University of Split
2013/2014.
[Figure: cellular network architecture. Mobile Station, Base Station, Mobile Switching Center and External Network, with databases (e.g., Home Location Register) at the Mobile Switching Center.]
3
EPFL, JPH
Cellular Network Architecture: Registration Process
[Figure: registration process, showing mobile stations with the numbers 079/4154678 and 079/8132627 being recorded by the network.]
Cellular Network Architecture: Paging Broadcast (locating a particular mobile station in case of mobile terminated call)
[Figure: the paging query "079/8132627?" is broadcast to all base stations; the mobile station 079/8132627 answers from the cell where it is located.]
Cellular Network Architecture: Channel Assignment
[Figure: channel assignment; channel 47 is assigned on one radio link of the call and channel 68 on the other, the switch holding both assignments.]
Cellular Network Architecture: Conversation
Cellular Network Architecture: Handover (or Handoff)
Cellular Network Architecture: Message Sequence Chart
[Figure: message sequence chart with the participants Caller, Base Station, Switch, Base Station, Callee.]
GSM: overview
[Figure: GSM system overview. Radio subsystem (RSS) with the BSCs; network and switching subsystem (NSS) with VLR, MSC, HLR and GMSC; operation subsystem (OSS) with OMC, EIR and AUC; the NSS connects to the fixed network.]
GSM: system architecture
[Figure: radio subsystem (MS, BTS, BSC, grouped as BSS), network and switching subsystem (MSC, VLR, HLR, EIR, SS7 signalling, IWF) and fixed networks (ISDN, PSTN, PSPDN, CSPDN).]
System architecture: radio subsystem
Components
- MS (Mobile Station)
- BSS (Base Station Subsystem), consisting of
  - BTS (Base Transceiver Station): sender and receiver
  - BSC (Base Station Controller): controlling several transceivers
[Figure: several MS served by BTSs, BTSs grouped under BSCs, BSCs connected to the MSC.]
Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers.
Components
- Base Station Subsystem (BSS):
  - Base Transceiver Station (BTS): radio components including sender, receiver, antenna; if directed antennas are used, one BTS can cover several cells
  - Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels onto terrestrial channels
GSM: cellular network
segmentation of the area into cells
Databases
- HLR (Home Location Register)
- VLR (Visitor Location Register)
- EIR (Equipment Identity Register)
[Figure: cells served by base stations, MSC with HLR, VLR and EIR, and an IWF towards ISDN, PSTN, PSPDN and CSPDN.]
Network and switching subsystem
NSS is the main component of the public mobile network GSM: switching, mobility management, interconnection to other networks, system control.
Components
- Mobile Services Switching Center (MSC): controls all connections via a separated network to/from a mobile terminal within the domain of the MSC; several BSC can belong to a MSC
- Databases (important: scalability, high capacity, low delay)
  - Home Location Register (HLR): central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
  - Visitor Location Register (VLR): local database for a subset of user data, including data about all users currently in the domain of the VLR
Mobile Services Switching Center
The MSC (mobile switching center) plays a central role in GSM:
- switching functions
- additional functions for mobility support
- management of network resources
- interworking functions via Gateway MSC (GMSC)
- integration of several databases
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems.
Components
- Authentication Center (AUC): generates user-specific authentication parameters on request of a VLR; the authentication parameters are used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
- Equipment Identity Register (EIR): registers GSM mobile stations and user rights; stolen or malfunctioning mobile stations can be locked and sometimes even localized
- Operation and Maintenance Center (OMC): different control capabilities for the radio subsystem and the network subsystem
Please check http://gsmfordummies.com/gsmevents/mobile_terminated.shtml
[Figure: mobile terminated call between MS and BSS.]
Mobile Terminated and Mobile Originated Calls

Mobile Terminated Call (MTC), MS and BTS    Mobile Originated Call (MOC), MS and BTS
paging request                              -
channel request                             channel request
immediate assignment                        immediate assignment
paging response                             service request
authentication request                      authentication request
authentication response                     authentication response
ciphering command                           ciphering command
ciphering complete                          ciphering complete
setup                                       setup
call confirmed                              call confirmed
assignment command                          assignment command
assignment complete                         assignment complete
alerting                                    alerting
connect                                     connect
connect acknowledge                         connect acknowledge
data/speech exchange                        data/speech exchange
Security in GSM
Based on: Security in the GSM system by Jeremy Quirke
- Confidentiality: voice and signaling encrypted on the wireless link (after successful authentication)
- Anonymity: temporary identity TMSI (Temporary Mobile Subscriber Identity), newly assigned at each new location update (LUP), encrypted transmission
Security Services in GSM: Authentication
[Figure: authentication, key generation and encryption.]
Authentication: the AC (authentication center) and the SIM share the 128-bit key Ki. The network sends a 128-bit RAND to the MS; the AC computes SRES* = A3(Ki, RAND) and the SIM computes SRES = A3(Ki, RAND), both 32 bit. The MSC checks SRES* =? SRES.
Key generation: the AC and the SIM both compute the 64-bit cipher key Kc = A8(Ki, RAND).
Encryption: BTS and MS run A5 with Kc to encrypt the data on the air interface.
Security Services in GSM: Authentication and Encryption
- A3 and A8 algorithms are both run in the SIM at the same time on the same input (RAND, Ki)
- A3A8 = COMP128v1, COMP128v2, COMP128v3 (serious weaknesses known)
- not used in UMTS
- Encryption algorithm A5: symmetric encryption algorithm; voice/data encryption performed by the phone using the generated encryption key Kc
Security Services in GSM: Encryption
A5 algorithms
- A5/0: no encryption used
- A5/1 and A5/2: developed far from the public domain and later found flawed; stream ciphers based on linear feedback shift registers
- A5/2: completely broken (not used anymore in GSM)
- A5/1: a bit stronger but also broken by many researchers
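The authentication, key-generation and encryption steps above, carried through end to end as an added example; this is not code from the slides or from any GSM implementation. A3, A8 and A5 are replaced by HMAC-SHA256 and SHA-256 stand-ins (an assumption made so the code runs offline; COMP128 and the LFSR-based A5/1 are not reproduced), while the bit lengths, the (RAND, SRES*, Kc) triplet handed from the AuC to the MSC/VLR, and the SIM-side computation follow the slide. The IMSI string and the Ki value are constructed sample data.

```python
"""Added example, not from the slides: a model of the GSM authentication and
key-agreement flow (RAND -> A3 -> SRES, RAND -> A8 -> Kc, Kc -> A5).
A3, A8 and A5 are HMAC-SHA256 / SHA-256 stand-ins (assumption) so the example
runs offline; COMP128 and the LFSR-based A5/1 are not reproduced.  Only the
bit lengths (128-bit Ki and RAND, 32-bit SRES, 64-bit Kc) and the split of
work between AuC, MSC/VLR and SIM follow the slide."""
import hashlib
import hmac
import os


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit signed response derived from (Ki, RAND)."""
    assert len(ki) == 16 and len(rand) == 16, "Ki and RAND are 128 bit"
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit cipher key Kc from the same (Ki, RAND)."""
    assert len(ki) == 16 and len(rand) == 16, "Ki and RAND are 128 bit"
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_stream(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """Stand-in for A5: a stream cipher, so encrypt and decrypt are the same
    XOR of the data with a keystream depending on Kc and the frame number."""
    assert len(kc) == 8, "Kc is 64 bit"
    keystream = b""
    block = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(kc + frame_no.to_bytes(4, "big")
                                    + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ k for d, k in zip(data, keystream))


class AuC:
    """Authentication Center: the only network element holding Ki.  It hands
    (RAND, SRES*, Kc) triplets to the VLR/MSC, which therefore never sees Ki."""

    def __init__(self, subscribers: dict):
        self._ki = dict(subscribers)          # IMSI -> Ki (constructed sample data)

    def triplet(self, imsi: str):
        ki = self._ki[imsi]
        rand = os.urandom(16)
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


class SIM:
    """Subscriber side: A3 and A8 run together on the same (RAND, Ki)."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        # The one-way property the weakness slide points out: the SIM answers
        # any RAND it is given; nothing here lets it check who sent the challenge.
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


def gsm_authenticate(auc: AuC, sim: SIM):
    """MSC/VLR procedure.  Returns (accepted, kc_network, kc_mobile)."""
    rand, sres_expected, kc_network = auc.triplet(sim.imsi)
    sres, kc_mobile = sim.respond(rand)       # RAND and SRES cross the air in clear
    accepted = hmac.compare_digest(sres, sres_expected)
    return accepted, (kc_network if accepted else None), kc_mobile


def demo():
    """Genuine SIM accepted, SIM with a wrong Ki rejected, Kc agreed, A5 round trip."""
    ki = bytes(range(16))                     # constructed sample Ki
    auc = AuC({"imsi-sample": ki})
    genuine = SIM("imsi-sample", ki)
    wrong_key = SIM("imsi-sample", bytes(16))  # constructed SIM holding a wrong Ki
    ok, kc_net, kc_ms = gsm_authenticate(auc, genuine)
    accepted_wrong, _, _ = gsm_authenticate(auc, wrong_key)
    # After a successful run both ends hold the same Kc and can run A5 on it.
    frame = a5_stream(kc_net, 42, b"hello from the BTS")
    plain = a5_stream(kc_ms, 42, frame)
    return ok, not accepted_wrong, kc_net == kc_ms, plain


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four results of demo(): the genuine SIM is accepted, the SIM with the wrong Ki is rejected, both sides derive the same Kc, and the frame encrypted with the network's Kc decrypts with the mobile's. The comment in SIM.respond is the point of the "Security Weaknesses" slide: the SIM computes SRES for any RAND without learning anything about the sender.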
Security Services in GSM: Summary
Security Weaknesses in GSM
A mobile phone does not authenticate the base station!
- only the mobile authenticates to the BS (one-way authentication)
- fake BS and man-in-the-middle attacks possible
- the attacker does not have to know the authentication key Ki
Security Services in GSM: Anonymity
Security Weaknesses in GSM: Attack Against the Anonymity Service
Countermeasures: UMTS
UMTS defines 2-way authentication and mandates the use of stronger encryption and authentication primitives; this prevents MITM attacks by a fake BS, but be cautious...
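The two-way authentication that UMTS introduced, modelled as an added example that is not from the slides, the 3GPP specifications or any UMTS implementation; it goes beyond the slide by spelling out what the mobile checks before it answers, which is exactly what the GSM SIM could not do. The f1 and f2 functions are HMAC-SHA256 stand-ins for the real key-derivation functions (an assumption), the authentication token is simplified to a sequence number plus MAC (no anonymity-key masking, no AMF field), and the key K is constructed sample data.

```python
"""Added example, not from the slides: a simplified model of two-way
authentication in the style of UMTS, to contrast with GSM's one-way scheme.
The network proves knowledge of the shared key K by sending a MAC over
(RAND, SQN) with the challenge; the USIM verifies that MAC and the freshness
of SQN before it answers.  f1/f2 are HMAC-SHA256 stand-ins (assumption); the
real MILENAGE functions are not reproduced, and the token is simplified."""
import hashlib
import hmac
import os


def f1_mac(k: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for f1: the network's authentication code over RAND and SQN."""
    return hmac.new(k, b"f1" + rand + sqn.to_bytes(6, "big"),
                    hashlib.sha256).digest()[:8]


def f2_res(k: bytes, rand: bytes) -> bytes:
    """Stand-in for f2: the subscriber's response RES."""
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


class HomeNetwork:
    """Holds K and a per-subscriber sequence number; issues challenges."""

    def __init__(self, k: bytes):
        self._k = k
        self._sqn = 0

    def challenge(self):
        """Return ((RAND, SQN, MAC) for the air interface, XRES kept network-side)."""
        self._sqn += 1
        rand = os.urandom(16)
        mac = f1_mac(self._k, rand, self._sqn)
        return (rand, self._sqn, mac), f2_res(self._k, rand)


class USIM:
    """Subscriber side.  Unlike a GSM SIM it refuses a challenge whose MAC does
    not verify under K or whose sequence number is not fresh."""

    def __init__(self, k: bytes):
        self._k = k
        self.highest_sqn = 0

    def respond(self, rand: bytes, sqn: int, mac: bytes):
        if not hmac.compare_digest(mac, f1_mac(self._k, rand, sqn)):
            return None                          # sender does not know K
        if sqn <= self.highest_sqn:
            return None                          # replayed or stale challenge
        self.highest_sqn = sqn
        return f2_res(self._k, rand)


def run_aka(net: HomeNetwork, usim: USIM) -> bool:
    """One mutual authentication: USIM checks the network, network checks RES."""
    (rand, sqn, mac), xres = net.challenge()
    res = usim.respond(rand, sqn, mac)
    return res is not None and hmac.compare_digest(res, xres)


def demo():
    """Genuine run succeeds; a challenge without K and a replay are both refused."""
    k = bytes(range(16, 32))                     # constructed sample K
    net, usim = HomeNetwork(k), USIM(k)
    genuine = run_aka(net, usim)
    # A challenge built by a party that does not hold K carries no valid MAC,
    # so the USIM stays silent instead of answering as a GSM SIM would.
    unauthenticated = usim.respond(os.urandom(16), usim.highest_sqn + 1, os.urandom(8))
    # A genuine challenge delivered twice fails the sequence-number check.
    (rand, sqn, mac), _ = net.challenge()
    first = usim.respond(rand, sqn, mac)
    replayed = usim.respond(rand, sqn, mac)
    return genuine, unauthenticated is None, first is not None, replayed is None


if __name__ == "__main__":
    print(demo())
```

The design point is the order of checks on the USIM: the MAC is verified first, so a challenge from someone without K is dropped before any response is computed, and the sequence number is compared afterwards so that a recorded genuine challenge cannot be reused. The "be cautious" on the slide still applies: this model covers the authentication step only, not what a network may negotiate for ciphering afterwards.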
Many Reasons to Worry About Your Privacy
http://www.theregister.co.uk/2008/05/20/tracking_phones/
http://www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/ (check also http://www.pathintelligence.com)
http://docs.google.com/viewer?url=https%3A%2F%2Fmedia.blackhat.com%2Fbh-dc-11%2FPerez-Pico%2FBlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdf
http://docs.google.com/viewer?url=http%3A%2F%2Ffemto.sec.t-labs.tu-berlin.de%2Fbh2011.pdf