VSecure - University of Missouri

VSECURE: A Secure Service Access
Scheme for GSM
By
VINIT NAGDA
School of Computing and Engineering
University of Missouri Kansas City
Abstract
Global System for Mobile Communications (GSM) provides a basic range of security
features to ensure adequate protection for both the operator and customer. Over the
lifetime of any system, threats and technology change, so its security needs to be
periodically reviewed and enhanced. The functional features of any system must be well
supported by secure procedures to ensure uninterrupted operation of the system. The security
provided by GSM is well in advance of similar mobile radio systems, and should ensure
that it remains at the front of the field for the time to come. In this paper we discuss
security loopholes in the existing GSM system and provide alternatives that make use of
Public Key Cryptography.
I. Introduction
There are many service domains in the Personal Communication Systems (PCS’s), each
operated under a different administration with a different level of protection. Some
service domains are more vulnerable than others to attacks from intruders or insiders.
The objective of security for the GSM system is to make the system as secure as the Public
Switched Telephone Network (PSTN). The use of radio as the transmission medium allows
a number of potential threats that result in eavesdropping on the transmissions.
Mobile computing and communication is a rapidly developing area, but mobility is
associated with problems of security and privacy beyond those in open networks. The
current state-of-the-art GSM security system has several loopholes. It transmits user
information in plain text and requires other security-sensitive information to be sent
a number of times. Our proposed solution eliminates the loopholes, using the
same number of exchanged messages as before. For subsequent calls, our scheme reduces
the number of messages exchanged.
We present the security requirements in the following section followed by some
background concepts, related work and our idea, and finally the conclusion.
II. Security Requirements
Existing mobile systems have a number of potential weaknesses. These were considered
in the security requirements for GSM and are listed as follows.

• Issue bills to the right people, and that the services cannot be compromised.
• The customer requires some privacy against traffic being overheard.
• To prevent operators from compromising each others' security, whether
  inadvertently or because of competitive pressures.
• The security measures must not significantly add to the delay of the initial call set
  up or subsequent communication.
• The security measures must not increase the bandwidth of the channel.
• The security measures must not allow for increased error rates, or error
  propagation.
• The security measures must not add excessive complexity to the rest of the
  system.
• The proposed solution must be cost effective.
• Implement secure procedures for the generation and distribution of keys,
  exchange of information between operators, and the confidentiality of the
  algorithms.
III. Background Concepts
IMSI:
The International Mobile Subscriber Identity (IMSI) is a unique non-dialable number
allocated to each mobile subscriber in the GSM system that identifies the subscriber and
his or her subscription within the GSM network. The IMSI resides in the Subscriber
Identity Module (SIM). The IMSI is made up of three parts: (1) the Mobile Country Code
(MCC) consisting of three digits, (2) the Mobile Network Code (MNC) consisting of two
digits, and (3) the Mobile Subscriber Identity Number (MSIN) with up to 10 digits.
HLR:
A Home Location Register (HLR) is a database that contains mobile subscriber
information for a wireless carrier. HLR subscriber information includes the International
Mobile Subscriber Identity (IMSI), service subscription information, location information
(the identity of the currently serving Visitor Location Register (VLR) to enable the
routing of mobile-terminated calls), service restrictions and supplementary service
information.
VLR:
A Visitor Location Register (VLR) is a database which contains temporary information
concerning the mobile subscribers that are currently located in a given MSC serving area,
but whose Home Location Register (HLR) is elsewhere. When a mobile subscriber roams
away from his home location and into a remote location, SS7 messages are used to obtain
information about the subscriber from the HLR, and to create a temporary record for the
subscriber in the VLR. There is usually one VLR per MSC.
Wireless Security Concepts
[Figure: the Mobile Subscriber connects over the Wireless Link to the Base Station, which connects to the Communication Network.]
The mobile unit communicates with the base station using an insecure wireless channel.
The Base Station (BS) however communicates with the rest of the network using a wired
network, which is secure. So the security problem we are concerned about is at the
wireless link between the subscriber and the BS. The subscriber and the BS make use of
cryptography to provide data confidentiality. Both establish and share a common session
key for communication. Thus the BS needs to store one session key per customer.
When the mobile user roams outside the service provider's “home area”, he will approach
the VLR to connect the phone calls. However, the VLR needs to authenticate the Mobile
Subscriber before providing the service. It needs to confirm with the subscriber's HLR, so
that it can later bill the HLR for the accessed services. Also, the HLR cannot hand over
the secret key shared between itself and the mobile subscriber to the VLR.
We need a mechanism by which the HLR can provide some information to the VLR, on
the basis of which the VLR can authenticate the mobile subscriber, while at the same time
hiding the secret key shared between the HLR and the mobile subscriber. The existing
GSM protocol provides a solution but has several security loopholes. The solution is
presented in the next section.
Cryptographic Functions:
Authentication is used to identify the user (or holder of a Smart Card) to the network
operator. It uses a technique that can be described as "Challenge and Response", based
on encryption. A random challenge is issued to the mobile, the mobile encrypts the
challenge using the authentication algorithm (A3) and the key assigned to the mobile,
and sends a response back. The operator can check that, given the key of the mobile,
the response to the challenge is correct. Eavesdropping on the radio channel reveals no
useful information, as the next time a new random challenge will be used. In detail, a
random number is generated by the network and sent to the mobile. The
mobile uses the random number R as the input (plaintext) to the encryption and, using a
secret key Ki unique to the mobile, transforms this into a Signed RESponse
(SRES) (ciphertext), which is sent back to the network.
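[Figure: GSM authentication and encryption across the RADIO INTERFACE. On both the MOBILE (SIM) side and the FIXED NETWORK side, the key Ki and the Challenge R are fed to A3 to produce the Response SRES, and the two responses are compared; A8 derives Kc on both sides, and Kc keys A5 for the ENCRYPTED DATA.]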
The network can check that the mobile really has the secret key by performing the same
SRES process and comparing the responses with what it receives from the mobile. The
response is then passed through an algorithm A8 by both the mobile and the network to
derive the key Kc used for encrypting the signaling and messages to provide privacy (A5
series algorithms).
IV. Related work
The Existing GSM security scheme
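[Figure: message flow of the existing scheme between Mobile Subscriber, VLR and HLR]
Mobile Subscriber -> VLR: IMSI
VLR -> HLR: IMSI
HLR -> VLR: IMSI, (Rnd No, SRES, Kc)
VLR -> Mobile Subscriber: Rnd No
Mobile Subscriber -> VLR: SRES
VLR -> Mobile Subscriber: A5(Kc, TMSI)
Rnd No: Random Number
Kc = A8 (Ki, Rnd No)
SRES = A3 (Ki, Rnd No)
Rnd No, SRES and Kc are together called a 3-tuple.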
The existing GSM security scheme is as follows. When the mobile user roams outside the
service provider's “home area”, he will approach the VLR to connect the phone calls. He
provides the VLR with his own IMSI. The VLR obtains the MNC from the IMSI, which
enables it to identify the HLR to which it will send the IMSI. The HLR identifies the
mobile subscriber based on the MSIN, picks up the shared session key from its database
for that subscriber and prepares a 3-tuple, which consists of a random number, the SRES
based on the random number, and the Kc, again based on the same random number. The
HLR sends the 3-tuple across to the VLR to enable it to authenticate the mobile subscriber.
The VLR picks the random number obtained in the 3-tuple and sends it to the mobile
subscriber. Since the mobile subscriber also has the same shared session key Ki, it can
compute the SRES and the Kc by itself. It sends the computed SRES to the VLR. The
VLR then matches the SRES it obtained earlier from the HLR with the one obtained from
the mobile subscriber. If both SRES values match, then the VLR knows the mobile
subscriber is authentic.
The VLR then encrypts a Temporary Mobile Subscriber Identity (TMSI) using the
encryption algorithm A5 and key Kc. The TMSI is used so that sending the IMSI in
unencrypted form can be avoided from then on. A new TMSI is used for every subsequent
transaction in which the mobile subscriber contacts the VLR.
The HLR actually sends a number of 3-tuples across to the VLR, so that the VLR doesn’t
need to contact the HLR every time the mobile subscriber wants to make a phone call.
Each 3-tuple can be used only once. The VLR takes the locally stored 3-tuples and uses
them for subsequent transactions. The VLR will need to contact the HLR when the
stored 3-tuples for that subscriber are depleted. This practice of sending multiple 3-tuples
is not a very good one, since the 3-tuple is very security-sensitive information. Thus if the
storage is not secure, the 3-tuples may be compromised, which can create security
problems, since that is the only way to authenticate a roaming user. Having the VLR
request the HLR every time it needs a 3-tuple is also not a good idea, since it
increases the communication overhead. So we need a way to avoid the multiple
3-tuple problem.
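The 3-tuple handling described above, as an added Python sketch that is not from the paper: the VLR consumes one 3-tuple per authentication and goes back to the HLR only when its local store is depleted. HMAC-SHA256 stands in for the operator-specific A3 and A8, and the class names, batch size and sample IMSI are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: the real A3/A8 are operator-chosen algorithms inside the SIM.
# HMAC-SHA256 stands in for both so the message flow can run.
def a3(ki, rnd):
    """SRES = A3(Ki, Rnd No), truncated to GSM's 32-bit response."""
    return hmac.new(ki, b"A3" + rnd, hashlib.sha256).digest()[:4]

def a8(ki, rnd):
    """Kc = A8(Ki, Rnd No), truncated to GSM's 64-bit cipher key."""
    return hmac.new(ki, b"A8" + rnd, hashlib.sha256).digest()[:8]

class HLR:
    def __init__(self, subscribers):
        self.ki_by_imsi = dict(subscribers)   # Ki never leaves the HLR

    def triplets(self, imsi, count):
        ki = self.ki_by_imsi[imsi]
        rnds = [secrets.token_bytes(16) for _ in range(count)]
        return [(rnd, a3(ki, rnd), a8(ki, rnd)) for rnd in rnds]

class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki
    def respond(self, rnd):
        return a3(self.ki, rnd), a8(self.ki, rnd)

class VLR:
    def __init__(self, hlr, batch=3):
        self.hlr, self.batch = hlr, batch
        self.stored = {}        # IMSI -> unused 3-tuples held at the VLR
        self.hlr_requests = 0   # round trips to the home network

    def authenticate(self, sim):
        pending = self.stored.setdefault(sim.imsi, [])
        if not pending:         # depleted: fetch a new batch from the HLR
            pending.extend(self.hlr.triplets(sim.imsi, self.batch))
            self.hlr_requests += 1
        rnd, sres, kc = pending.pop()          # each 3-tuple is used once
        sres_ms, kc_ms = sim.respond(rnd)      # Rnd No out, SRES back
        return hmac.compare_digest(sres, sres_ms) and kc == kc_ms

def demo(calls=4):
    imsi, ki = "001010123456789", secrets.token_bytes(16)   # constructed
    vlr = VLR(HLR({imsi: ki}))
    results = [vlr.authenticate(SIM(imsi, ki)) for _ in range(calls)]
    return results, vlr.hlr_requests, len(vlr.stored[imsi])
```

With a batch of three, `demo()` completes four authentications using two HLR requests and leaves two unused 3-tuples at the VLR, which is the stored material the paragraph above is concerned about.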
One more problem that exists with the current scheme is that of non-repudiation. Since
the HLR sends multiple 3-tuples to the VLR, some of them may remain unused. However,
there is no way to check how many of them were actually used, other than to believe the VLR.
The VLR can make false claims that the mobile subscriber made the calls, since it has the
information about the SRES.
Thus we observe 3 security loopholes in the existing system.
1) Transmitting the IMSI in plain text.
2) Sending multiple 3-tuples across to the VLR.
3) Non repudiation.
V. VSecure: The Scheme
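[Figure: message flow of the VSecure scheme between Mobile Subscriber, VLR and HLR]
Mobile Subscriber -> VLR: MNC, PubHLR[IMSI, PriMS(IMSI)]
VLR -> HLR: PubHLR[IMSI, PriMS(IMSI)]
HLR -> VLR: PubVLR[IMSI, Auth data], PubMS
VLR -> Mobile Subscriber: PubMS(R1), PubVLR
Mobile Subscriber -> VLR: PriMS(R1, timestamp), PubVLR(R2)
VLR -> Mobile Subscriber: PubMS(R2)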
We propose the use of public key security and digital signatures to avoid the above
problems. Our method uses the same number of exchanged messages and achieves a
better level of security.
When the mobile user roams outside the service provider's “home area”, he will approach
the VLR to connect the phone calls. He sends the following information to the VLR: his
IMSI encrypted using his own private key, together with another copy of the IMSI, all of
this encrypted using the public key of the HLR, and the MNC in plain text.
The VLR looks at the MNC and routes the remaining part of the packet to the appropriate
HLR based on the MNC. The HLR decrypts the packet using its own private key, obtains
the IMSI, retrieves the MSIN of the mobile user from the IMSI, and obtains the public
key stored in its database for that user. It uses the public key to decrypt the digital
signature of the user. If decrypted successfully, the IMSI contained inside the digital
signature should match the IMSI outside it. Thus the HLR authenticates the mobile
subscriber. It then prepares a packet which contains the IMSI and the authorization data
of the mobile subscriber, encrypted using the public key of the VLR. It appends the public
key of the mobile user to the packet and sends it to the VLR.
The VLR decrypts the packet using its own private key and obtains the IMSI and
authorization data. The VLR and the mobile subscriber then initiate a random challenge
to authenticate each other. The VLR sends a random number encrypted with the mobile
user's public key, and appends its own public key to the packet.
The mobile user decrypts the packet using its own private key, obtains the random
number and encrypts the random number along with the current timestamp with its own
private key. This serves as a digital signature. It also selects another random number and
encrypts it using the public key of the VLR.
The VLR then makes 2 copies of the digital signature received from the mobile user. It
saves one copy in its local memory and uses it to bill the HLR. It decrypts the other copy
using the public key of the user and matches the timestamp. It also decrypts the second
random challenge, initiated by the user, using its own private key and encrypts it using the
public key of the mobile user.
Each subsequent transaction avoids the 3-way handshake present in the earlier scheme
and requires the user to just send the digitally signed message containing the
current timestamp.
VI. Benefits of VSecure:
VSecure is better than the current GSM security scheme in the following respects:

• VSecure avoids sending the IMSI in plain text. It always sends the information
  encrypted, and thus avoids the chances of the IMSI being eavesdropped on.

• VSecure doesn’t require the HLR to send multiple copies of the 3-tuple. The
  3-tuple contains security-sensitive information and we should avoid prolonged
  storage of multiple 3-tuples. VSecure allows the VLR to independently
  authenticate the mobile user, without even sending the 3-tuple information.

• VSecure avoids the non-repudiation problem by making use of a timestamp. Now
  the VLR cannot make false claims to the HLR about phone calls that the mobile
  user hasn’t made. Since the VLR is required to store a copy of the digital
  signature obtained from the mobile user for each call, the security loophole is
  avoided. Whenever the VLR tries to cheat, the HLR can ask for the digital
  signature copy. Using the public key of the mobile user, one can easily decrypt
  the digital signature and thus obtain the timestamp of when the call was made.

• VSecure doesn’t require a 3-way handshake for the establishment of subsequent
  calls. Sending the time-stamped digital signature avoids the need for a TMSI and
  a 3-way handshake for each subsequent call. Thus the scheme reduces the number
  of messages exchanged for each subsequent call.
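The billing check behind the non-repudiation benefit, as an added Python sketch that is not from the paper: the HLR accepts a billed call only if the stored PriMS(R1, timestamp) verifies under PubMS. Assumptions: a constructed toy RSA key, a signature computed over a SHA-256 digest of the two fields, the record layout, and the rule that one signed (R1, timestamp) pair is billed at most once.

```python
import hashlib

# Toy textbook RSA over two known Mersenne primes: a constructed key that is
# far too small and unpadded for real use. It stands in for PriMS / PubMS.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # PriMS: held only by the subscriber
IMSI = "001010123456789"             # constructed sample value
PUBLIC_KEYS = {IMSI: (N, E)}         # PubMS as stored in the HLR database

def digest(r1, timestamp, n):
    data = f"{r1}|{timestamp}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ms_sign(r1, timestamp):
    """Mobile subscriber: PriMS(R1, timestamp)."""
    return pow(digest(r1, timestamp, N), D, N)

def hlr_audit(records, public_keys=PUBLIC_KEYS):
    """Split billed calls into accepted and rejected records."""
    seen, accepted, rejected = set(), [], []
    for rec in records:
        n, e = public_keys[rec["imsi"]]
        claim = (rec["imsi"], rec["r1"], rec["timestamp"])
        valid = pow(rec["sig"], e, n) == digest(rec["r1"], rec["timestamp"], n)
        if valid and claim not in seen:    # same signature billed twice fails
            seen.add(claim)
            accepted.append(rec)
        else:
            rejected.append(rec)
    return accepted, rejected

def sample_records():
    """Constructed billing records as a VLR might submit them."""
    real = {"imsi": IMSI, "r1": 424242, "timestamp": 1700000000}
    real["sig"] = ms_sign(real["r1"], real["timestamp"])
    altered = dict(real, timestamp=1700003600)   # call time not signed by the MS
    duplicate = dict(real)                       # one signature billed twice
    return [real, altered, duplicate]
```

`hlr_audit(sample_records())` accepts only the first record: the altered timestamp no longer matches the signature, and the duplicate is caught by the once-only rule assumed here.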
VII. Conclusion
Global System for Mobile Communications (GSM) is one of the most widely used
protocols for mobile communications in today’s world. Security of GSM is thus an
important concern. The existing security scheme for GSM has certain loopholes, which
can be avoided using VSecure. VSecure makes use of public key cryptography, a scheme
better than the one-key system. The functionality requirements for state-of-the-art
protocols change periodically, and so do the security requirements. These schemes will
have to be revised periodically to provide an optimized, secure and functional protocol.