1 THIRD GENERATION WIRELESS SYSTEMS 2G systems are limited in terms of maximum data rate. This makes 2G systems practically useless for the increased requirements of future mobile data applications. A simple transfer of a 2 Mbyte data file would take approximately 28 minutes employing the 9.6 kbps GSM data transmission. In order to provide for efficient support of new services, work on the Third Generation of cellular systems was initiated by the International Telecommunication (ITU) in 1992. The outcome of the standardization effort, called International Mobile Telecommunications 2000 (IMT-2000), comprises a number of different 3G standards. The European proposal for IMT-2000 prepared by ETSI (European Telecommunications Standards Institute) is called UMTS (Universal Mobile Telecommunications System). IMT-2000 standards are: EDGE, a TDMA-based system that evolves from GSM and IS-136, offering data rates up to 473 kbps and backward compatibility with GSM/IS-136. Cdma2000, a fully backwards-compatible descendant of IS-95 that supports data rates up to 2 Mbps. WCDMA, a CDMA-based system that is capable of offering speeds up to 2 Mbps. WCDMA (Wideband Code Division Multiple Access) has emerged as the most widely adopted third generation air interface. It’s specifications have been created in 3GPP (the 3rd GENERATION Partnership Project).which is the joint standardization project of standardization bodies from the whole world. The GSM network is upgraded to the GPRS, which in turn will be upgraded to the WCDMA network. The broad objectives of 3G systems are: Support 2 Mbps for handheld devices, 384 kbps for walking mobile devices, and 144 kbps for car-borne mobile devices. Support for global roaming The 3G systems should work in all radio environments: urban areas, suburban areas, hilly and mountainous regions, and indoor environments. To achieve this, the cell size may vary considerably. Asymmetric and symmetric services should be supported, i.e., the uplink (from handset to base station) data rates can be lower than the downlink data rate. The following services should be supported: Computer data with Internet access, e-mail transfer, mobile computing Telecom services, such as telephony, video telephony, video and audio conferencing Audio/video on demand, tele-shopping, TV and radio broadcast 2 Main parameters in WCDMA Items that characterize WCDMA: WCDMA is a wideband Direct-Sequence CDMA system, i.e., user information bits are spread over a wide bandwidth by multiplying the user data with quasirandom bits (chips) derived from CDMA spreading codes. The chip rate of 3.84 Mcps (Megachips per second) used leads to a carrier bandwidth of approximately 5 MHz. The network operator can deploy multiple carriers to increase capacity. WCDMA supports highly variable data rates, i.e., the concept of obtaining Bandwidth on Demand (BoD) is well supported. Each user is allocated frames of 10 ms duration, during which the user data rate is kept constant. WCDMA supports two basic modes of operation: Frequency Division Duplex (FDD) and Time Division Duplex (TDD). WCDMA supports the operation of asynchronous base stations, so there is no need for a global time reference, such as GPS (Global Position System). IS-95 systems are synchronous. Advanced CDMA receiver concepts, such as multiuser detection and smart antennas, can be deployed to increase capacity and/or coverage. Handovers between GSM and WCDMA are supported. UMTS Network The UMTS network consists of three interacting domains: the Core network (CN), the UMTS Terrestrial Access network (UTRAN) and the User Equipment (UE). The CN architecture is based on the GSM network but all equipments has to be modified for UMTS operations and services. The UTRAN provides the air interface access method foe User Equipment. The UE is based on the same principles as the GSM Mobile Station (MS). Core Network. CN is functionally divided into two parts, a circuit switched (CS) and a packet switched (PS) domain. The CS domain offers standard telephone services. It contains the same network elements found in the NSS of the GSM network, the 3G MSC/VLR (3G Mobile services Switching center/Visitor Location register) and the 3G GMSC (3G Gateway MSC). The PS domain offers wideband data services. The PS domain has also two basic network elements, the SGSN (Serving GPRS Support Node) and the GGSN ( Gateway GPRS Support Node). A Border Gateway (BG) functions between different operator’s PS domains. The CN also consists of registers (EIR; HLR; AuC) as in the GSM network but they contain additional information. The registers are shared both by the CS and PS domain. The SGSN node handles all PS connections to the subscriber. It controls routing area update, location register, packet paging and controlling the security mechanisms related to packet communication. 3 The GGSN is connected to the Internet by the Gi interface and to the BG by the Gp interface. All data communication between a subscriber and an external network goes through a GGSN. The BG is a gateway between PLMN (Public Mobile Land Network) ÅS domains. It functions like firewall between different operators. Figure 1. Architecture of UMTS network. UMTS Terrestrial Radio Access Network. The UTRAN is the link between the user and the CN. It contains elements to provide and control UMTS communications over the air. These elements are the RNC (Radio Network Controller) and Node B (basestation). The UTRAN has an interface Uu to the UE and two interfaces, Iu PS (Packet Switched) and Iu CS Circuit Switched), to the CN The RNC is responsible for the basestations and controls their radio resources. Another important task for the RNC is confidentiality and integrity protection. The security keys are placed in the RCN, where they are used together with built-in functions. The RNS also have a multiple role. A user is connected to a Serving RNC but when the user is roaming a Drift RNC will take over control. The basestation, named Node B, receives signals over the Iub interface from the RNC and converts them to radio signals over the Uu interface. Node B also performs some basic Radio Resource Management operations, i.e., prevents the near-far problem. 4 User Equipment. The user equipment must be compatible with GSM. It will mainly consist of a mobile equipment(phone) (ME) and an UMTS Subscriber Identity Module (USIM). The USIM is an extension to the GSM SIM but with increased memory capacity, faster CPU performance and greater capability for encryption. In the future USIM will allow images, signatures, personal files and fingerprint to be stored to and retrieved from it. This will for instance give the ability to carry out financial transactions and electronic commerce. The main tasks of the ME will be to increase reliability, speed and efficiency of data transfers as well as data voice transfers. UMTS Security The security architecture in UMTS is based on three security principles: authentication, confidentiality and integrity. Figure 2 illustrates the security architecture. UIC is the mechanism for user identity confidentiality, AKA is the authentication and key agreement mechanism, DC is the mechanism for data confidentiality of user and signaling data, and DI is the mechanism for data integrity of signaling data. Figure 2. Overview of the UMTS security architecture. 5 Authentication and Key Agreement (AKA) AKA forms the basis because other security features rely on the results derived by AKA. The authentication phase is divided into two parts: Authentication of the user towards the network Authentication of the network towards the user Both procedures take place within the same message exchange, i.e. this ‘one-pass authentication’ reduces messages sent back and forth. Key agreement includes: Generating the cipher key Generating the integrity key Authentication is needed for the other security mechanisms as confidentiality and integrity. After the AKA is performed integrity protection of messages, and confidentiality protection of signaling and used data can take place. The AKA procedures take place in the USIM, SGSN/VLR (packet switched domain), MSC/VLR (circuit switched domain) and the HLR/AuC. The AKA procedure will take place at the following circumstances: User registration in a serving network. Registration of a subscriber typically occurs when roaming between national operators is limited. The first time the subscriber connects to the serving network, he/she gets registered. After a service request. High level protocols/applications ask AKA to increase security. Online banking transactions is one example. Location update request. The terminal updates the HLR regularly with its position in location update requests. Attach request. This procedure connects the subscriber to the network. Detach request. This procedure disconnects the subscriber to the network. Connection re-establishment request. The procedure is performed when the maximum number of local authentications to the network. When the procedure is to take place the SGSN/VLR (SN/VLR) asks the subscriber, USIM, to send it’s IMSI so that it can be identified and the home network can be determined. This is needed to start the AKA procedure (see Figure 3). The Home Environment (HE/HLR/AuC) sends an ordered array of n authentication vectors AV (~ GSM triplet) to the SN/VLR. One authentication vector corresponds to one AKA between the SN/VLR and the USIM. We have the following AV output parameters generated in AuC: A random number RAND An expected response XRES A cipher key CK An integrity key IK 6 An authentication token AUTN In the initiating phase the SN/VLR selects the next authentication vector from the array and sends the parameters RAND and AUTN to the user. The USIM then verifies the authentication to the network (see details later on). If the authentication is successful the USIM produces a response RES which is sent back to the SN/VLR. The received RES is compared to XRES in the SN/VLR and if they match the network has authenticated the subscriber. SN/VLR considers the AKA exchange to be successfully completed. Figure 3. Authentication and key Agreement procedure. The key agreement procedure takes place when the authentication process has been completed successfully. The keys CK and IK for encryption and integrity protection are created in the AuC and included in the authentication vectors. The SN/VLR gets the the cipher and integrity keys and sends them to the RNC currently holding the subscriber. 7 AV Generation. The authentication vectors are generated in AuC by the use of so called one-way functions, f1 – f5. Such a function is relatively easy to compute bur practically impossible to invert. This means that by knowing the output of the function, there is no easy way to compute the inputs. Input parameters to the one-way functions in the AuC are: The sequence number, SQN. AuC reads the SQN and then generates a new SQN. The random challenge, RAND. The RAND is generated by a random generator. The pre-shared secret key, K. The key K is situated in both theAuC and the USIM. The authentication and key management field, AMF. The AMF field is used to indicate the algorithm and key used to generate a particular AV. Figure 4. AV generation in the AuC. The AuC usually pre-computes the Avs and sends them to the HLR to be stored in the database. The generated parameters are: The message authentication code, MAC. The MAC is used for the USIM to authenticate the network. It is compared in the USIM with the expected message authentication code, XMAC, that is also calculated in the USIM. The expected result, X-RES. The X-RES parameter is compared to RES calculated in the USIM to authenticate the subscriber. 8 The cipher key CK. This key is used for encrypting the data dent over the radio link. It is used by the encryption algorithm located in the terminal and in the RNC. The integrity key, IK. This key is used to check the integrity of signaling messages sent over the radio link. The algorithm using IK is located in the terminal aand in the RCN. The anonymity key AK. This key is used to conceal the sequence number (SQN). SQN may expose the identity and location of the user. The generation of authentication vectors is show in Figures 4 and 5. When generating a new AV the AuC reads the stored value of the sequence number, SQN, and then generates a new SQN and a random challenge, RAND. These two parameters together with AMF and secret key K are used as input parameters. Figure 5. RES generation in the USIM. When the USIM receives the RAND and AUTN parameters it starts by generating the AK on the received RAND. By XOR-ing the AK with the (SQNAK) the sequence number of the AuC is revealed. The secret key K is then used with the received AMF, SQN and RAND to generate the Expected Network Authentication Code (XMAC). The XMAC is then compared to the MAC. If they match, the key generating functions can continue. The sequence number has to be within the correct range. If so, the USIM continues to generate RES by function 2 with the input parameters K and RAND. 9 Confidentiality Confidentiality is achieved by ciphering the communication between the subscriber (USIM) and the network (RNC) and by referring to the subscriber by temporary identities. Confidential properties are: Identity of the subscriber Current location of the subscriber User data Signaling data The confidentiality function is shown in the figure below. Figure 6. Confidentiality function f8. The ciphering algorithm f8 generates a keystream block that is XOR-ed with the user plaintext (the user or signaling data) and then sent over the air. The cipher keystream that is generated is unique for every block. The input parameters to the algorithm are: Cipher key (CK). The cipher key is generated in the AuC and sent to the SGSN/VLR as a part of the AV. After authentication the key is sent the RCN. The USIM generates it’s own CK. When performing a handover, the CK is transmitted to the new RNC. Count-C. The counter is incremented by each confidentiality-protected message sent or received. There are separate counters for uplink and downlink. Count-C, together with 10 the DIRECTION identifier, assures that the input parameters never stay the same within a connection. BEARER. The bearer identifier is used to distinguish between different logical radio bearers associated with the same user on the same physical link. DIRECTION. The direction identifier distinguishes between messages being sent or messages being received. LENGTH. This parameter is used to determine the length of the output keystream block. Integrity Integrity protection is required for signaling messages. User data on the other hand is not integrity protected. Higher-level protocols are needed if user data integrity protection is needed. Integrity check of signaling data is illustrated in the figure below. Figure 7. Integrity function f9. Integrity protection is achieved by adding stamps to the messages. The stamps ensure that the message is generated at the claimed identity (USIM or SN). The message authentication code for identity (MAC-I) is computed by the algorithm f9. The receiver computes the XMAX-I in the same way as the sender computed MAC-I. Verification is done by comparing the MAC-I with XMAC-I. Integrity Key (IK). The Integrity Key is generated in both the AuC and USIM. The SGSN/VLR receives the IK in the AV from the AuC, and sends it to the RNC after authenticating the USIM. When handovers occur, the IK is transmitted to the new RNC. The key itself is not changed at handovers. 11 COUNT-I. The counter is incremented by each integrity-protected message. There are separate counters for uplink and downlink. COUNT-I assures that he input parameters stay the same within a connection. FRESH. One FRESH value is assigned to each user and the RNC generates this value at connection set-up. The lifetime of the FRESH value is one connection and a new FRESH value will be generated at the next connection. Also at handovers, the FRESH will reset to a new value. FRESH is used to protect against replay attacks. DIRECTION. The direction identifier is used to distinguish between uplink and downlink. The message itself is an important input to the function. Only by doing this the, the integrity of the message can be protected. If anyone changes the message between the sender and the message, the receiver will NOT get an XMAC-I matching the MAC-I received. Security algorithms The algorithms used in the UMTS security features can be divided into two categories. There are seven authentication and key agreement algorithms. 3GPP has specified an algorithm called MILENAGE that could be used for these functions. The other cathegory is the confidentiality algorithm f8 and the integrity algorithm f9. These algorithms are standardized and based on the algorithm KASUMI.