one timeslot.
Many conversations are multiplexed into a single channel.
Used in GSM
Code Division Multiple Access (CDMA)
All users share the same frequency all the time!
To pick out the signal of specific user, this signal is modulated with a unique code sequence.
Generation #2.5 – packet-switching
Connection to the internet is paid by packets and not by connection time.
Connection to internet is cheaper and faster [up to 56KBps]
The service name is GPRS – General Packet Radio Services
Generation Gap (3/3)
Generation #3
Permanent web connection at 2Mbps
Internet, phone and media: 3 in 1
The standard based on GSM is called UMTS.
The EDGE standard is the development of GSM towards 3G.
World First 3G + DVB-H Commercial Development
GSM (1/3)
More than 800 million end users in 190 countries and representing over 70% of today's digital wireless market.
source: GSM Association
Mobile phone is identified by SIM card.
Key feature of the GSM
Has the “secret” for authentication
GSM comes in three flavors(frequency bands): 900, 1800, 1900 MHz. 900 is the Orange flavour in Israel.
Voice is digitized using Full-Rate coding.
20 ms sample => 260 bits, 13 Kbps bitrate
GSM uses TDMA and FDMA to let everybody talk.
FDMA: 25MHz freq. is divided into 124 carrier frequencies. Each base station gets few of those.
TDMA: Each carrier frequency is divided into bursts [0.577 ms]. 8 bursts are a frame.
GSM (2/3)
BTS – houses the radio transceivers of the cell and handles the radio-link protocols with the mobile
BSC – manages radio resources (channel setup, handover) for one or more BTSs
HLR – database of all users + current location. One per network
VLR – database of users + roamers in some geographic area. Caches the HLR
EIR – database of valid equipment
AuC – Database of users’ secret keys
GSM (3/3)
The physical channel in GSM is the timeslot.
The logical channel is the information which goes through the physical ch.
Both user data and signaling are logical channels.
User data is carried on the traffic channel (TCH) , which is defined as 26 TDMA frames.
There are lots of control channels for signaling, base station to mobile, mobile to base station (“aloha” to request network access)
SS7: Signaling protocol for networks
Packet – switching [like IP]
GSM uses SS7 for communication between HLR and VLR (allowing roaming) and other advanced capabilities.
GSM’s protocol which sits on top of SS7 is MAP – mobile application part
Evolution of Mobile Security
Mobile phone is rapidly evolving into drastically more than a wireless phone - it is transforming into a “Ubiquitous Device (UD) with Multi-Mode Capabilities”.
We are going to look at the following mobile security topics:
GSM Security
WAP Security
3GPP Security
This will allow for a large variety of new services and applications - including
Mobile Commerce Applications
Mobile Games, Voting
Mobile Location Based Services
Mobile TV Services – Data Interactive
The Security Architecture for future terminals and applications focuses on several requirements and analyses whether these requirements can be fulfilled with PKIs and/or PK applications.
GSM Security (1/26)
The GSM standard includes a number of features designed to secure the radio access
Subscriber identity confidentiality
Subscriber identity authentication
Confidentiality of user traffic and signalling
Mobile equipment identity checking
Cryptographic authentication of subscriber to network
Stream ciphering of user traffic and user-related control data on the air interface
Use of SIM as security module for key distribution, authentication and cipher key generation
GSM Security (2/26)
Operators
Bills right people
Avoid fraud
Protect Services
Customers
Privacy
Anonymity
Confidentiality and Anonymity on the radio path
Strong client authentication to protect the operator against billing fraud
Prevention of operators from compromising each other’s security
Inadvertently
Competition pressure
GSM Security (3/26)
The security mechanism
MUST NOT
Add significant overhead on call set up
Increase bandwidth of the channel
Increase error rate
Add expensive complexity to the system
MUST
Cost effective scheme
Define security procedures
Generation and distribution of keys
Exchange information between operators
Confidentiality of algorithms
Key management is independent of equipment: Subscribers can change handsets without compromising security
Subscriber identity protection: not easy to identify the user of the system by intercepting user data
Detection of compromised equipment: Detection mechanism whether a mobile device was compromised or not
Subscriber authentication: The operator knows for billing purposes who is using the system
Signaling and user data protection: Signaling and data channels are protected over the radio path
GSM Security (4/26)
Mobile Station
Mobile Equipment (ME): Physical mobile device
Identifiers
IMEI – International Mobile Equipment Identity
Subscriber Identity Module (SIM): Smart Card containing keys, identifiers and algorithms
Identifiers
Ki – Subscriber Authentication Key
IMSI – International Mobile Subscriber Identity
TMSI – Temporary Mobile Subscriber Identity
MSISDN – Mobile Station International Service Digital Network
PIN – Personal Identity Number protecting a SIM
LAI – location area identity
GSM Security (5/26)
Ki – Subscriber Authentication Key
Shared 128 bit key used for authentication of subscriber by the operator
Key Storage
Subscriber’s SIM (owned by operator, i.e. trusted)
Operator’s Home Location Register (HLR) of the subscriber’s home network
SIM can be used with different equipment
TMSI – Temporary Mobile Subscriber Identity
Goals
TMSI is used instead of IMSI as a temporary subscriber identifier
TMSI prevents an eavesdropper from identifying the subscriber
Usage
TMSI is assigned when IMSI is transmitted to AuC on the first phone switch on
Every time a location update (new MSC) occurs, the network assigns a new TMSI
TMSI is used by the MS to report to the network or during a call initialization
Network uses TMSI to communicate with MS
On MS switch off TMSI is stored on SIM card to be reused next time
The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI
GSM Security (6/26)
International Mobile Equipment Identifier (IMEI)
Identifier allowing to identify mobiles
IMEI is independent of SIM
Used to identify stolen or compromised equipment
Equipment Identity Register (EIR)
Black list – stolen or non-type mobiles
White list - valid mobiles
Gray list – local tracking mobiles
Central Equipment Identity Register (CEIR)
Approved mobile type (type approval authorities)
Consolidated black list (posted by operators)
Authentication Goals
Subscriber (SIM holder) authentication
Protection of the network against unauthorized use
Create a session key
Authentication Scheme
Subscriber identification: IMSI or TMSI
Challenge-Response authentication of the subscriber by the operator
GSM Security (7/26) - Authentication
Ki = Subscriber authentication key (128 bit)
RAND = Authentication challenge (128 bit)
(X)RES = (Expected) authentication response (32 bit)
Kc = Cipher key (64 bit)
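[Figure: message flow between SIM, MSC/VLR and HLR/AuC]
MSC/VLR → HLR/AuC: Authentication Data Request
HLR/AuC: XRES = A3(Ki, RAND), Kc = A8(Ki, RAND)
HLR/AuC → MSC/VLR: {RAND, XRES, Kc}
MSC/VLR → SIM: RAND
SIM: RES = A3(Ki, RAND), Kc = A8(Ki, RAND)
SIM → MSC/VLR: RES
MSC/VLR: RES = XRES?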
GSM Security (8/26) - Encryption
[Figure: on the subscriber side (SIM, ME) and on the network side (MSC/VLR, HLR/AuC), A3 and A8 each take Ki and the challenge RAND; A3 outputs the signed response (SRES) and A8 outputs Kc; A5 takes Kc and the frame number Fn and encrypts the data mi. Authentication: are SRES values equal?]
AuC – Authentication Center
Provides parameters for authentication and encryption functions (RAND, SRES, Kc)
HLR – Home Location Register
Provides MSC (Mobile Switching Center) with triples (RAND, SRES, Kc)
Handles MS location
VLR – Visitor Location Register
Stores generated triples by the HLR when a subscriber is not in his home network
One operator doesn’t have access to subscriber keys of another operator.
GSM Security (9/26)
A3 Authentication Algorithm
Generation of SRES response to MSC’s random challenge RAND
[Figure: A3 takes RAND (128 bit) and Ki (128 bit) as inputs and outputs SRES (32 bit)]
GSM Security (10/26)
A8 Voice Privacy Key Generation Algorithm
Generation of session key Ks
A8 specification was never made public
Both A3 and A8 algorithms are implemented on the SIM
Operator can decide, which algorithm to use.
Algorithms implementation is independent of hardware manufacturers and network operators.
[Figure: A8 takes RAND (128 bit) and Ki (128 bit) as inputs and outputs Kc (64 bit)]
GSM Security (11/26)
COMP128 is used for both A3 and A8 in most GSM networks.
COMP128 is a keyed hash function
COMP128
RAND (128 bit)
Ki (128 bit)
128 bit output
SRES 32 bit and Kc 54 bit
GSM Security (12/26)
A5 is a stream cipher (Encryption Algorithm)
Implemented very efficiently on hardware
Design was never made public
Leaked to Ross Anderson and Bruce Schneier
Variants
A5/1 – the strong version
A5/2 – the weak version
A5/3
GSM Association Security Group and 3GPP design
Based on Kasumi algorithm used in 3G mobile systems
GSM Security (13/26)
[Figure: on both the Mobile Station and the BTS, A5 takes Kc (64 bit) and Fn (22 bit) and outputs 114 bits of keystream. The Mobile Station XORs the keystream with Data (114 bit) to produce Ciphertext (114 bit); the BTS XORs the ciphertext with the same keystream to recover Data (114 bit)]
Real A5 output is 228 bit for both directions
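
Added example (not part of the original slides): the chain from slides 7/26, 8/26 and 13/26 in one runnable piece, from triplet generation in the AuC through the SRES comparison in the MSC/VLR to per-frame burst encryption under Kc and Fn. Assumptions: truncated HMAC-SHA256 and SHAKE-128 are stand-ins for A3/A8 and A5 (they are not COMP128 or the real A5), and the IMSI and Ki are constructed sample values.

```python
import hashlib
import hmac
import os

BURST_BITS = 114                      # payload bits per burst and direction
BURST_MASK = (1 << BURST_BITS) - 1

def prf(key, label, data, nbytes):
    """Stand-in keyed function (truncated HMAC-SHA256); NOT COMP128."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:nbytes]

def a3(ki, rand):
    return prf(ki, b"A3", rand, 4)    # SRES, 32 bit

def a8(ki, rand):
    return prf(ki, b"A8", rand, 8)    # Kc, 64 bit

def a5_keystream(kc, fn):
    """Stand-in for A5: 228 keystream bits from Kc and the 22-bit frame
    number Fn, returned as (downlink, uplink) 114-bit integers."""
    if not 0 <= fn < (1 << 22):
        raise ValueError("Fn must fit in 22 bits")
    raw = hashlib.shake_128(kc + fn.to_bytes(3, "big")).digest(29)  # 232 bits
    bits = int.from_bytes(raw, "big") >> 4                          # keep 228
    return bits >> BURST_BITS, bits & BURST_MASK

def a5_xor(kc, fn, burst, uplink):
    """Encrypt or decrypt one 114-bit burst by XOR with the keystream block."""
    down, up = a5_keystream(kc, fn)
    return (burst & BURST_MASK) ^ (up if uplink else down)

class AuC:
    """Home network: the only place besides the SIM that stores Ki."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki

    def triplet(self, imsi, rand=None):
        rand = os.urandom(16) if rand is None else rand
        ki = self._ki[imsi]
        return rand, a3(ki, rand), a8(ki, rand)        # (RAND, XRES, Kc)

class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)  # (SRES, Kc)

def vlr_authenticate(triplet, sim):
    """MSC/VLR: sends RAND and compares SRES with XRES; it never handles Ki.
    Returns (authenticated, Kc held by the network, Kc derived on the SIM)."""
    rand, xres, kc = triplet
    sres, kc_sim = sim.run_gsm_algorithm(rand)
    ok = hmac.compare_digest(sres, xres)
    return ok, (kc if ok else None), kc_sim

# Constructed sample values (not real subscriber data).
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    auc = AuC()
    auc.provision(IMSI, KI)
    ok, kc_net, kc_ms = vlr_authenticate(auc.triplet(IMSI), SIM(IMSI, KI))
    burst = int.from_bytes(b"constructed", "big") & BURST_MASK
    ct = a5_xor(kc_ms, 0x1234, burst, uplink=True)               # mobile encrypts
    print(ok, a5_xor(kc_net, 0x1234, ct, uplink=True) == burst)  # BTS decrypts
```

Only the SIM proves anything in this exchange: the network sends a bare RAND and never authenticates itself, which is the gap the 3G AKA slides later close.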
GSM Security (14/26)
[Figure: GSM network architecture. Mobile Stations; Base Station Subsystem (BTS, BSC); Exchange System (MSC, VLR); Network Management (OMC); Subscriber and terminal equipment databases (HLR, EIR, AUC). Label: A5 Encryption]
GSM Security (15/26)
Subscriber Identification Module (SIM)
Smart Card – a single chip computer containing OS, File System, Applications
Protected by PIN
Owned by operator (i.e. trusted)
SIM applications can be written with SIM Toolkit
GSM Security (16/26) - Smart Card Anatomy
GSM Security (17/26) - Microprocessor Cards
Typical specification
8 bit CPU
16 K ROM
256 bytes RAM
4K EEPROM
Cost: $5-50
Smart Card Technology
Based on ISO 7816 defining
Card size, contact layout, electrical characteristics
I/O Protocols: byte/block based
File Structure
GSM Security (18/26) - Attacks
SIM Attacks
Radio-link interception attacks
Operator network attacks
GSM does not protect an operator’s network
1991
First GSM implementation.
April 1998
The Smartcard Developer Association (SDA) together with U.C. Berkeley researchers cracked the COMP128 algorithm stored in SIM and succeeded in extracting Ki within several hours. They discovered that Kc uses only 54 bits.
August 1999
The weak A5/2 was cracked using a single PC within seconds.
December 1999
Alex Biryukov, Adi Shamir and David Wagner published a scheme breaking the strong A5/1 algorithm. Given two minutes of intercepted call, the attack time was only 1 second.
May 2002
The IBM Research group discovered a new way to quickly extract the COMP128 keys using side channels.
GSM Security (19/26) - COMP128
Pseudo-code of the compression in COMP128 algorithm
X[0..15] = Ki; X[16..31] = RAND;
Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]
GSM Security (20/26) - Traditional Cryptographic Assumptions
[Figure: Traditional Cryptographic Attacks. The Smart Card is treated as a black box: Input, Crypto Processing on Sensitive Information, Output]
GSM Security (21/26) - Actual Information Available
Side Channels
Power Consumption
Electromagnetic radiation
Timing
Errors
Etc.
[Figure: Side Channel Attacks. Smart Card: Input, Crypto Processing on Sensitive Information, Output, together with the side channels listed above]
GSM Security (22/26) - Simple Power DES Analysis
[Figure: SPA of DES operation performed by a typical Smart Card]
Above: initial permutation, 16 DES rounds, final permutation
Below: detailed view of the second and third rounds
GSM Security (23/26) - Partitioning Attack on COMP128
Attack Goal
Ki stored on SIM card
Knowing Ki it’s possible to clone SIM
Cardinal Principle
Relevant bits of all intermediate cycles and their values should be statistically independent of the inputs, outputs, and sensitive information.
Attack Idea
Find a violation of the Cardinal Principle, i.e. side channels whose signals do depend on inputs, outputs and sensitive information
Try to exploit the statistical dependency in the signals to extract sensitive information
How to implement 512 element T0 table on 8 bit Smart Card (i.e. index is 0..255)?
Split 512 element table into two 256 element tables
It’s possible to detect access of different tables via side channels!
Power Consumption
Electromagnetic radiation
GSM Security (24/26) - Partitioning Attack on COMP128
Pseudo-code of the compression in COMP128 algorithm
X[0..15] = Ki; X[16..31] = RAND;
Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]
GSM Security (25/26) - Partitioning Attack on COMP128
[Figure: array X with index marks 0, 15, 16, 32]
Before: K[0] K[1] … K[15] | R[0] … R[15]
After: T0[y] K[1] … K[15] | T0[z] … R[15]
y = K[0] + 2R[0]
z = 2K[0] + R[0]
Values of y and z depend on the first bytes of K and R
It’s possible to detect via side channels whether values of y and z are within [0..255] or [256..511].
GSM Security (26/26) - Partitioning Attack on COMP128
All we need is…
A) Find R[0] such that
K[0] + 2R[0] (mod 512) < 256
K[0] + 2(R[0]+1) (mod 512) >= 256
(There are only two options)
B) Find R’[0] such that
2K[0] + R’[0] (mod 512) < 256
2K[0] + R’[0] + 1 (mod 512) >= 256
C) One of the K[0] values from A) will match B)
The key byte is always uniquely determined from partitioning information.
Computation of the other bytes of K is similar.
GSM Security Limitations
Developed in early 80’s – when export laws were harsh
64 bit cipher key, Kc
Stream cipher, A5/1
“Broken”, but Shamir-Biryukov-Wagner attack requires 2s of exact plaintext
Attack requires control of the channel being attacked
A5/3 is proposed
Designed to provide access security
Ciphering only extends as far as the base station
Did not address active attacks where network elements are impersonated
“False base station” attack possible
GSM Security (Modify and) Retain
Subscriber authentication
Radio access network encryption
Key length extended to 128 bits, open design of new algorithm, encryption terminated further back in network
Subscriber identity confidentiality
Continue to use a smart card as a security module (UMTS SIM, “USIM”)
WAP Security (1/5)
WAP is “an open, global specification and empowers mobile users with wireless devices to easily access and interact with information and services instantly.”
WAP-enabled phones can access interactive services such as information, location based services, corporate information and interactive entertainment.
WAP is targeted at various types of handheld devices, including Pocket PCs and Bluetooth enabled mobile phones
WAP 1.x security is provided by the WTLS protocol, which is based on TLS/SSL. However, sensitive information can be translated into cleartext, so the operator may read sensitive information at the WAP gateway.
WAP 2.0 uses TLS instead of WTLS due to requiring end-to-end security with all-IP based technology in order to overcome the WAP gateway security breaches.
WAP 2.0 overcomes this problem by using TLS tunnelling to support end-to-end security.
WAP Security (2/5) – WAP 1.x Architecture
WAP Security (3/5) – WAP 2.0 Architecture
WAP Security (4/5) – Web & WAP 1.x Session Security
[Figure: two session paths. Web: client to Web Server over Secure Sockets Layer (SSL) & Transport Layer Security (TLS), providing Authentication, Integrity, Confidentiality. WAP: client to WAP Gateway/Server over Wireless TLS (WTLS), providing Authentication, Integrity, Confidentiality, then WAP Gateway/Server to Web Server over SSL/TLS]
WAP Security (5/5) – Web & WAP 2.0 Session Security
[Figure: two session paths. Web: client to Web Server over Secure Sockets Layer (SSL) & Transport Layer Security (TLS), providing Authentication, Integrity, Confidentiality. WAP: client through the WAP Proxy to the Web Server over SSL/TLS, providing Authentication, Integrity, Confidentiality]
3G Architecture
Evolution from existing European and US digital cellular systems (W-CDMA, CDMA2000, UMTS)
Promises broadband multimedia on everyone’s handset and a multitude of related services.
Spectrum up for auctions in many countries, put many operators in financial debt.
Delays in 3G rollouts cast doubt over its success. Some talk about jumping to 4G directly.
3G Security (1/8) – New Security Features
Network Authentication: The user can identify the network
Explicit Integrity: Data integrity is assured explicitly by use of integrity algorithms
Also stronger confidentiality algorithms with longer keys
Network Security: Mechanisms to support security within and between networks
Switch Based Security: Security is based within the switch rather than the base station
IMEI Integrity: Integrity mechanisms for IMEI provided from the start
Secure Services: Protect against misuse of services provided by SN and HE
Secure Applications: Provide security for applications resident on USIM
Fraud Detection: Mechanisms to combat fraud in roaming situations
3G Security (2/8) – New Security Features
Fraud Detection
Mechanisms to combat fraud in roaming situations
Flexibility
Security features can be extended and enhanced as required by new threats and services
Visibility and Configurability
Users are notified whether security is on and what level of security is available
Users can configure security features for individual services
Compatibility
Standardized security features to ensure world-wide interoperability and roaming
At least one encryption algorithm exported on world-wide basis
Lawful Interception
Mechanisms to provide authorized agencies with certain information about subscribers
3G Security (3/8) – User Confidentiality
Permanent user identity IMSI, user location, and user services cannot be determined by eavesdropping
Achieved by use of temporary identity (TMSI) which is assigned by VLR
IMSI is sent in cleartext when establishing TMSI
[Figure: message flow between USIM and VLR: IMSI request, IMSI, TMSI allocation, TMSI acknowledgement]
3G Security (4/8) – Authentication
K = Subscriber authentication key (128 bit)
RAND = User authentication challenge (128 bit)
(X)RES = f2K (RAND) = (Expected) user response (32-128 bit)
CK = f3K (RAND) = Cipher key (128 bit)
IK = f4K (RAND) = Integrity key (128 bit)
AK = f5K (RAND) = Anonymity key (48 bit)
SQN = Sequence number (48 bit)
AMF = Authentication management field (16 bit)
[Figure: message flow between USIM, MSC/VLR and HLR/AuC]
MSC/VLR → HLR/AuC: Authentication Data Request
HLR/AuC: from Ki, RAND, SQN and AMF, compute XRES, CK, IK, AK, MAC using f1-f5
HLR/AuC → MSC/VLR: {RAND, XRES, CK, IK, SQN⊕AK||AMF||MAC}
MSC/VLR → USIM: RAND, SQN⊕AK||AMF||MAC
USIM: Verify MAC using f1; Decrypt SQN using f5; Check SQN freshness
USIM: from Ki and RAND, compute RES, CK, IK using f2-f4
USIM → MSC/VLR: RES
MSC/VLR: RES = XRES?
3G Security (5/8) – Authentication
Generation of authentication data at HLR:
Generate SQN
Generate RAND
[Figure: f1 takes K, SQN, RAND and AMF and outputs MAC; f2, f3, f4 and f5 take K and RAND and output XRES, CK, IK and AK]
AUTN := SQN ⊕ AK || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN
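3G Security (6/8) – Authentication
Generation of authentication data in USIM:
[Figure: the USIM receives RAND and AUTN = SQN ⊕ AK || AMF || MAC. f5 takes K and RAND and outputs AK, which is XORed with SQN ⊕ AK to recover SQN; f1 takes K, SQN, RAND and AMF and outputs XMAC; f2, f3 and f4 take K and RAND and output RES, CK and IK]
Verify MAC = XMAC
Verify that SQN is in the correct range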
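
Added example (not part of the original slides): the AKA steps from slides 4/8 to 6/8, with the HLR building a quintet and the USIM verifying AUTN before it releases RES, CK and IK. Assumptions: truncated HMAC-SHA256 stands in for the operator's f1-f5, the 64-bit MAC length is taken from 3GPP TS 33.102 rather than from the slides, and the "correct range" check is simplified to "strictly greater than the last accepted SQN".

```python
import hashlib
import hmac
import os

def f(n, k, data, nbytes):
    """Stand-in for f1..f5: truncated HMAC-SHA256 with a per-function label.
    The operator's real functions differ; only the data flow is modelled."""
    return hmac.new(k, b"f%d" % n + data, hashlib.sha256).digest()[:nbytes]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hlr_generate_av(k, sqn, amf, rand=None):
    """HLR/AuC: build one authentication vector (quintet)."""
    rand = os.urandom(16) if rand is None else rand
    sqn_b = sqn.to_bytes(6, "big")                 # SQN, 48 bit
    mac = f(1, k, sqn_b + rand + amf, 8)           # MAC, 64 bit (assumed length)
    xres = f(2, k, rand, 8)                        # XRES, 64 bit (within 32-128)
    ck, ik = f(3, k, rand, 16), f(4, k, rand, 16)  # CK and IK, 128 bit each
    ak = f(5, k, rand, 6)                          # AK, 48 bit
    autn = xor(sqn_b, ak) + amf + mac              # SQN xor AK || AMF || MAC
    return {"RAND": rand, "XRES": xres, "CK": ck, "IK": ik, "AUTN": autn}

class USIM:
    def __init__(self, k, sqn_ms=0):
        self.k = k
        self.sqn_ms = sqn_ms                       # highest SQN accepted so far

    def authenticate(self, rand, autn):
        """Return (status, RES, CK, IK); keys are released only on 'ok'."""
        fail = (None, None, None)
        if len(autn) != 16:
            return ("mac_failure",) + fail
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        ak = f(5, self.k, rand, 6)
        sqn_b = xor(conc_sqn, ak)                  # decrypt SQN using f5
        xmac = f(1, self.k, sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, xmac):     # verify MAC = XMAC
            return ("mac_failure",) + fail
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:                     # simplified freshness rule
            return ("sync_failure",) + fail
        self.sqn_ms = sqn
        return ("ok", f(2, self.k, rand, 8),
                f(3, self.k, rand, 16), f(4, self.k, rand, 16))

def vlr_check(av, res):
    """MSC/VLR: RES = XRES?"""
    return res is not None and hmac.compare_digest(res, av["XRES"])

if __name__ == "__main__":
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    amf = b"\x80\x00"                                      # constructed AMF
    usim = USIM(k)
    av = hlr_generate_av(k, sqn=1, amf=amf)
    status, res, ck, ik = usim.authenticate(av["RAND"], av["AUTN"])
    print(status, vlr_check(av, res))                      # genuine network
    print(usim.authenticate(av["RAND"], av["AUTN"])[0])    # replayed vector
    fake = hlr_generate_av(bytes(16), sqn=2, amf=amf)      # sender without K
    print(usim.authenticate(fake["RAND"], fake["AUTN"])[0])
```

The two rejected cases are what GSM's bare RAND challenge cannot detect: a replayed vector fails the SQN check, and a sender that does not hold K fails the MAC check.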
3G Security (7/8) – Data Integrity
Integrity of data and authentication of origin of signalling data must be provided
The user and network agree on integrity key and algorithm during AKA and security mode set-up
[Figure: the sender (UE or RNC) computes MAC-I with f9 from IK, COUNT-I, MESSAGE, DIRECTION and FRESH; the receiver (RNC or UE) computes XMAC-I with f9 from the same inputs]
3G Security (8/8) – Data Confidentiality
Signalling and user data should be protected from eavesdropping
The user and network agree on cipher key and algorithm during AKA and security mode set-up
[Figure: the sender (UE or RNC) and the receiver (RNC or UE) each run f8 on CK, COUNT-C, BEARER, DIRECTION and LENGTH to produce a KEYSTREAM BLOCK; the sender XORs it with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK, and the receiver XORs it with the CIPHERTEXT BLOCK to recover the PLAINTEXT BLOCK]
Problem with 3G Security
IMSI is sent in cleartext when allocating TMSI to the user
The transmission of IMEI is not protected; IMEI is not a security feature
A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of SN
Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set-up
3G vs. GSM
A change was made to defeat the false base station attack. The security mechanisms include a sequence number that ensures that the mobile can identify the network.
Key lengths were increased to allow for the possibility of stronger algorithms for encryption and integrity.
Mechanisms were included to support security within and between networks.
Security is based within the switch rather than the base station as in GSM. Therefore links are protected between the base station and switch.
Integrity mechanisms for the terminal identity (IMEI) have been designed in from the start, rather than introduced late as in GSM.
GSM authentication vector: temporary authentication data that enables a VLR/SGSN to engage in GSM AKA with a particular user. A triplet consists of three elements: a) a network challenge RAND, b) an expected user response SRES and c) a cipher key Kc.
UMTS authentication vector: temporary authentication data that enables a VLR/SGSN to engage in UMTS AKA with a particular user. A quintet consists of five elements: a) a network challenge RAND, b) an expected user response XRES, c) a cipher key CK, d) an integrity key IK and e) a network authentication token AUTN.