
GSM and UMTS Security

Vishal Prajapati (08305030)
Vishal Sevani (07405010)
Om Pal (07405702)
Sudhir Rana (05005002)
GSM Security Architecture
(figure: the SIM attaches to a visited network holding a VLR; switching and routing connect the visited network to the home network, which holds the HLR/AuC, and to other networks such as GSM, fixed and Internet)
GSM Security Features
- Authentication: the network operator can verify the identity of the subscriber, making it infeasible to clone someone else's mobile phone
- Confidentiality: protects voice, data and sensitive signalling information (e.g. dialled digits) against eavesdropping on the radio path
- Anonymity: protects against someone tracking the location of the user or identifying calls made to or from the user by eavesdropping on the radio path
GSM Authentication Protocol
(figure: the MSC or SGSN sends an Authentication Data Request to the HLR/AuC; the AuC runs A3 and A8 on Ki and RAND and returns the triplet {RAND, XRES, Kc}; the MSC/SGSN sends RAND to the SIM; the SIM runs A3 and A8 on Ki and RAND, keeps Kc and returns RES; the MSC/SGSN checks RES = XRES?)
Encryption in GSM

GSM Encryption Principles
- Data on the radio path is encrypted between the Mobile Equipment (ME) and the Base Transceiver Station (BTS)
  - protects user traffic and sensitive signalling data against eavesdropping
  - extends the influence of authentication to the entire duration of the call
- Uses the encryption key (Kc) derived during authentication
GSM User Identity Confidentiality
- User identity confidentiality on the radio access link: temporary identities (TMSIs) are allocated and used instead of permanent identities (IMSIs)
- Helps protect against:
  - tracking a user's location
  - obtaining information about a user's calling pattern

IMSI: International Mobile Subscriber Identity
TMSI: Temporary Mobile Subscriber Identity
Specific GSM Security Problems
The GSM cipher A5/2
- A5/2 is now so weak that the cipher key can be discovered in near real time using a very small amount of known plaintext
- Aim: find the initial internal state of the registers
- Each frame lasts 4.615 ms, so roughly 2^8 frames per second
- Once the initial state is found, the key setup can be run backwards to recover Kc
False Base Station Attack (1)
- Compromises user identity confidentiality
- Forces the MS to send its IMSI
- Cipher mode fault

False Base Station Attack (2)
- Active attack
- IDENTITY REQUEST
- Compromises user data confidentiality
Source: LiTH-ISY-EX-3559-2004

Accessing the Signalling Network
- No decryption skills required
- Needs an instrument that captures the microwave link
- Gains control of the communication between the MS and the intended receiver

UMTS Security Mechanisms

Limitations of GSM Security
- The design only provides access security: communications and signalling in the fixed network portion aren't protected
- The design does not address active attacks, whereby network elements may be impersonated
- The design goal was only ever to be as secure as the fixed networks to which GSM systems connect
- The short key size of Kc (64 bits) makes it more vulnerable to various attacks
Enhancements in UMTS vs GSM
- Mutual Authentication: provides enhanced protection against false base station attacks by allowing the mobile to authenticate the network
- Data Integrity: provides enhanced protection against false base station attacks by allowing the mobile to check the authenticity of certain signalling messages
- Network to Network Security: secure communication between serving networks; MAPSEC or IPsec can be used

UMTS Enhancements (cont'd)
- Wider Security Scope: security is based within the RNC rather than the base station
- Flexibility: security features can be extended and enhanced as required by new threats and services
- Longer Key Length: the key length is 128 bits, against 64 bits in GSM
UMTS Radio Access Link Security
(figure: the User Equipment (USIM and ME) connects over the Access Network (UTRAN: BTS and RNC) to the Visited Network (MSC for circuit switched services, SGSN for packet switched services), which connects to the Home Network (HLR/AuC). Steps: (1) distribution of authentication vectors from the home network to the visited network; (2) authentication between the USIM and the visited network; (3) CK, IK passed from the USIM to the ME and from the MSC/SGSN to the RNC; (4) protection of the access link (ME-RNC))
Authentication and Key Agreement
- Mutual authentication between the user and the network
- Establishes a cipher key and an integrity key
- Assures the user that the cipher/integrity keys were not used before, thereby providing protection against replay attacks
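The GSM challenge-response shown in the earlier diagram and the UMTS AKA exchange above, as an added Python simulation (not code from the slides, nor the 3GPP algorithms): both sides are modelled, with the HLR/AuC producing an authentication vector and the USIM checking the network's MAC and sequence number before it answers, while the serving network only checks RES against XRES as GSM does. The f1..f5 functions are assumed to be keyed HMACs standing in for MILENAGE, and the vector layout is constructed.

```python
import hmac, hashlib, secrets

def f(k, tag, *parts, n=8):
    # Toy stand-in for the operator-specific f1..f5 (MILENAGE in practice):
    # a keyed HMAC with a per-function tag, truncated to n bytes. Constructed.
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class HomeNetwork:
    """HLR/AuC: shares the long-term key K with the USIM and keeps the SQN counter."""
    def __init__(self, K):
        self.K, self.sqn = K, 0
    def authentication_vector(self):
        self.sqn += 1                                  # fresh SQN => fresh CK/IK
        sqn, rand = self.sqn.to_bytes(6, "big"), secrets.token_bytes(16)
        mac = f(self.K, b"f1", sqn, rand)              # lets the USIM authenticate the network
        xres, ak = f(self.K, b"f2", rand), f(self.K, b"f5", rand, n=6)
        ck, ik = f(self.K, b"f3", rand, n=16), f(self.K, b"f4", rand, n=16)
        autn = xor(sqn, ak) + mac                      # AUTN = (SQN xor AK) || MAC
        return rand, xres, ck, ik, autn

class USIM:
    def __init__(self, K):
        self.K, self.sqn_max = K, 0
    def respond(self, rand, autn):
        sqn = xor(autn[:6], f(self.K, b"f5", rand, n=6))
        if not hmac.compare_digest(autn[6:], f(self.K, b"f1", sqn, rand)):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.sqn_max:
            raise ValueError("synchronisation failure: vector already used")
        self.sqn_max = int.from_bytes(sqn, "big")
        return (f(self.K, b"f2", rand),                # RES
                f(self.K, b"f3", rand, n=16),          # CK
                f(self.K, b"f4", rand, n=16))          # IK

def serving_network_challenge(usim, av):
    """VLR/SGSN side: send RAND||AUTN, compare RES with XRES, adopt CK and IK."""
    rand, xres, ck, ik, autn = av
    try:
        res, ck_u, ik_u = usim.respond(rand, autn)
    except ValueError as e:
        return str(e).split(":")[0]                    # what the USIM reported
    if not hmac.compare_digest(res, xres):
        return "user authentication failure"           # the only check GSM has
    return "ok" if (ck, ik) == (ck_u, ik_u) else "key mismatch"
```

A replayed vector is rejected by the SQN check and a forged AUTN by the MAC check; a GSM SIM has neither, which is why it cannot tell a false base station from the real network.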
UMTS Integrity Protection Principles
- Protection of some radio interface signalling
  - protects against unauthorised modification, insertion and replay of messages
  - applies to security mode establishment and other critical signalling procedures
- Helps extend the influence of authentication when encryption is not applied
- Uses the 128-bit integrity key (IK) derived during authentication
- Integrity is applied at the Radio Resource Control (RRC) layer of the UMTS radio protocol stack (signalling traffic only)

Integrity and authentication of origin of signalling data are provided. The integrity algorithm (KASUMI) uses a 128 bit key and generates a 64 bit message authentication code.
Integrity Check

UMTS Encryption Principles
- Data on the radio path is encrypted between the Mobile Equipment (ME) and the Radio Network Controller (RNC)
  - protects user traffic and sensitive signalling data against eavesdropping
  - extends the influence of authentication to the entire duration of the call
- Uses the 128-bit encryption key (CK) derived during authentication

Encryption
Signalling and user data are protected from eavesdropping. A secret-key block cipher algorithm (KASUMI) with a 128 bit cipher key is used.

Protection Against Active Attacks

False Base Station Attack (1)
- Compromises user identity confidentiality
- Reason: no provision to ascertain the origin of information, i.e. lack of an integrity check

False Base Station Attack (2)
- Compromises user data confidentiality
- Reason: no provision to ascertain the origin of information, i.e. lack of an integrity check
Source: LiTH-ISY-EX-3559-2004
False Base Station Attack Solution
- Use of an integrity check: after AKA, the SRNC sends an integrity protected message containing the security capabilities of the ME, which the mobile verifies to ensure there is no foul play
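The integrity-protected security mode command described above, as an added Python simulation (not material from the slides): the SRNC echoes the capabilities it received from the ME under a MAC-I computed with IK, and the ME rejects a replayed command, a command modified in transit, or one whose echoed capabilities differ from what it actually sent. The f9 function is assumed to be an HMAC stand-in for the KASUMI-based algorithm, and the message layout and capability names are constructed.

```python
import hmac, hashlib

def mac_i(ik, count_i, fresh, direction, message):
    # Toy stand-in for f9 (KASUMI-based in UMTS): keyed HMAC over COUNT-I, FRESH,
    # DIRECTION and the message, truncated to a short tag. Constructed.
    data = count_i.to_bytes(4, "big") + fresh + bytes([direction]) + message
    return hmac.new(ik, data, hashlib.sha256).digest()[:4]

def encode_caps(caps):
    # Constructed encoding of the ME security capabilities, e.g. b"UEA1,UIA1".
    return ",".join(sorted(caps)).encode()

class SRNC:
    def __init__(self, ik, fresh):
        self.ik, self.fresh, self.count = ik, fresh, 0
    def security_mode_command(self, caps_received, uea, uia):
        # Echo the capabilities exactly as received in the unprotected initial
        # message and integrity-protect the whole command with IK.
        msg = b"|".join([b"SMC", encode_caps(caps_received), uea.encode(), uia.encode()])
        self.count += 1
        return msg, self.count, mac_i(self.ik, self.count, self.fresh, 1, msg)

class ME:
    def __init__(self, ik, fresh, caps):
        self.ik, self.fresh, self.caps, self.count_seen = ik, fresh, caps, 0
    def verify_smc(self, msg, count, tag):
        if count <= self.count_seen:
            return "replay"                         # COUNT-I must increase
        if not hmac.compare_digest(tag, mac_i(self.ik, count, self.fresh, 1, msg)):
            return "integrity failure"              # modified in transit or sender has no IK
        _kind, echoed, _uea, _uia = msg.split(b"|")
        if echoed != encode_caps(self.caps):
            return "capability mismatch"            # initial message was altered on the way
        self.count_seen = count
        return "accept"
```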
Lack of Network Domain Security
- No security for communication between network elements in GSM
- Easy to gain access to sensitive information such as Kc
- Network Domain Security in UMTS foils these attacks
Summary of UMTS Security

UMTS builds upon the security mechanisms of GSM and in addition provides the following enhancements:
- Encryption terminates at the radio network controller
- Mutual authentication and integrity protection of critical signalling procedures, giving greater protection against false base station attacks
- Longer key lengths (128-bit)
- Network Domain Security using MAPSEC or IPsec
References
- UMTS security, K. Boman, G. Horn, P. Howard, V. Niemi, Electronics & Communication Engineering Journal, Oct 2002, Volume 14, Issue 5, pp. 191-204
- Evaluation of UMTS security architecture and services, A. Bais, W. Penzhorn, P. Palensky, Proceedings of the 4th IEEE International Conference on Industrial Informatics, p. 6, Singapore, 2006
- UMTS Security, Valtteri Niemi, Kaisa Nyberg, John Wiley and Sons, 2003
- GSM-Security: a Survey and Evaluation of the Current Situation, Paul Yousef, Master's thesis, Linköping Institute of Technology, March 2004
- GSM: Security, Services, and the SIM, Klaus Vedder, LNCS 1528, pp. 224-240, Springer-Verlag, 1998
- Instant ciphertext-only cryptanalysis of GSM encrypted communication, Elad Barkan, Eli Biham, Nathan Keller, Advances in Cryptology, CRYPTO 2003
