
3G Security Principles

Build on GSM security
Correct problems with GSM security
Add new security features

Source: 3GPP

GSM Network Architecture

[Figure: GSM network architecture. MS - Um interface - BTS - A-bis interface - BSC - MSC - PSTN/ISDN, with the OMC for operations and maintenance and the mobility management databases VLR, HLR, AUC and EIR. Voice traffic is carried with circuit-switched technology.]

GSM Security Elements, 1

Key functions: privacy, integrity and confidentiality

Authentication
Protect from unauthorized service access
Based on the authentication algorithm A3(Ki, RAND) => SRES
Problems with inadequate algorithms

Encryption
Scramble bit streams to protect signaling and user data
Cipher key generation algorithm A8(Ki, RAND) => Kc
A5(Kc, Data) => Encrypted Data
Need stronger encryption

Confidentiality
Prevent intruder from identifying users by IMSI
Temporary MSI (TMSI)
Need more secure mechanism

GSM Security Elements, 2

SIM
A removable hardware security module
Manageable by network operators
Terminal independent

Secure Application Layer
Secure application layer channel between subscriber module and home network

Transparency
Security features operate without user assistance
Needs greater user visibility

Minimized Trust
Requires minimum trust between HE and SN

Problems with GSM Security, 1

Active Attacks
Impersonating network elements such as a false BTS is possible

Key Transmission
Cipher keys and authentication values are transmitted in clear within and between networks (IMSI, RAND, SRES, Kc)

Limited Encryption Scope
Encryption is terminated too soon, at the edge of the network at the BTS
Communications and signaling in the fixed network portion aren't protected
Designed to be only as secure as the fixed networks

Channel Hijack
Protection against radio channel hijack relies on encryption.
However, encryption is not used in some networks.

Problems with GSM Security, 2

Implicit Data Integrity
No integrity algorithm provided

Unilateral Authentication
Only user authentication to the network is provided.
No means to identify the network to the user.

Weak Encryption Algorithms
Key lengths are too short, while computation speed is increasing
Encryption algorithm COMP128 has been broken
Replacement of encryption algorithms is quite difficult

Unsecured Terminal
IMEI is an unsecured identity
Integrity mechanisms for IMEI were introduced late

Problems with GSM Security, 3

Lawful Interception & Fraud
Considered as afterthoughts

Lack of Visibility
No indication to the user that encryption is on
No explicit confirmation to the HE that authentication parameters are properly used in SN when subscribers roam

Inflexibility
Inadequate flexibility to upgrade and improve security functionality over time

3G Network Architecture

[Figure: 3G network architecture spanning the 2G, 2G/2.5G and 3G domains. Elements: circuit network and circuit switch; circuit/signaling gateway; IN services and feature server(s); RNC (voice, radio access control); IP RAN carrying data plus packet voice; mobility manager; call agent; IP core network; packet gateway; packet network (Internet).]

New Security Features, 1

Network Authentication
The user can identify the network

Explicit Integrity
Data integrity is assured explicitly by use of integrity algorithms
Also stronger confidentiality algorithms with longer keys

Network Security
Mechanisms to support security within and between networks

Switch Based Security
Security is based within the switch rather than the base station

IMEI Integrity
Integrity mechanisms for IMEI provided from the start

New Security Features, 2

Secure Services
Protect against misuse of services provided by SN and HE

Secure Applications
Provide security for applications resident on USIM

Fraud Detection
Mechanisms for combating fraud in roaming situations

Flexibility
Security features can be extended and enhanced as required by new threats and services

Visibility and Configurability
Users are notified whether security is on and what level of security is available
Users can configure security features for individual services


New Security Features, 3

Compatibility
Standardized security features to ensure world-wide interoperability and roaming
At least one encryption algorithm exported on a world-wide basis

Lawful Interception
Mechanisms to provide authorized agencies with certain information about subscribers


Summary of 3G Security Features, 1

User Confidentiality
Permanent user identity IMSI, user location, and user services cannot be determined by eavesdropping
Achieved by use of temporary identity (TMSI) which is assigned by VLR
IMSI is sent in cleartext when establishing TMSI

TMSI allocation (USIM <-> VLR):
  VLR -> USIM: IMSI request
  USIM -> VLR: IMSI
  VLR -> USIM: TMSI allocation
  USIM -> VLR: TMSI acknowledgement


Summary of 3G Security Features, 2

Mutual Authentication
During Authentication and Key Agreement (AKA) the user and network authenticate each other, and they also agree on a cipher key and an integrity key (CK, IK). CK and IK are used until their lifetime expires.
Assumption: trusted HE and SN, and trusted links between them.
After AKA, a security mode must be negotiated to agree on the encryption and integrity algorithms.

AKA process (USIM <-> VLR <-> HLR):
  VLR -> HLR: AV request, send IMSI
  HLR: generate authentication data AV(1..n)
  HLR -> VLR: AV(1..n)
  VLR -> USIM: RAND(i) || AUTN(i)
  USIM: generate RES(i)
  USIM -> VLR: RES(i)
  VLR: compare RES(i) and XRES(i)


Summary of 3G Security Features, 3

Generation of authentication data at HLR:
  Generate SQN
  Generate RAND
  MAC  := f1(K, SQN || RAND || AMF)
  XRES := f2(K, RAND)
  CK   := f3(K, RAND)
  IK   := f4(K, RAND)
  AK   := f5(K, RAND)
  AUTN := (SQN ⊕ AK) || AMF || MAC
  AV   := RAND || XRES || CK || IK || AUTN


Summary of 3G Security Features, 4

Generation of authentication data in USIM:
  Input: RAND and AUTN = (SQN ⊕ AK) || AMF || MAC
  AK   := f5(K, RAND)
  SQN  := (SQN ⊕ AK) ⊕ AK
  XMAC := f1(K, SQN || RAND || AMF)
  RES  := f2(K, RAND)
  CK   := f3(K, RAND)
  IK   := f4(K, RAND)
  Verify MAC = XMAC
  Verify that SQN is in the correct range
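The AKA exchange of the last three slides, as an added Python example (not code from the original slides or from 3GPP): f1..f5 are toy HMAC-SHA256 stand-ins for MILENAGE, the 32-entry SQN acceptance window and the AMF value are constructed assumptions, and the HLR, USIM and VLR roles are plain functions. It shows the USIM rejecting both a tampered AUTN and a replayed challenge.

```python
import hmac
import hashlib
import secrets

# Toy stand-ins for the 3GPP functions f1..f5 (real USIMs use MILENAGE): one keyed hash,
# domain-separated by the function number n, truncated to the 3GPP output lengths below.
def f(n, k, *parts):
    return hmac.new(k, bytes([n]) + b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x80\x00"  # Authentication Management Field (constructed sample value)

def hlr_generate_av(k, sqn):
    """HLR/AuC side: AV = RAND || XRES || CK || IK || AUTN, AUTN = (SQN xor AK) || AMF || MAC."""
    rand = secrets.token_bytes(16)
    mac = f(1, k, sqn, rand, AMF)[:8]   # MAC  = f1(K, SQN || RAND || AMF)
    xres = f(2, k, rand)[:8]            # XRES = f2(K, RAND)
    ck = f(3, k, rand)[:16]             # CK   = f3(K, RAND)
    ik = f(4, k, rand)[:16]             # IK   = f4(K, RAND)
    ak = f(5, k, rand)[:6]              # AK   = f5(K, RAND), conceals SQN on the air interface
    return {"RAND": rand, "XRES": xres, "CK": ck, "IK": ik, "AUTN": xor(sqn, ak) + AMF + mac}

def usim_respond(k, rand, autn, last_sqn, window=32):
    """USIM side: recover SQN, verify MAC and SQN freshness, derive RES/CK/IK. None on failure."""
    ak = f(5, k, rand)[:6]
    sqn = xor(autn[:6], ak)                  # SQN = (SQN xor AK) xor AK
    amf, mac = autn[6:8], autn[8:16]
    xmac = f(1, k, sqn, rand, amf)[:8]
    if not hmac.compare_digest(mac, xmac):
        return None                          # network failed to prove knowledge of K (e.g. a false BTS)
    sqn_int = int.from_bytes(sqn, "big")
    if not last_sqn < sqn_int <= last_sqn + window:
        return None                          # replayed or out-of-range challenge: synchronisation failure
    return {"RES": f(2, k, rand)[:8], "CK": f(3, k, rand)[:16], "IK": f(4, k, rand)[:16], "SQN": sqn_int}

def vlr_check(av, res):
    """VLR/SN side: compare RES(i) from the USIM with XRES(i) from the vector."""
    return res is not None and hmac.compare_digest(av["XRES"], res)

def run_aka(k, hlr_sqn, usim_last_sqn):
    """One full AKA run; returns (accepted, AV, USIM output)."""
    av = hlr_generate_av(k, hlr_sqn.to_bytes(6, "big"))
    out = usim_respond(k, av["RAND"], av["AUTN"], usim_last_sqn)
    return vlr_check(av, out["RES"] if out else None), av, out
```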


Summary of 3G Security Features, 5

Data Integrity
Integrity of data and authentication of origin of signalling data must be provided
The user and network agree on integrity key and algorithm during AKA and security mode set-up

  Sender (UE or RNC):   MAC-I  := f9(IK, COUNT-I, FRESH, DIRECTION, MESSAGE); MAC-I is sent with MESSAGE
  Receiver (RNC or UE): XMAC-I := f9(IK, COUNT-I, FRESH, DIRECTION, MESSAGE); accept only if MAC-I = XMAC-I


Summary of 3G Security Features, 6

Data Confidentiality
Signalling and user data should be protected from eavesdropping
The user and network agree on cipher key and algorithm during AKA and security mode set-up

  Sender (UE or RNC):   KEYSTREAM BLOCK  := f8(CK, COUNT-C, BEARER, DIRECTION, LENGTH)
                        CIPHERTEXT BLOCK := PLAINTEXT BLOCK ⊕ KEYSTREAM BLOCK
  Receiver (RNC or UE): KEYSTREAM BLOCK  := f8(CK, COUNT-C, BEARER, DIRECTION, LENGTH)
                        PLAINTEXT BLOCK  := CIPHERTEXT BLOCK ⊕ KEYSTREAM BLOCK
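The f9 and f8 operation of this slide and the previous one, as an added Python example (not code from the original slides or from 3GPP): f9_toy and f8_toy are HMAC-SHA256 stand-ins for the KASUMI-based algorithms, integrity protection and ciphering are applied to one message in sequence here purely for illustration, and the COUNT, FRESH and BEARER values are constructed. It shows a single flipped ciphertext bit being caught by XMAC-I and the keystream changing with COUNT-C.

```python
import hmac
import hashlib

# Toy stand-ins for f8 and f9 (UMTS uses KASUMI-based f8/f9) with the same inputs as the 3GPP functions.
def f9_toy(ik, count_i, fresh, direction, message):
    """MAC-I = f9(IK, COUNT-I, FRESH, DIRECTION, MESSAGE), truncated to 32 bits as in UMTS."""
    data = count_i.to_bytes(4, "big") + fresh.to_bytes(4, "big") + bytes([direction]) + message
    return hmac.new(ik, b"f9" + data, hashlib.sha256).digest()[:4]

def f8_toy(ck, count_c, bearer, direction, length):
    """KEYSTREAM BLOCK = f8(CK, COUNT-C, BEARER, DIRECTION, LENGTH): counter-mode keyed hash."""
    iv = count_c.to_bytes(4, "big") + bytes([bearer, direction])  # keystream is unique per (COUNT-C, BEARER, DIRECTION)
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(ck, b"f8" + iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def protect(ck, ik, count_c, count_i, fresh, bearer, direction, plaintext):
    """Sender (UE or RNC): attach MAC-I to the message, then XOR the PDU with the keystream."""
    pdu = plaintext + f9_toy(ik, count_i, fresh, direction, plaintext)
    return xor(pdu, f8_toy(ck, count_c, bearer, direction, len(pdu)))

def unprotect(ck, ik, count_c, count_i, fresh, bearer, direction, ciphertext):
    """Receiver (RNC or UE): regenerate keystream, decipher, recompute XMAC-I; None unless MAC-I = XMAC-I."""
    pdu = xor(ciphertext, f8_toy(ck, count_c, bearer, direction, len(ciphertext)))
    msg, mac_i = pdu[:-4], pdu[-4:]
    return msg if hmac.compare_digest(mac_i, f9_toy(ik, count_i, fresh, direction, msg)) else None
```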


Summary of 3G Security Features, 7

IMEI
IMEI is sent to the network only after the authentication of SN
The transmission of IMEI is not protected

User-USIM Authentication
Access to USIM is restricted to authorized users
User and USIM share a secret key, the PIN

USIM-Terminal Authentication
User equipment must authenticate USIM

Secure Applications
Applications resident on USIM should receive secure messages over the network

Visibility
Indication that encryption is on
Indication of what level of security (2G, 3G) is available


Summary of 3G Security Features, 8

Configurability
User configures which security features are activated with particular services:
Enabling/disabling user-USIM authentication
Accepting/rejecting incoming non-ciphered calls
Setting up/not setting up non-ciphered calls
Accepting/rejecting use of certain ciphering algorithms

GSM Compatibility
GSM user parameters are derived from UMTS parameters using the following conversion functions:
cipher key Kc = c3(CK, IK)
random challenge RAND = c1(RAND)
signed response SRES = c2(RES)
GSM subscribers roaming in a 3GPP network are supported by a GSM security context (for example, vulnerable to false BTS)


Problems with 3G Security

IMSI is sent in cleartext when allocating TMSI to the user

The transmission of IMEI is not protected; IMEI is not a security feature

A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of the SN

Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set up

