UMTS Security

UMTS security builds on the security of GSM, inheriting the proven GSM security features. This maximizes the compatibility between GSM and UMTS i.e. GSM subscribers roaming in a UMTS network are supported by GSM security features. UMTS also provides a solution to the weaknesses of GSM security and adds security features for new 3G radio access networks and services.

UMTS consists of five security feature groups:

1) Network Access Security (A in diagram below) provides users with secure access to UMTS services and protect against attacks on the radio access link. 2) Network Domain Security (B in diagram below) protects against attacks on the wireline network and allows nodes in the provider domain to exchange signaling data securely. 3) User Domain Security (C in diagram below) provides secure access to mobile stations. 4) Application Domain Security (D in diagram below) allows the secure exchange of messages between applications in the user and in the provider domain. 5) Visibility and configurability of security allows the user to observe whether a security feature is currently in operation and if certain services depend on this security feature

TE: Terminal Equipment USIM: User Service Identity Module SN: Serving Network HN: Home Network MT: Mobile Termination AN: Access Network

Unlike GSM, which has authentication of the user to the network only, UMTS uses mutual authentication which means the mobile user and the serving network authenticate each other, providing security against false base stations. This mutual authentication uses an authentication quintet which helps to ensure that a bill is issued to the correct person. The authentication quintet consists of the user challenge (RAND), expected user response (X(RES)), the encryption key (CK), the integrity key (IK) and the authentication token for network authentication (AUTN). Also UMTS provides a new data integrity mechanism which protects the messages being signaled between the mobile station and the radio network controller (RNC). The user and network negotiate and agree on cipher and integrity algorithms. Both the integrity mechanism and enhanced authentication combine to provide protection against active attacks on the radio interface.

Diagram courtesy of http:www.isrc.rhul.ac.uk/useca/OtherPublications/IIRoverview.pdf

K: Subscriber Authentication Key SQNms: Sequence number information at user SQNhe: Sequence number information at home system UE: User Equipments / SIM VLR: Visitor Location Register HLR/AuC: Home Location Register/ Authentication Centre

UMTS provides enhanced encryption which ensures that messages are not available to unauthorized users. With UMTS, encryption is completed in the radio network controller (RNC) rather than the base station, as is the case with GSM. The improved confidentiality has come about by using longer encryption key lengths, which (along with other UMTS security functions) are easier to upgrade than the GSM counterpart. Also, as GSMs ciphering keys were not secure, UMTS added a confidentiality algorithm.

UMTS also provides different security features for maintaining identity confidentiality.

1) User identity confidentiality is maintained by ensuring the permanent user identity (IMSI) of a user using the service cannot be eavesdropped on the radio link. 2) User location confidentiality means that one cannot determine whether the presence of a user by eavesdropping on the radio access link. 3) User untraceability ensures that it cannot be determined if different services are available to the same user by eavesdropping on the radio access link.

It is clear to see UMTS boasts many security advantages over GSM including a data integrity mechanism, enhanced authentication and encryption, identity confidentiality, a potential for secure roaming and greater facilities for upgrading. However UMTS also has security problems. For example everything that could happen to a fixed host attached to the internet could also happen to a UMTS terminal. Also if encryption is disabled hijacking calls is possible. And if the user is drawn to a false base station, he/she is beyond reach of the paging signals of the serving network. Finally when the user is registering for the first time in the serving network the permanent user identity (IMSI) is sent in cleartext. Conclusion

Even though it is clear that UMTS and 3G improves on GSM in many ways, including security, GSM will still remain a strong part of the world's phone network for a few years to come if only to provide a smooth transition to 3G.