無線通訊安全 -1(I,GSM,3G)

• 無線通訊發展– Maxwell, Hertz, Tesla(Radio)– Radar (Radio Detection and Ranging)– 軍事無線通訊

• 無線通訊發展類別– 語音為主– 資料為主

語音為主• 1980 年代

– Target: Analog, circuit-based, narrow band– System:

• AMPS(Advanced Mobile Phone System) 系統– 漫游 (Roaming), Mobile Identification Number,MIN and Electron

ic Serial Number,ESN 以明文傳送

• 1990 年 -2G 第二代行動通訊– Target:Digital, circuit-based, narrow band– System:

• GSM(Global System for Mobile System)• PACS

• 2000 年 -3G 第三代行動通訊– Target: Digit, circuit-based/packet-based, 2Mb

at stationary, 384 Kb at slow moving, 128Kb at vehicle.

– System:• W-CDMA(Wideband code-division multiple access)

– An upgrade to GSM– 384Kb in R99 handset, 3.6Mb in HSDPA– Japan, NTT DoCoMo

• CDMA2000 (韓國為標準主導國家 )• TD-CDMA (中國大陸獨自制定的標準 )

• 2.5 G– High speed, circuit-switched data– Systems:

• iDEN, 64Kb, used in North America and South America, also in China and Japan.

• GPRS, 171kb, • EDGE, 384 kb

資料為主• Short range

– 紅外線– 藍芽技術 (Bluetooth)– RFID

• Medium range– 無線區域網路 802.11x

• Long range– Microwave– WiMax

GSM Security

• ETSI, European Telecommunications Standard Institute, 於 1990 制訂

• GSM 系統架構– 行動台 (Mobile Station, MS)– 基地台子系統 (Base Station Subsystem, BSS)– 網路與交換子系統 (Network and Switching Su

bsystem, NSS)

GSM Network Architecture

 

                             

BSC

MS

PSTN/ISDN

BTS MSC

BSC

Um

A-bis

Circuit-switched technology

Voice Traffic

A

Gateway MSCVLRVLR

HLRHLR

MSCVLRVLR

AUC

行動台 (Mobile Station, MS)

• MS– Mobile Equipment, ME– Subscriber Identity Module, SIM

• SIM card– IC-based card (memory + Computing)– Stored the IMSI( International Mobile

Subscriber Identity)

基地台子系統 (Base Station Subsystem, BSS)

• BSS includes– 基地傳輸站 (Base Transceiver Station, BTS)

• Receive/Transmit, Audio Frequency interface,…

– 基地控制器 (Base Station Controller, BSC)• BSS 交換 (Channel, signal upward,..)

網路與交換子系統 (Network and Switching Subsystem, NSS)

• 行動交換中心 (Mobile Switching Center, MSC)– Circuit-Switching– Provide service to BSC– MSC service range called Location Area, LA

• 本籍位置記錄器 (Home Location Register, HLR)• 訪客位置記錄器 (Visited Location Register, VLR)• 認證中心 (Authentication Center, AUC)

– International Mobile Subscriber Identity, IMSI

GSM 系統通訊• 註冊階段 (Registration Phase)Scenario1 (roaming from one LA to another LA)

(VLRI, VLR Identity of VLR old, VLRn, VLR new)1) MS TMSI, VLRI (VLRn)2) VLRn TMSI (VLRI), VLRI IMSI (VLRn)3) VLRn newlocation (HLR)4) VLRn TMSI (MS)5) VLRn cancel (VLRI)

Scenario 2 (New MS arrives in BSS) need GSM Security Mechanism to authenticate t

he arrived MS

• 呼叫傳送階段 (Call Delivery Phase)1)Gateway MSC(GMSC) e.g., PSTN GSM

2)GMSC Q Location (HLR)

3)HLR Mobile Station Roaming Number (GMSC)

4)Switch to MSRN

GSM Security Mechanism for authentication

• Objects:– User Identity protect– Authentication to prevent illegal user– Confidential in Communication

• Three functions are used: A3, A5,A8 :– A3 and A8 are one way function like hash but

much simpler, – A5 is the one key encrypted/decrypted function

like RC4,

MS VLR HLRIMSI

IMSI

IMSI, RAND, Kc, SRES

RAND

SRES

A5Kc(TMSI)

Kc=A8(Ki,RAND)SRES=A3(Ki,RAND)

ACK

Communication Key is Kc

GSM Security Elements, 1Key functions: privacy, integrity and confidentiality

• Authentication Protect from unauthorized service access

Based on the authentication algorithm A3(Ki, RAND)=> SRESProblems with inadequate algorithms

• Encryption Scramble bit streams to protect signaling and user dataCiphering algorithm A8(Ki, RAND) => Kc

A5(Kc, Data) => Encrypted DataNeed stronger encryption

• ConfidentialityPrevent intruder from identifying users by IMSITemporary MSINeed more secure mechanism

Problems with GSM Security, 1

• Active AttacksImpersonating network elements such as false BTS is possible

• Key TransmissionCipher keys and authentication values are transmitted in clear

within and between networks (IMSI, RAND, SRES, Kc)

• Limited Encryption ScopeEncryption terminated too soon at edge of network to BTS

Communications and signaling in the fixed network portion aren’t protected

Designed to be only as secure as the fixed networks

• Channel HijackProtection against radio channel hijack relies on encryption. However, encryption is not used in some networks.

Problems with GSM Security, 2

• Implicit Data IntegrityNo integrity algorithm provided

• Unilateral AuthenticationOnly user authentication to the network is provided.

No means to identify the network to the user.

• Weak Encryption AlgorithmsKey lengths are too short, while computation speed is

increasing

Encryption algorithm COMP 128 has been broken

Replacement of encryption algorithms is quite difficult

• Unsecured TerminalIMEI is an unsecured identity

Integrity mechanisms for IMEI are introduced late

Problems with GSM Security, 3

• Lawful Interception & FraudConsidered as afterthoughts

• Lack of VisibilityNo indication to the user that encryption is on

No explicit confirmation to the HE that authentication parameters are properly used in SN when subscribers roam

• InflexibilityInadequate flexibility to upgrade and improve security

functionality over time

3 G

3G Network Architecture

 

                   

Node BMS

PSTN/ISDN

BTSMSC

RNC

Um

Gateway MSC(circuit-switched)VLRVLR

HLRHLRMSC

VLRVLR

AUC

RNC

GGSN (packet-switched)

Node B

Node B

Node B

• Node B replace BSC

• Add Radio Network Controller, RNC layer

• MS– ME + UICC (UMTS IC card, USIM inside)– UICC calculate f1 to f5– ME calculate f8 to f9

3G Security

• 增加– 相互認證– 完整性

• 運作基本– 五個函數 f1~f5 及密鑰 K– 三個參數 SQN(Sequence Number),RAND, AMF(Auth

entication Management Field) ，– 五個認證值 MAC(Message Authentication Key), XRE

S (Expected Response), CK (Cipher Key), IK (Integrity Key), AK(Anonymity Key)

MS VLR HLR(AUC)TMSI

TMSI

SQN, RAND, AMFXRES, MAC, CK, IK, AK, RAND,AUTN

XRES

f8Kc(TMSI)

ACK AUTN=(SQNAK||AMF||MAC)

XRES=f2(Rand, K)CK=f3(Rand,K)IK=f4(Rand,K)AK=f5(Rand,K)MAC=f1(Sqn,Rand,Amf,K)

Get:XRES=f2(Rand, K)CK=f3(Rand,K)IK=f4(Rand,K)AK=f5(Rand,K)

SQN=SQN AK AKGet MAC from AUTNAnd MAC=f1(Sqn,Rand,Amf,K)

Check SQN 合理嗎 ?And MAC=MAC?

Summary of 3G Security Features, 1

• User Confidentiality– Permanent user identity IMSI, user location, and user services

cannot be determined by eavesdropping• Achieved by use of temporary identity (TMSI) which is assigned by VLR, IMSI is

sent in cleartext when establishing TMSI

USIM VLR

IMSI

TMSI allocation

TMSI acknowledgement

IMSI request

Summary of 3G Security Features, 2

• Mutual AuthenticationDuring Authentication and Key Agreement (AKA) the user and

network authenticate each other, and also they agree on cipher and integrity key (CK, IK). CK and IK are used until their time expires.

Assumption: trusted HE and SN, and trusted links between them.

After AKA, security mode must be negotiated to agree on encryption and integrity algorithm.

AKA process: USIM VLR HLR

AV request, send IMSI

Generate authentication data V(1..n) RAND(i) || AUTN(i)

Generate RES(i) Compare RES(i) and XRES(i)

Summary of 3G Security Features, 3

Generation of authentication data at HLR:

K

SQN RAND

f1 f2 f3 f4 f5

MAC XRES CK IK AK

AUTN := SQN AK || AMF || MAC

AV := RAND || XRES || CK || IK || AUTN

Generate SQN

Generate RAND

AMF

Summary of 3G Security Features, 4

Generation of authentication data in USIM:

K

SQN

RAND

f1 f2 f3 f4

f5

XMAC RES CK IK

AK

SQN AK AMF MAC

AUTN

Verify MAC = XMAC

Verify that SQN is in the correct range

Summary of 3G Security Features, 5

• Data IntegrityIntegrity of data and authentication of origin of signalling data

must be provided

The user and network agree on integrity key and algorithm during AKA and security mode set-up

f 9

COUNT-I DIRECTION

MESSAGE FRESH

IK

MAC -I

f 9

COUNT-I DIRECTION

MESSAGE FRESH

IK

XMAC -I

SenderUE or RNC

ReceiverRNC or UE

Summary of 3G Security Features, 6

• Data ConfidentialitySignalling and user data should be protected from

eavesdropping

The user and network agree on cipher key and algorithm during AKA and security mode set-up

PLAINTEXTBLOCK

f8

COUNT-C DIRECTION

BEARER LENGTH

CK

KEYSTREAMBLOCK

CIPHERTEXTBLOCK

f8

COUNT-C DIRECTION

BEARER LENGTH

CK

KEYSTREAMBLOCK

PLAINTEXTBLOCK

SenderUE or RNC

ReceiverRNC or UE

Summary of 3G Security Features, 7

• IMEIIMESI is sent to the network only after the authentication of

SNThe transmission of IMEI is not protected

• User-USIM AuthenticationAccess to USIM is restricted to authorized usersUser and USIM share a secret key, PIN

• USIM-Terminal AuthenticationUser equipment must authenticate USIM

• Secure ApplicationsApplications resident on USIM should receive secure

messages over the network

• VisibilityIndication that encryption is onIndication what level of security (2G, 3G) is available

Summary of 3G Security Features, 8

• ConfigurabilityUser configures which security features activated with particul

ar servicesEnabling/disabling user-USIM authenticationAccepting/rejecting incoming non-ciphered callsSetting up/not setting up non-ciphered callsAccepting/rejecting use of certain ciphering algorithms

• GSM CompatibilityGSM user parameters are derived from UMTS parameters usi

ng the following conversion functions:cipher key Kc = c3(CK, IK)random challenge RAND = c1(RAND)signed response SRES = c2(RES)

GSM subscribers roaming in 3GPP network are supported by GSM security context (example, vulnerable to false BTS)

Problems with 3G Security

• IMSI is sent in cleartext when allocating TMSI to the user

• The transmission of IMEI is not protected; IMEI is not a security feature

• A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of SN

• Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set-up