Wireless Communication Security -1 (I, GSM, 3G)
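• Development of wireless communication
  – Maxwell, Hertz, Tesla (Radio)
  – Radar (Radio Detection and Ranging)
  – Military wireless communication
• Categories of wireless communication
  – Voice-oriented
  – Data-oriented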

Voice-oriented
• 1980s
  – Target: Analog, circuit-based, narrow band
  – System:
    • AMPS (Advanced Mobile Phone System)
      – Roaming; the Mobile Identification Number (MIN) and Electronic Serial Number (ESN) are sent in plaintext
• 1990: 2G, second-generation mobile communication
  – Target: Digital, circuit-based, narrow band
  – System:
    • GSM (Global System for Mobile Communications)
    • PACS
• 2000: 3G, third-generation mobile communication
  – Target: Digital, circuit-based/packet-based; 2Mb when stationary, 384Kb when moving slowly, 128Kb in a vehicle
  – System:
    • W-CDMA (Wideband Code-Division Multiple Access)
      – An upgrade to GSM
      – 384Kb in R99 handset, 3.6Mb in HSDPA
      – Japan, NTT DoCoMo
    • CDMA2000 (Korea is the lead country for the standard)
    • TD-CDMA (a standard developed independently by mainland China)
• 2.5G
  – High speed, circuit-switched data
  – Systems:
    • iDEN, 64Kb, used in North America and South America, also in China and Japan
    • GPRS, 171Kb
    • EDGE, 384Kb

Data-oriented
• Short range
  – Infrared
  – Bluetooth
  – RFID
• Medium range
  – Wireless LAN 802.11x
• Long range
  – Microwave
  – WiMax

GSM Security
• Defined by ETSI (European Telecommunications Standards Institute) in 1990
• GSM system architecture
  – Mobile Station (MS)
  – Base Station Subsystem (BSS)
  – Network and Switching Subsystem (NSS)

GSM Network Architecture
[Figure: GSM network architecture (circuit-switched technology, voice traffic). Elements shown: MS, BTS, BSC, MSC/VLR, Gateway MSC/VLR, HLR, AUC, PSTN/ISDN. Interfaces labelled: Um, A-bis, A.]

Mobile Station (MS)
• MS
  – Mobile Equipment (ME)
  – Subscriber Identity Module (SIM)
• SIM card
  – IC-based card (memory + computing)
  – Stores the IMSI (International Mobile Subscriber Identity)

Base Station Subsystem (BSS)
• The BSS includes
  – Base Transceiver Station (BTS)
    • Receive/transmit, audio frequency interface, …
  – Base Station Controller (BSC)
    • BSS switching (channel, signal upward, ...)

Network and Switching Subsystem (NSS)
• Mobile Switching Center (MSC)
  – Circuit switching
  – Provides service to the BSC
  – The MSC's service range is called the Location Area (LA)
• Home Location Register (HLR)
• Visited Location Register (VLR)
• Authentication Center (AUC)
  – International Mobile Subscriber Identity (IMSI)

GSM System Communication
• Registration Phase
  Scenario 1 (roaming from one LA to another LA)
  (VLRI: VLR identity of the old VLR; VLRn: the new VLR)
  1) MS → VLRn: TMSI, VLRI
  2) VLRn → VLRI: TMSI; VLRI → VLRn: IMSI
  3) VLRn → HLR: new location
  4) VLRn → MS: TMSI
  5) VLRn → VLRI: cancel
  Scenario 2 (a new MS arrives in the BSS): the GSM security mechanism is needed to authenticate the arriving MS
• Call Delivery Phase
  1) Gateway MSC (GMSC), e.g., PSTN → GSM
  2) GMSC → HLR: Q Location
  3) HLR → GMSC: Mobile Station Roaming Number (MSRN)
  4) Switch to MSRN

GSM Security Mechanism for Authentication
• Objectives:
  – Protect user identity
  – Authentication to prevent illegal users
  – Confidentiality of communication
• Three functions are used: A3, A5, A8:
  – A3 and A8 are one-way functions, like a hash but much simpler
  – A5 is a single-key encryption/decryption function, like RC4
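[Figure: GSM authentication message flow between MS, VLR and HLR. Labels in the order shown: IMSI; IMSI; IMSI, RAND, Kc, SRES; RAND; SRES; A5_Kc(TMSI); ACK]
Kc = A8(Ki, RAND)
SRES = A3(Ki, RAND)
The communication key is Kc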

GSM Security Elements, 1
Key functions: privacy, integrity and confidentiality
• Authentication
  – Protects against unauthorized service access
  – Based on the authentication algorithm A3(Ki, RAND) => SRES
  – Problems with inadequate algorithms
• Encryption
  – Scrambles bit streams to protect signaling and user data
  – Ciphering algorithm A8(Ki, RAND) => Kc
  – A5(Kc, Data) => Encrypted Data
  – Needs stronger encryption
• Confidentiality
  – Prevents an intruder from identifying users by IMSI
  – Temporary MSI (TMSI)
  – Needs a more secure mechanism
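
The challenge-response exchange described above, as an added example that is not part of the original slides. HMAC-SHA256 is used as a labelled stand-in for A3 and A8 (the slides do not give the operator algorithms), and Ki and RAND are constructed sample values.

```python
import hashlib
import hmac

def _one_way(ki: bytes, rand: bytes, label: bytes, size: int) -> bytes:
    # Stand-in one-way function (HMAC-SHA256); NOT the operator's real A3/A8.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:size]

def a3(ki: bytes, rand: bytes) -> bytes:
    """SRES = A3(Ki, RAND): 32-bit signed response."""
    return _one_way(ki, rand, b"A3", 4)

def a8(ki: bytes, rand: bytes) -> bytes:
    """Kc = A8(Ki, RAND): 64-bit cipher key."""
    return _one_way(ki, rand, b"A8", 8)

def hlr_triplet(ki: bytes, rand: bytes) -> tuple:
    # HLR/AUC hands (RAND, SRES, Kc) to the VLR; Kc itself travels inside it.
    return rand, a3(ki, rand), a8(ki, rand)

def sim_respond(ki: bytes, rand: bytes) -> tuple:
    # The SIM answers any RAND: the challenge carries no proof of its origin.
    return a3(ki, rand), a8(ki, rand)

def vlr_check(triplet: tuple, sres_from_ms: bytes):
    # The VLR never sees Ki; it compares SRES and then uses the Kc it was given.
    _, sres, kc = triplet
    return kc if hmac.compare_digest(sres, sres_from_ms) else None

def run_demo() -> dict:
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed Ki
    rand = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed RAND
    triplet = hlr_triplet(ki, rand)
    sres, kc_ms = sim_respond(ki, rand)
    other_sres, _ = sim_respond(bytes(16), rand)  # a SIM holding a different Ki
    return {
        "genuine_accepted": vlr_check(triplet, sres) == kc_ms,
        "wrong_ki_rejected": vlr_check(triplet, other_sres) is None,
        # Whoever holds the triplet holds the session key:
        "kc_in_triplet": triplet[2] == kc_ms,
        # Unilateral authentication: the SIM responds to a RAND nobody vouched for.
        "answers_unvouched_rand": len(sim_respond(ki, bytes(16))[0]) == 4,
    }
```

The last two results correspond to the key-transmission and unilateral-authentication weaknesses in the slides that follow.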

Problems with GSM Security, 1
• Active Attacks
  – Impersonating network elements such as a false BTS is possible
• Key Transmission
  – Cipher keys and authentication values are transmitted in clear within and between networks (IMSI, RAND, SRES, Kc)
• Limited Encryption Scope
  – Encryption is terminated too soon, at the edge of the network at the BTS
  – Communications and signaling in the fixed network portion aren't protected
  – Designed to be only as secure as the fixed networks
• Channel Hijack
  – Protection against radio channel hijack relies on encryption. However, encryption is not used in some networks.

Problems with GSM Security, 2
• Implicit Data Integrity
  – No integrity algorithm provided
• Unilateral Authentication
  – Only user authentication to the network is provided
  – No means to identify the network to the user
• Weak Encryption Algorithms
  – Key lengths are too short, while computation speed is increasing
  – Encryption algorithm COMP 128 has been broken
  – Replacement of encryption algorithms is quite difficult
• Unsecured Terminal
  – IMEI is an unsecured identity
  – Integrity mechanisms for IMEI were introduced late

Problems with GSM Security, 3
• Lawful Interception & Fraud
  – Considered as afterthoughts
• Lack of Visibility
  – No indication to the user that encryption is on
  – No explicit confirmation to the HE that authentication parameters are properly used in the SN when subscribers roam
• Inflexibility
  – Inadequate flexibility to upgrade and improve security functionality over time

3G Network Architecture
[Figure: 3G network architecture. Elements shown: MS, Node B (several), BTS, RNC, MSC/VLR, Gateway MSC (circuit-switched)/VLR, HLR, AUC, GGSN (packet-switched), PSTN/ISDN. Interface labelled: Um.]
• Node B replaces BSC
• Adds a Radio Network Controller (RNC) layer
• MS
  – ME + UICC (UMTS IC card, USIM inside)
  – UICC calculates f1 to f5
  – ME calculates f8 to f9

3G Security
• Additions
  – Mutual authentication
  – Integrity
• Basis of operation
  – Five functions f1~f5 and the secret key K
  – Three parameters: SQN (Sequence Number), RAND, AMF (Authentication Management Field)
  – Five authentication values: MAC (Message Authentication Code), XRES (Expected Response), CK (Cipher Key), IK (Integrity Key), AK (Anonymity Key)
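[Figure: 3G authentication message flow between MS, VLR and HLR (AUC). Labels in the order shown: TMSI; TMSI; SQN, RAND, AMF; XRES, MAC, CK, IK, AK, RAND, AUTN; XRES; f8_Kc(TMSI); ACK]
Network side:
  XRES = f2(RAND, K), CK = f3(RAND, K), IK = f4(RAND, K), AK = f5(RAND, K), MAC = f1(SQN, RAND, AMF, K)
  AUTN = (SQN ⊕ AK || AMF || MAC)
MS side:
  Get: XRES = f2(RAND, K), CK = f3(RAND, K), IK = f4(RAND, K), AK = f5(RAND, K)
  SQN = (SQN ⊕ AK) ⊕ AK
  Get MAC from AUTN, and compute MAC = f1(SQN, RAND, AMF, K)
  Check: is SQN reasonable? And does MAC = MAC?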

Summary of 3G Security Features, 1
• User Confidentiality
  – Permanent user identity IMSI, user location, and user services cannot be determined by eavesdropping
    • Achieved by use of a temporary identity (TMSI), which is assigned by the VLR; the IMSI is sent in cleartext when establishing the TMSI
[Figure: exchange between USIM and VLR. Labels shown: IMSI request, IMSI, TMSI allocation, TMSI acknowledgement]

Summary of 3G Security Features, 2
• Mutual Authentication
  – During Authentication and Key Agreement (AKA) the user and network authenticate each other, and they also agree on a cipher key and an integrity key (CK, IK). CK and IK are used until their time expires.
  – Assumption: trusted HE and SN, and trusted links between them.
  – After AKA, the security mode must be negotiated to agree on the encryption and integrity algorithms.
AKA process (USIM, VLR, HLR):
  – AV request, send IMSI
  – Generate authentication data V(1..n)
  – RAND(i) || AUTN(i)
  – Generate RES(i)
  – Compare RES(i) and XRES(i)

Summary of 3G Security Features, 3
Generation of authentication data at HLR:
[Figure: Generate SQN and Generate RAND; K, SQN, RAND and AMF feed the functions f1, f2, f3, f4, f5, whose outputs are MAC, XRES, CK, IK, AK]
AUTN := SQN ⊕ AK || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN

Summary of 3G Security Features, 4
Generation of authentication data in USIM:
[Figure: AUTN carries SQN ⊕ AK, AMF and MAC; with K and RAND, f5 outputs AK; with K, SQN and RAND, the functions f1, f2, f3, f4 output XMAC, RES, CK, IK]
Verify MAC = XMAC
Verify that SQN is in the correct range
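
The two sides of AKA from the preceding slides (AV generation at the HLR, then the MAC and SQN checks in the USIM), as an added example that is not part of the original slides. HMAC-SHA256 stands in for f1 to f5, the field sizes (48-bit SQN and AK, 16-bit AMF, 64-bit MAC) follow 3GPP TS 33.102 rather than this page, and the keys, RAND and the SQN window of 32 are constructed assumptions.

```python
import hashlib
import hmac

def f(n: int, k: bytes, *parts: bytes, size: int) -> bytes:
    # Stand-in for f1..f5 (HMAC-SHA256 with a per-function label); not MILENAGE.
    return hmac.new(k, bytes([n]) + b"".join(parts), hashlib.sha256).digest()[:size]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hlr_generate_av(k, sqn, rand, amf):
    mac = f(1, k, sqn, rand, amf, size=8)   # MAC  = f1(SQN, RAND, AMF, K)
    xres = f(2, k, rand, size=8)            # XRES = f2(RAND, K)
    ck = f(3, k, rand, size=16)             # CK   = f3(RAND, K)
    ik = f(4, k, rand, size=16)             # IK   = f4(RAND, K)
    ak = f(5, k, rand, size=6)              # AK   = f5(RAND, K)
    autn = xor(sqn, ak) + amf + mac         # AUTN = SQN xor AK || AMF || MAC
    return rand, xres, ck, ik, autn         # AV

def usim_verify(k, rand, autn, highest_sqn, window=32):
    ak = f(5, k, rand, size=6)
    sqn = xor(autn[:6], ak)                 # SQN = (SQN xor AK) xor AK
    amf, mac = autn[6:8], autn[8:16]
    xmac = f(1, k, sqn, rand, amf, size=8)
    if not hmac.compare_digest(mac, xmac):  # network did not prove knowledge of K
        return "reject: MAC != XMAC", None
    seq = int.from_bytes(sqn, "big")
    if not (highest_sqn < seq <= highest_sqn + window):  # stale or replayed AV
        return "reject: SQN out of range", None
    res, ck, ik = f(2, k, rand, size=8), f(3, k, rand, size=16), f(4, k, rand, size=16)
    return "ok", (res, ck, ik, seq)

def run_demo():
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # constructed K
    rand = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")  # constructed RAND
    amf = bytes.fromhex("8000")                               # constructed AMF
    av = hlr_generate_av(k, (101).to_bytes(6, "big"), rand, amf)
    first = usim_verify(k, av[0], av[4], highest_sqn=100)
    replay = usim_verify(k, av[0], av[4], highest_sqn=first[1][3])
    # AUTN built without the subscriber's K (e.g. not from the home network):
    no_k = hlr_generate_av(bytes(16), (102).to_bytes(6, "big"), rand, amf)
    other = usim_verify(k, no_k[0], no_k[4], highest_sqn=101)
    return first[0], first[1][0] == av[1], replay[0], other[0]
```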

Summary of 3G Security Features, 5
• Data Integrity
  – Integrity of data and authentication of origin of signalling data must be provided
  – The user and network agree on the integrity key and algorithm during AKA and security mode set-up
[Figure: the sender (UE or RNC) applies f9, keyed with IK, to COUNT-I, MESSAGE, DIRECTION and FRESH to produce MAC-I; the receiver (RNC or UE) applies f9 to the same inputs to produce XMAC-I]

Summary of 3G Security Features, 6
• Data Confidentiality
  – Signalling and user data should be protected from eavesdropping
  – The user and network agree on the cipher key and algorithm during AKA and security mode set-up
[Figure: the sender (UE or RNC) and the receiver (RNC or UE) each apply f8, keyed with CK, to COUNT-C, BEARER, DIRECTION and LENGTH to produce a KEYSTREAM BLOCK; the sender combines it with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK, and the receiver combines it with the CIPHERTEXT BLOCK to recover the PLAINTEXT BLOCK]

Summary of 3G Security Features, 7
• IMEI
  – IMEI is sent to the network only after the authentication of the SN
  – The transmission of IMEI is not protected
• User-USIM Authentication
  – Access to the USIM is restricted to authorized users
  – User and USIM share a secret key, the PIN
• USIM-Terminal Authentication
  – User equipment must authenticate the USIM
• Secure Applications
  – Applications resident on the USIM should receive secure messages over the network
• Visibility
  – Indication that encryption is on
  – Indication of what level of security (2G, 3G) is available

Summary of 3G Security Features, 8
• Configurability
  – The user configures which security features are activated with particular services
    • Enabling/disabling user-USIM authentication
    • Accepting/rejecting incoming non-ciphered calls
    • Setting up/not setting up non-ciphered calls
    • Accepting/rejecting use of certain ciphering algorithms
• GSM Compatibility
  – GSM user parameters are derived from UMTS parameters using the following conversion functions:
    • cipher key Kc = c3(CK, IK)
    • random challenge RAND = c1(RAND)
    • signed response SRES = c2(RES)
  – GSM subscribers roaming in a 3GPP network are supported by the GSM security context (for example, vulnerable to a false BTS)
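
The conversion functions c1, c2 and c3 named above, as an added example that is not part of the original slides. The XOR-folding definitions follow 3GPP TS 33.102 (they are not given on this page), and the RES, CK and IK values are constructed.

```python
from functools import reduce

def xor_blocks(*blocks: bytes) -> bytes:
    # Byte-wise XOR of equally sized blocks.
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def c1(rand: bytes) -> bytes:
    """GSM RAND = c1(RAND): the 128-bit challenge is passed through unchanged."""
    return rand

def c2(res: bytes) -> bytes:
    """GSM SRES = c2(RES): pad RES to 16 octets, XOR its four 32-bit words."""
    if not 4 <= len(res) <= 16:
        raise ValueError("RES must be 4..16 octets")
    x = res.ljust(16, b"\x00")
    return xor_blocks(x[0:4], x[4:8], x[8:12], x[12:16])

def c3(ck: bytes, ik: bytes) -> bytes:
    """GSM Kc = c3(CK, IK): XOR the two 64-bit halves of CK and of IK."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 128 bits each")
    return xor_blocks(ck[:8], ck[8:], ik[:8], ik[8:])

def gsm_context_from_umts(rand: bytes, res: bytes, ck: bytes, ik: bytes) -> tuple:
    # The resulting (RAND, SRES, Kc) is an ordinary GSM triplet: 256 bits of
    # UMTS key material are folded down to one 64-bit Kc, with no IK left over.
    return c1(rand), c2(res), c3(ck, ik)

def run_demo() -> dict:
    ck = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed CK
    ik = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed IK
    res = bytes.fromhex("a1b2c3d4e5f60718")                 # constructed 64-bit RES
    _, sres, kc = gsm_context_from_umts(bytes(16), res, ck, ik)
    return {
        "sres": sres.hex(),
        "kc": kc.hex(),
        # Different UMTS key pairs can map to the same GSM key:
        "swap_collides": c3(ik, ck) == kc,
    }
```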
Problems with 3G Security
• IMSI is sent in cleartext when allocating TMSI to the user
• The transmission of IMEI is not protected; IMEI is not a security feature
• A user can be enticed to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of SN
• Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set up