UMTS Network Level Security; Investigation on Security Improvements Thesis Author: Yue Feng

Supervisor: Professor Sven-Gustav Häggman
Instructor: Lic. Tech Michael Hall
I dedicate this thesis to my parents, Diwei Feng and Shuhua Yang, for being the best parents there can be
2
Presentation outline

- Background
- Thesis objectives
- Thesis scope
- Network level security of mobile systems
- Introduction to UMTS
- UMTS network level security
- Proposals for security improvements
- Conclusions
3
Background

- The 3G era is coming, e.g., UMTS
- Security is a growing concern for 3G cellular systems, since they are wireless and much more complex than 2G cellular systems, and especially since more sophisticated means of attack are available
- It is believed that attacks against mobile systems will not cease, as the motives are the usual ones: fun, criminality, premium-rate mobile services, unintentional attacks
- Network level security attacks can mainly be categorized into DoS (location update spoofing and radio jamming), masquerade, man-in-the-middle, replay, and hijacking
- Network level security focuses on confidentiality, authentication, integrity protection, user and location confidentiality, and availability
4
Thesis objectives

- To present GSM network level security features retained in UMTS
- To present UMTS network level security features in 3GPP Release 1999, and MAPsec and IPsec based Network Domain Security (NDS)
- To present network level security features specific for UMTS, prior to GSM network level security features
- Proposals for mitigating unintentional radio jamming in uplink in UMTS; such proposals cannot totally cancel such radio jamming
- Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users
5
Thesis scope

- Focuses only on the UMTS network level security specified in 3GPP Release 1999, and MAPsec and IPsec based Network Domain Security (NDS), i.e., system level security and protocol level security
- Application security, operating system security, and physical facilities security are out of scope
6
Network level security of mobile systems

- In 400 B.C., the ancient Greeks had already mastered the encryption technique called the “skytale”
- A big leap during World War II
- Network level security of 1G cellular systems was nonexistent
  - Identities transferred over the air → cloning
  - No encryption → interception
- The lesson learned was that security has to be designed in from the beginning phase of the design of the whole system. For what?
7
GSM network level security 1

- GSM network level security features:
  - Subscriber identity and location confidentiality
  - Subscriber identity authentication
  - Signalling data and user data confidentiality
- Security features are realized by security mechanisms
- GSM network level security mechanisms:
  - Subscriber identity and location confidentiality mechanism
  - GSM Authentication and Key Agreement (AKA) mechanism
  - GSM signalling data and user data confidentiality mechanism
8
GSM network level security 2

- GSM network level security relies on:
  - International Mobile Subscriber Identity (IMSI) → Temporary Mobile Subscriber Identity (TMSI); note that in exceptional cases a GSM subscriber can only be identified by the IMSI transferred over the air interface
  - Subscriber Authentication Key Ki (128 bits), secured only in the Subscriber Identity Module (SIM) and the Authentication Center (AuC)
  - COMP-128 based Authentication Algorithm A3 and Ciphering Key Generating Algorithm A8, secured only in the SIM and AuC; RES (32 bits) = A3_Ki(RAND); Kc (64 bits) = A8_Ki(RAND)
  - Stream cipher based Ciphering Algorithm A5, secured in all Mobile Equipments (MEs) and Base Station Transceivers (BTSs); CipheringStream (114 bits) = A5(Kc, Frame Number); note that the ME is the terminal part of the Mobile Station (MS)!
- Authenticating a user means verifying that the user knows the right Subscriber Authentication Key
9
Weaknesses of GSM network level security 1

- Weaknesses of GSM network level security → threats against GSM network level security, cf. Section 2.3.3
  - Unilateral authentication of the MS towards the network allows active attacks from a false BTS
  - An Authentication Vector (AV) may be used indefinitely
  - Encryption is provided between the MS and the BTS, but not further into the network
  - GSM only provides access security but not Network Domain Security (NDS), and security data is transmitted in plain text between mobile networks
  - No cryptographic integrity protection is provided, which leaves a door open for man-in-the-middle and hijacking attacks; note that Cyclic Redundancy Checking (CRC) is not cryptographic integrity protection
  - Therefore, protection against the man-in-the-middle and hijacking attacks can partially rely on the encryption; unfortunately GSM encryption can be disabled
  - To be continued
10
Weaknesses of GSM network level security 2

  - Cryptographic algorithms lack confidence → the 64-bit Ciphering Key (Kc) is short; the COMP128-based A3/A8 algorithms are poor (published on the Internet in 1998 by Briceno and Goldberg); Ciphering Algorithm A5/2 is the deliberately weakened version of Ciphering Algorithm A5/1 for export control regulations; Biryukov, Shamir, and Wagner demonstrated how A5/1 could be cracked in less than one second on a Personal Computer (PC)
  - Interfaces for law enforcement were not included in the design of GSM → they could only be considered as an afterthought

11
cdma2000 1X network level security 1

- Needed for the later proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users
- Two-level network level security hierarchy: wireless network security and RADIUS/AAA
- Wireless network security includes the cdma2000 1X RAN Authentication Mechanisms:
  - Initial registration mechanism (global challenge authentication)
  - SSD update mechanism (when SSD is shared), which is a mutual authentication mechanism
- Wireless network security also includes the cdma2000 1X user identity and location confidentiality mechanism and the cdma2000 1X signalling data and user data confidentiality mechanism, cf. Section 2.4.1 and Section 2.4.2.2 in the thesis
- RADIUS/AAA authenticates user access to Packet Switched (PS) services by the Challenge Handshake Authentication Protocol (CHAP), after a successful cdma2000 1X RAN Authentication procedure; it is not of interest in the thesis
- To be continued
12
cdma2000 1X network level security 2

- cdma2000 1X RAN Authentication Mechanisms rely on:
  - User Authentication Key A-Key (64 bits) and Electronic Serial Number (ESN, 32 bits), secured only in the Mobile Terminal (MT) and the Authentication Center (AC)
  - Algorithm Cellular Authentication and Voice Encryption (CAVE)
  - Shared Secret Data (SSD, 128 bits) is the cornerstone of cdma2000 1X wireless network security; SSD (128 bits) = CAVE(A-Key, ESN, RANDSSD)
  - SSD (128 bits) → Temporary User Authentication Key (SSD-A, 64 bits), i.e., the first 64-bit part; SSD-A is for the initial registration mechanism and the SSD update mechanism, more precisely the unique challenge authentication of the SSD update mechanism, since the SSD update procedure is a mutual authentication procedure
  - Moreover, SSD (128 bits) → Temporary User Confidentiality Key (SSD-B, 64 bits), i.e., the second 64-bit part; SSD-B can generate ciphering keys for the signalling data and user data confidentiality mechanisms, cf. Section 2.4.2.2 in the thesis
13
Introduction to UMTS 1

To be continued
14
Introduction to UMTS 2

- UMTS employs Wideband Code Division Multiple Access (WCDMA) as the radio access technology with 5 MHz channel bandwidth, i.e., a DS-CDMA technology, and hence many say WCDMA instead of UMTS, although it is only a radio access technology
- Channel types defined in WCDMA/UMTS are:
  - Logical channels answer what type of data is to be transferred
  - Transport channels answer how and with which characteristics the data is transferred
  - Physical channels answer the exact physical characteristics of the radio channels
- The UMTS Terrestrial Radio Access Network (UTRAN) protocol can be further divided into three layers: physical layer, link layer, and network layer
  - The Medium Access Control (MAC) sublayer belongs to the link layer and converts the logical channels to the transport channels
  - To be continued
15
Introduction to UMTS 3

  - The Radio Link Control (RLC) sublayer belongs to the link layer and provides services to upper layers
  - The Radio Resource Control (RRC) sublayer is the lowest sublayer of the network layer and terminates in the Radio Network Controller (RNC); it provides encryption control; it performs integrity protection of both the RRC-level signalling and higher-layer signalling

16
UMTS network level security

- 3G security principle defined in 3GPP TS 33.210:
  - 3G security is built on the security of 2G systems; security elements within GSM and other 2G systems which have proved to be needed and robust shall be adopted for the 3G security
  - 3G security improves the security of 2G systems by correcting the real and perceived weaknesses
  - New 3G security features are defined as necessary to secure the new services offered by 3G
- Requirements capture of UMTS network level security is based on the weaknesses analysis (pp. 9-10) and the threat analysis, cf. Section 2.3.3 in the thesis
- UMTS retains certain network level security features from the 2G systems
- In the following part, network access security (3GPP Release 1999) will be addressed; MAPsec (3GPP Release 4) and IPsec (3GPP Release 5) based Network Domain Security (NDS) will be addressed
17
UMTS Authentication and Key Agreement mechanism 1

- Mutual authentication retains the user authentication mechanism from GSM, and in addition the user can authenticate the network
- UMTS AKA relies on the User Authentication Key K and Algorithms f1-f5, secured only in the AuC and USIM, and on the SQN stored in the AuC and USIM; the Authentication Vector (AV) is generated in the AuC
- Based on an Authentication Data Request, the AuC generates an array of n fresh AVs to be sent to the VLR/SGSN, which selects AV(i) and in turn forwards RAND(i) and AUTN(i) to the User Equipment (UE)

18
UMTS Authentication and Key Agreement mechanism 2

- The UMTS Subscriber Identity Module (USIM) embedded in the UE can:
  - Verify the received AUTN(i): XMAC(i) ?= MAC(i)
  - Check whether SQN(i) is in the correct range; if not, the resynchronization procedure starts, cf. TS 33.102
  - Compute RES(i), and establish CK(i) and IK(i)
- The USIM sends RES(i) back to the VLR/SGSN, cf. Section 4.5.2.3 in the thesis
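
The AuC and USIM steps from the two AKA slides above, as an added example that is not taken from the thesis: HMAC-SHA256 stands in for the operator algorithms f1-f5, the AUTN layout (SQN xor AK || AMF || MAC) follows TS 33.102, and the key, RAND, AMF value and the acceptance window DELTA are constructed assumptions. It shows why a replayed AV and a challenge from a network that does not know K are both rejected.

```python
import hashlib
import hmac

DELTA = 32  # assumed SQN acceptance window (the real policy is operator-specific)

def _f(n, k, data, length):
    """Stand-in for f1..f5: HMAC-SHA256 under K, domain-separated by n. Not MILENAGE."""
    return hmac.new(k, bytes([n]) + data, hashlib.sha256).digest()[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def auc_generate_av(k, sqn, rand, amf=b"\x80\x00"):
    """AuC side: build one AV = (RAND, XRES, CK, IK, AUTN) for sequence number sqn."""
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(1, k, sqn_b + rand + amf, 8)   # MAC  = f1_K(SQN || RAND || AMF)
    xres = _f(2, k, rand, 8)                # XRES = f2_K(RAND)
    ck = _f(3, k, rand, 16)                 # CK   = f3_K(RAND), 128 bits
    ik = _f(4, k, rand, 16)                 # IK   = f4_K(RAND), 128 bits
    ak = _f(5, k, rand, 6)                  # AK   = f5_K(RAND), conceals SQN on the air
    autn = _xor(sqn_b, ak) + amf + mac      # AUTN = (SQN xor AK) || AMF || MAC
    return rand, xres, ck, ik, autn

class Usim:
    """USIM side: holds K and the highest SQN accepted so far."""

    def __init__(self, k, sqn_ms=0):
        self.k = k
        self.sqn_ms = sqn_ms

    def authenticate(self, rand, autn):
        """Return (status, (RES, CK, IK) or None) for a received RAND/AUTN pair."""
        if len(rand) != 16 or len(autn) != 16:
            return "malformed", None
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_b = _xor(conc_sqn, _f(5, self.k, rand, 6))
        xmac = _f(1, self.k, sqn_b + rand + amf, 8)
        if not hmac.compare_digest(xmac, mac):       # XMAC ?= MAC: authenticates the network
            return "mac_failure", None
        sqn = int.from_bytes(sqn_b, "big")
        if not self.sqn_ms < sqn <= self.sqn_ms + DELTA:
            return "sync_failure", None              # a real USIM answers with AUTS here
        self.sqn_ms = sqn
        keys = (_f(2, self.k, rand, 8), _f(3, self.k, rand, 16), _f(4, self.k, rand, 16))
        return "ok", keys

def demo():
    """Run four constructed challenges against one USIM and collect the outcomes."""
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # constructed test key
    rand = bytes.fromhex("101112131415161718191a1b1c1d1e1f")  # constructed RAND
    usim = Usim(k, sqn_ms=5)
    _, xres, _, _, autn = auc_generate_av(k, 6, rand)
    status, keys = usim.authenticate(rand, autn)
    out = {"fresh": status, "res_matches_xres": keys[0] == xres}
    out["replayed"] = usim.authenticate(rand, autn)[0]        # same AV sent again
    forged = auc_generate_av(bytes(16), 7, rand)              # network without K
    out["forged"] = usim.authenticate(rand, forged[4])[0]
    tampered = autn[:6] + b"\x00\x00" + autn[8:]              # AMF altered in transit
    out["tampered"] = usim.authenticate(rand, tampered)[0]
    return out

if __name__ == "__main__":
    print(demo())
```

The replay case is the contrast with GSM, where nothing in the challenge tells the SIM that a RAND has been used before.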
19
UMTS user identity and location confidentiality mechanism

- International Mobile Subscriber Identity (IMSI) → Temporary Mobile Subscriber Identity (TMSI) for services provided by the Circuit Switched (CS) domain; IMSI → Packet TMSI (P-TMSI) for services provided by the Packet Switched (PS) domain; note that in exceptional cases a UMTS user can only be identified by the IMSI over the air interface
- A UMTS user may also be identified by the Radio Network Temporary Identity (RNTI)
- IMSI, TMSI, and P-TMSI are CN-level identities for the UE in idle mode, such as power up, authentication
- RNTI is the UTRAN-level identity for the UE in connected mode, such as UTRAN integrity protection
20
UTRAN encryption mechanism

- Uses Ciphering Algorithm f8, a stream cipher based on the block cipher KASUMI; publicly evaluated
- Under the control of the Ciphering Key CK (128 bits) established during the AKA procedure
- The MAC sublayer performs the encryption in transparent RLC mode, in the case of Circuit Switched (CS) services
- The RLC sublayer performs encryption in both acknowledged mode and unacknowledged mode
- Different from the GSM encryption, UTRAN encryption protects the communications between an ME and the RNC
- The UTRAN encryption procedure is optional
- The UTRAN encryption procedure is initiated by the security mode setup procedure, cf. Section 4.5.6.3 in the thesis
21
UTRAN integrity protection of RRC signalling

- Threats against integrity are claimed to be the most severe
- The purpose of the UTRAN integrity protection of Radio Resource Control (RRC) signalling is to authenticate individual control messages
- The RRC sublayer executes the integrity protection of both RRC-level and higher-layer signalling, by using Integrity Algorithm f9 under the control of the Integrity Key IK (128 bits) established during the AKA procedure
- Similar to the Ciphering Algorithm f8, the Integrity Algorithm f9 is based on the block cipher KASUMI; publicly evaluated
- Not all UTRAN signalling is integrity-protected
- Most RRC signalling is integrity-protected; such UTRAN integrity protection does not apply to signalling before the Integrity Key IK is in place, e.g., RRC Connection Request in the security mode setup procedure
22
UMTS Network Domain Security (NDS 1)

- SS7-based Network Domain Security (NDS) was not considered in GSM, since only a limited number of well-established entities had access
- The situation is changing:
  - The telecommunication industry is being deregulated
  - If AVs and sensitive information are modified in the network domain or between networks of different mobile operators, what a disaster!
  - IP-based networks are the trend
- MAP security (MAPsec) is introduced in 3GPP Release 4; however, why is only Mobile Application Part (MAP) signalling protected?
- IP security (IPsec) is introduced in 3GPP Release 5
23
MAPsec (NDS 2)

- MAPsec has three modes: mode 0, no protection; mode 1, integrity protection only; mode 2, encryption with integrity protection
- Borrows the notion of Security Association (SA) from IPsec for security keys and other relevant information
- 3GPP Release 4 does not specify how to exchange SAs
- Automatic Key Management can be an option, which has the Key Administration Centre (KAC) as its basis
- All SAs are stored in a SAD, and Network Elements (NEs) must access it
- All SAs are valid on a PLMN-level basis, as a PLMN can only address another PLMN, not its individual NEs
- Each KAC maintains an SA Database (SAD) and a Security Policy Database (SPD); each NE has similar databases
- KACs agree on SAs between themselves by using the Internet Key Exchange (IKE) and the MAPsec Domain of Interpretation (DoI)
- The KAC distributes security policies and SAs to NEs over the Ze-interface
- An NE must get a valid SA and security policy to address an NE in another PLMN
24
IPsec (NDS 3)

- IPsec is defined at the network layer to protect IP packets
- IPsec has three components: Authentication Header (AH), Encapsulating Security Payload (ESP), and IKE; only ESP is discussed in detail
- ESP has two modes: transport mode and tunnel mode
  - The former fits in better with end-to-end communications; provides both encryption and integrity protection; but only protects the payload
  - The latter fits in better between two nodes, e.g., gateways; provides both encryption and integrity protection; protects the whole IP packet; implies the same function as the former has; UMTS NDS prefers using the latter for signalling protection
- The Security Gateway (SEG) is the basis of the NDS IP-based network (NDS/IP)
  - Each SEG contains both the SAD and SPD
  - The SEG uses IKE to exchange IPsec SAs
  - The main difference from the KAC is that the SEG also uses the negotiated SAs, while the KAC can only agree on SAs over the Zd-interface
25
Proposals for mitigating unintentional radio jamming in uplink 1

- Proposals for mitigating unintentional radio jamming in uplink
  - Radio jamming is an ongoing threat to any cellular system and can hardly be totally cancelled in practice
  - Unintentional radio jamming is met in civilian cellular systems, and may be caused by co-existing wireless systems: Personal Handyphone System (PHS), radar systems and broadcasting systems operating on Ultra High Frequency (UHF)
  - Radio jamming in uplink may be very severe, since the Base Station (BS) is visible, static, and open
  - The smart antenna is the big hope
- Review of results
  - GSM is relatively resistant to radio jamming thanks to its digital features
  - Power Control (PC) and rescue handover mechanisms can further ease radio jamming
  - WCDMA/UMTS has even better resistance to radio jamming; more sophisticated PC and handover mechanisms are introduced
  - Moderate radio jamming cannot make a WCDMA/UMTS network deaf
26
Proposals for mitigating unintentional radio jamming in uplink 2

- In case of high radio jamming environments, Capital Expenditures (CAPEX) have been invested in countermeasures; otherwise Operating Expenses (OPEX) would be critical for UMTS operators in the long run
- Mitigating unintentional radio jamming in uplink shall start with identifying radio jamming sources, analyzing radio jamming reasons, figuring out radio jamming characteristics, and evaluating radio jamming impacts before making further countermeasures; a network trial is essential for optimizing countermeasures and for balancing them against the costs
- Based on the above efforts, proposals for effectively mitigating unintentional radio jamming in uplink in UMTS are made:
  - In case of static jamming sources such as a power plant or a broadcasting system, switched beam smart antennas shall be adopted around the jamming area; a network trial can help the UMTS operator further select a Butler matrix or a Blass matrix; the latter performs better while being complex, heavy, and expensive; a switched beam smart antenna may cause intra-cell handover and call loss; in general some areas are more severely influenced than others. Therefore, cell splitting and more Node Bs shall be introduced, while in turn pushing up the costs
  - To be continued
27
Proposals for mitigating unintentional radio jamming in uplink 3

  - In case of dynamic radio jamming sources such as radar arrays, airport and harbor radio equipment, or co-existing systems in the same building or along highways, adaptive array smart antennas shall be adopted, since such smart antennas can dynamically track UEs and can simultaneously adjust beams to desired signals while nulling out radio jamming signals; the Sample Matrix Inversion (SMI) DSP performs better, especially in WCDMA/UMTS, since the SMI DSP can take advantage of the pilot signal in uplink and the SMI algorithm has a fast convergence rate, but the SMI DSP is complex and expensive; the Least Mean Square (LMS) DSP is simple and cheap
  - In case of pervasive jamming environments of high power, unintentional radio jamming in uplink may be mitigated by implementing adaptive array smart antennas and minimizing cell size; UMTS operators shall adopt lines such as copper lines or optical fiber, rather than radio, as the backbone network transmission medium
  - In addition, UMTS operators shall adopt antennas with lower side lobes and use electrical down-tilt antennas
  - UMTS operators must cooperate with authorities or legal forces, which would be an easy way to prevent the occurrence of radio jamming, or to be compensated in case of radio jamming damage
28
Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 1

- Since inter-system handover and inter-system Packet Switched (PS) domain registration are hardly feasible with justifiable effort, and network level security only plays a limited part, only two other scenarios are considered:
  - Registration of a UMTS user in a cdma2000 1X SN, called USIM roaming
  - Registration of a cdma2000 1X user in a UMTS SN, called cdma2000 1X Mobile Terminal (MT) roaming
- Principle: permanent authentication key material would never be disclosed to any network component apart from the AuC of the HE in UMTS, or the AC of the HE in cdma2000 1X; the UE (ME + USIM) and MT can run both the UMTS AKA and cdma2000 1X RAN authentication protocols
- Hence, such proposals are based on a UMTS and cdma2000 1X Gateway
- To be continued
29
Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 2

- The necessary adaptation has to be mainly facilitated by the features on the user side and the Gateway
- In case a B-user is roaming in an A-SN, to the A-SN the Gateway acts like the HE of the A-SN, while to the B-HE the Gateway acts like a B-SN
- Proposal for USIM roaming (relatively simple, as no SQN is involved)
  - The Gateway in addition acts as the HE of the USIM
  - The Gateway in a predefined way converts the received UMTS AKA authentication data for the purpose of a cdma2000 1X SSD update procedure with the UMTS user (set SSD=IK, RANDSSD=RAND)
  - The Gateway runs the cdma2000 1X SSD update procedure with the USIM via the cdma2000 1X SN
- Proposal for cdma2000 1X Mobile Terminal (MT) roaming
  - The Gateway in addition acts as the HE of the cdma2000 1X MT
  - The Gateway requests a cdma2000 1X SSD update procedure by abusing the message with specially reserved parameters to the cdma2000 1X AC of the HE
  - The Gateway in a predefined way converts the received cdma2000 1X authentication data to a UMTS AV (RAND=RANDSSD||RD, 0,0,0,0) and sets K=SSD
  - To be continued
30
Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 3

  - The Gateway authenticates the cdma2000 1X user by abusing the Resynchronization procedure (0, AUTS)
  - Only from this point forward, the Gateway generates a UMTS authentication quintuple (RAND, XRES, CK, IK, AUTN), by using Algorithms f1-f5, under the control of SSD as the substitute for the UMTS User Authentication Key K
  - The new UMTS authentication quintuple is sent to the UMTS SN for further security matters, e.g., mutual authentication, integrity protection and so on
  - cdma2000 1X does not have the SQN approach, hence a special arrangement has to be made: every time a cdma2000 1X MT attempts to register in UMTS, the SQN in both the cdma2000 1X MT and the Gateway is forced to 1; it is incremented by 1 for the generation of a new UMTS authentication quintuple under the condition of the same SSD
31
Conclusions

- UMTS network level security addresses and corrects the real and perceived weaknesses of GSM network level security
- UMTS has more robust network level security than cdma2000 1X
- UMTS network level security can be the pattern for the development of such security matters for future cellular systems
- Future work
  - Avoid IMSI transfer over the air interface
  - Integrity-protect all types of signalling in the network domain
  - Is it possible to introduce a public key mechanism for UMTS network level security?
  - Prevent a Base Station (BS)/handset from camping on a false handset/Base Station (BS)
  - A firewall shall be introduced to protect the network domain
Firewall shall be introduced to protect network domain
32
Thanks