Vishal Sevani (07405010) Om Pal (07405702) Sudhir Rana (05005002) GSM Security Architecture Home network Switching and routing Other Networks (GSM, fixed, Internet, etc.) Visited network HLR/AuC VLR SIM GSM Security Features Authentication network operator can verify the identity of the subscriber making it infeasible to clone someone elses mobile phone Confidentiality protects voice, data and sensitive signalling information (e.g. dialled digits) against eavesdropping on the radio path Anonymity protects against someone tracking the location of the user or identifying calls made to or from the user by eavesdropping on the radio path GSM Authentication Protocol MSC or SGSN HLR/AuC SIM RAND RES {RAND, XRES, Kc} Authentication Data Request A3 A8 Ki RAND Kc Kc RES A3 A8 Ki RAND XRES RES = XRES? Encryption in GSM
GSM Encryption Principles
Data on the radio path is encrypted between the Mobile Equipment (ME) and the Base Transceiver Station (BTS) protects user traffic and sensitive signalling data against eavesdropping extends the influence of authentication to the entire duration of the call Uses the encryption key (Kc) derived during authentication GSM User Identity Confidentiality User identity confidentiality on the radio access link temporary identities (TMSIs) are allocated and used instead of permanent identities (IMSIs) Helps protect against: tracking a users location obtaining information about a users calling pattern
IMSI: International Mobile Subscriber Identity TMSI: Temporary Mobile Subscriber Identity Specific GSM Security Problems The GSM cipher A5/2 A5/2 is now so weak that the cipher key can be discovered in near real time using a very small amount of known plaintext Aim find the initial internal state of the registers. Each frame in - 4.615 ms So 2^8 frames in a sec. After finding the initial state go backward and can generate Kc False Base Station Attack(1)
Compromises User Identity Confidentiality Force MS to send IMSI Cipher mode fault False Base Station Attack(2)
Active attack IDENTITY REQUEST Compromises User Data Confidentiality Source: LiTH-ISY-EX-3559-2004 Accessing Signaling network No requirement of decrypting skills Need a instrument that captures microwave Gains control of communication between MS and intended receiver
UMTS Security Mechanisms Limitations of GSM Security
Design only provides access security - communications and signalling in the fixed network portion arent protected Design does not address active attacks, whereby network elements may be impersonated Design goal was only ever to be as secure as the fixed networks to which GSM systems connect Short key size of Kc (64 bits) makes it more vulnerable to various attacks Enhancements in UMTS vs GSM Mutual Authentication provides enhanced protection against false base station attacks by allowing the mobile to authenticate the network Data Integrity provides enhanced protection against false base station attacks by allowing the mobile to check the authenticity of certain signalling messages Network to Network Security Secure communication between serving networks. MAPSEC or IPsec can be used UMTS Enhancements (contd) Wider Security Scope Security is based within the RNC rather than the base station Flexibility Security features can be extended and enhanced as required by new threats and services Longer Key Length Key length is 128 as against 64 bits in GSM HLR AuC Access Network (UTRAN) Visited Network User Equipment D RNC BTS USIM ME SGSN H MSC Home Network (2) Authentication (1) Distribution of authentication vectors UMTS Radio Access Link Security (4) Protection of the access link (ME-RNC) (3) CK,IK (3) CK, IK MSC circuit switched services SGSN packet switched services Authentication and Key Agreement
Mutual Authentication between user and the network
Establishes a cipher key and integrity key
Assures user that cipher/integrity keys were not used before, thereby providing protection against replay attacks
Authentication and Key Agreement
Authentication and Key Agreement UMTS Integrity Protection Principles Protection of some radio interface signalling protects against unauthorised modification, insertion and replay of messages applies to security mode establishment and other critical signalling procedures Helps extend the influence of authentication when encryption is not applied Uses the 128-bit integrity key (IK) derived during authentication Integrity applied at the Radio Resource Control (RRC) layer of the UMTS radio protocol stack signalling traffic only
Integrity and authentication of origin of signalling data provided. The integrity algorithm (KASUMI) uses 128 bit key and generates 64 bit message authentication code. Integrity Check
UMTS Encryption Principles Data on the radio path is encrypted between the Mobile Equipment (ME) and the Radio Network Controller (RNC) protects user traffic and sensitive signalling data against eavesdropping extends the influence of authentication to the entire duration of the call Uses the 128-bit encryption key (CK) derived during authentication Encryption Signaling and user data protected from eavesdropping. Secret key, block cipher algorithm (KASUMI) uses 128 bit cipher key.
Protection Against Active Attacks False Base Station Attack(1)
Compromises User Identity Confidentiality
Reason No provision to ascertain the origin of information ie. lack of integrity check
False Base Station Attack(2)
Exploits user data confidentiality
Reason No provision to ascertain the origin of information ie. lack of integrity check Source: LiTH-ISY-EX-3559-2004 False Base Station Attack Solution Use of Integrity Check After AKA SRNC sends integrity protected message containing security capabilities of the ME, which the mobile verifies to ensure there is no foul play Lack of Network Domain Security No security for communication between network elements in GSM Easy to gain access to sensitive information such as Kc Network Domain Security in UMTS foils these attacks Summary of UMTS Security
UMTS builds upon security mechanisms of GSM, and in addition provides following enhancements,
Encryption terminates at the radio network controller Mutual authentication and integrity protection of critical signalling procedures to give greater protection against false base station attacks Longer key lengths (128-bit) Network Domain Security using MAPSEC or IPSec References UMTS security, Boman, K. Horn, G. Howard, P. Niemi, V. Electronics & Communication Engineering Journal, Oct 2002, Volume: 14, Issue:5, pp. 191- 204 "Evaluation of UMTS security architecture and services, A. Bais, W. Penzhorn, P. Palensky, Proceedings of the 4th IEEE International Conference on Industrial Informatics, p. 6, Singapore, 2006 UMTS Security, Valtteri Niemi, Kaisa Nyberg, published by John Wiley and Sons, 2003 GSM-Security: a Survey and Evaluation of the Current Situation, Paul Yousef, Masters thesis, Linkoping Institute of Technology, March 2004 GSM: Security, Services, and the SIM Klaus Vedder, LNCS 1528, pp. 224-240, Springer-Verlag 1998 Instant ciphertext-only cryptanalysis of GSM encrypted communication, Elad Barkan, Eli Biham, Nathan Keller, Advances in Cryptology CRYPTO 2003
Cellular Principles History Technical Details System Architecture GSM Specifications Channels and Sharing of Data Cdma Advantages of GSM Applications GSM Services Security Future Acknowledgement