UMTS Security

THIRD GENERATION WIRELESS SYSTEMS
2G systems are limited in terms of maximum data rate. This makes 2G systems
practically useless for the increased requirements of future mobile data applications. A
simple transfer of a 2 Mbyte data file would take approximately 28 minutes employing
the 9.6 kbps GSM data transmission.
In order to provide efficient support for new services, work on the Third Generation
of cellular systems was initiated by the International Telecommunication Union (ITU) in 1992.
The outcome of the standardization effort, called International Mobile
Telecommunications 2000 (IMT-2000), comprises a number of different 3G standards.
The European proposal for IMT-2000 prepared by ETSI (European Telecommunications Standards Institute) is called UMTS (Universal Mobile
Telecommunications System). IMT-2000 standards are:

- EDGE, a TDMA-based system that evolves from GSM and IS-136, offering
  data rates up to 473 kbps and backward compatibility with GSM/IS-136.
- Cdma2000, a fully backwards-compatible descendant of IS-95 that supports
  data rates up to 2 Mbps.
- WCDMA, a CDMA-based system that is capable of offering speeds up to 2
  Mbps.

WCDMA (Wideband Code Division Multiple Access) has emerged as the most widely
adopted third generation air interface. Its specifications have been created in 3GPP (the
3rd Generation Partnership Project), which is the joint standardization project of
standardization bodies from the whole world. The GSM network is upgraded to the
GPRS, which in turn will be upgraded to the WCDMA network.
The broad objectives of 3G systems are:

- Support 2 Mbps for handheld devices, 384 kbps for walking mobile devices, and
  144 kbps for car-borne mobile devices.
- Support for global roaming.
- The 3G systems should work in all radio environments: urban areas, suburban
  areas, hilly and mountainous regions, and indoor environments. To achieve this,
  the cell size may vary considerably.
- Asymmetric and symmetric services should be supported, i.e., the uplink (from
  handset to base station) data rates can be lower than the downlink data rate.

The following services should be supported:

- Computer data with Internet access, e-mail transfer, mobile computing
- Telecom services, such as telephony, video telephony, video and audio
  conferencing
- Audio/video on demand, tele-shopping, TV and radio broadcast

Main parameters in WCDMA
Items that characterize WCDMA:

- WCDMA is a wideband Direct-Sequence CDMA system, i.e., user information
  bits are spread over a wide bandwidth by multiplying the user data with
  quasi-random bits (chips) derived from CDMA spreading codes.
- The chip rate of 3.84 Mcps (Megachips per second) used leads to a carrier
  bandwidth of approximately 5 MHz. The network operator can deploy multiple
  carriers to increase capacity.
- WCDMA supports highly variable data rates, i.e., the concept of obtaining
  Bandwidth on Demand (BoD) is well supported. Each user is allocated frames of
  10 ms duration, during which the user data rate is kept constant.
- WCDMA supports two basic modes of operation: Frequency Division Duplex
  (FDD) and Time Division Duplex (TDD).
- WCDMA supports the operation of asynchronous base stations, so there is no
  need for a global time reference, such as GPS (Global Positioning System). IS-95
  systems are synchronous.
- Advanced CDMA receiver concepts, such as multiuser detection and smart
  antennas, can be deployed to increase capacity and/or coverage.
- Handovers between GSM and WCDMA are supported.

UMTS Network
The UMTS network consists of three interacting domains: the Core Network (CN), the
UMTS Terrestrial Radio Access Network (UTRAN) and the User Equipment (UE). The CN
architecture is based on the GSM network, but all equipment has to be modified for
UMTS operations and services. The UTRAN provides the air interface access method
for the User Equipment. The UE is based on the same principles as the GSM Mobile
Station (MS).
Core Network. The CN is functionally divided into two parts, a circuit switched (CS) and a
packet switched (PS) domain. The CS domain offers standard telephone services. It
contains the same network elements found in the NSS of the GSM network, the 3G
MSC/VLR (3G Mobile services Switching Center/Visitor Location Register) and the 3G
GMSC (3G Gateway MSC). The PS domain offers wideband data services. The PS
domain also has two basic network elements, the SGSN (Serving GPRS Support Node)
and the GGSN (Gateway GPRS Support Node). A Border Gateway (BG) functions
between different operators' PS domains. The CN also consists of registers (EIR, HLR,
AuC) as in the GSM network, but they contain additional information. The registers are
shared by both the CS and PS domains.
The SGSN node handles all PS connections to the subscriber. It handles routing area
updates, location registration, packet paging and control of the security mechanisms related
to packet communication.
The GGSN is connected to the Internet by the Gi interface and to the BG by the Gp
interface. All data communication between a subscriber and an external network goes
through a GGSN.
The BG is a gateway between PLMN (Public Land Mobile Network) PS domains. It
functions like a firewall between different operators.
Figure 1. Architecture of UMTS network.
UMTS Terrestrial Radio Access Network. The UTRAN is the link between the user
and the CN. It contains elements to provide and control UMTS communications over
the air. These elements are the RNC (Radio Network Controller) and Node B
(base station). The UTRAN has an interface Uu to the UE and two interfaces, Iu PS
(Packet Switched) and Iu CS (Circuit Switched), to the CN.
The RNC is responsible for the base stations and controls their radio resources. Another
important task for the RNC is confidentiality and integrity protection. The security keys
are placed in the RNC, where they are used together with built-in functions. The RNC
also has multiple roles. A user is connected to a Serving RNC, but when the user is
roaming a Drift RNC will take over control.
The base station, named Node B, receives signals over the Iub interface from the RNC
and converts them to radio signals over the Uu interface. Node B also performs some
basic Radio Resource Management operations, i.e., it prevents the near-far problem.
User Equipment. The user equipment must be compatible with GSM. It will mainly
consist of a mobile equipment (phone) (ME) and a UMTS Subscriber Identity Module
(USIM).
The USIM is an extension to the GSM SIM but with increased memory capacity, faster
CPU performance and greater capability for encryption. In the future the USIM will allow
images, signatures, personal files and fingerprints to be stored on and retrieved from it.
This will, for instance, give the ability to carry out financial transactions and electronic
commerce.
The main tasks of the ME will be to increase reliability, speed and efficiency of data
transfers as well as data voice transfers.
UMTS Security
The security architecture in UMTS is based on three security principles: authentication,
confidentiality and integrity. Figure 2 illustrates the security architecture. UIC is the
mechanism for user identity confidentiality, AKA is the authentication and key
agreement mechanism, DC is the mechanism for data confidentiality of user and
signaling data, and DI is the mechanism for data integrity of signaling data.
Figure 2. Overview of the UMTS security architecture.
Authentication and Key Agreement (AKA)
AKA forms the basis because other security features rely on the results derived by
AKA. The authentication phase is divided into two parts:

- Authentication of the user towards the network
- Authentication of the network towards the user

Both procedures take place within the same message exchange, i.e. this ‘one-pass
authentication’ reduces the number of messages sent back and forth.
Key agreement includes:

- Generating the cipher key
- Generating the integrity key

Authentication is needed for the other security mechanisms, such as confidentiality and
integrity. After the AKA is performed, integrity protection of messages and
confidentiality protection of signaling and user data can take place.
The AKA procedures take place in the USIM, SGSN/VLR (packet switched domain),
MSC/VLR (circuit switched domain) and the HLR/AuC. The AKA procedure will take
place in the following circumstances:

- User registration in a serving network. Registration of a subscriber typically
  occurs when roaming between national operators is limited. The first time the
  subscriber connects to the serving network, he/she gets registered.
- After a service request. High level protocols/applications ask AKA to increase
  security. Online banking transactions are one example.
- Location update request. The terminal updates the HLR regularly with its
  position in location update requests.
- Attach request. This procedure connects the subscriber to the network.
- Detach request. This procedure disconnects the subscriber from the network.
- Connection re-establishment request. The procedure is performed when the
  maximum number of local authentications to the network.

When the procedure is to take place, the SGSN/VLR (SN/VLR) asks the subscriber
(USIM) to send its IMSI so that it can be identified and the home network can be
determined. This is needed to start the AKA procedure (see Figure 3). The Home
Environment (HE/HLR/AuC) sends an ordered array of n authentication vectors AV
(comparable to the GSM triplet) to the SN/VLR. One authentication vector corresponds to one AKA
between the SN/VLR and the USIM. The AuC generates the following AV output
parameters:

- A random number RAND
- An expected response XRES
- A cipher key CK
- An integrity key IK
- An authentication token AUTN

In the initiating phase the SN/VLR selects the next authentication vector from the array
and sends the parameters RAND and AUTN to the user. The USIM then verifies the
authentication to the network (see details later on). If the authentication is successful the
USIM produces a response RES which is sent back to the SN/VLR. The received RES
is compared to XRES in the SN/VLR and if they match the network has authenticated
the subscriber. SN/VLR considers the AKA exchange to be successfully completed.
Figure 3. Authentication and key Agreement procedure.
The key agreement procedure takes place when the authentication process has been
completed successfully. The keys CK and IK for encryption and integrity protection are
created in the AuC and included in the authentication vectors. The SN/VLR gets the
cipher and integrity keys and sends them to the RNC currently holding the subscriber.
AV Generation.
The authentication vectors are generated in the AuC by the use of so-called one-way
functions, f1 – f5. Such a function is relatively easy to compute but practically impossible
to invert. This means that by knowing the output of the function, there is no easy way to
compute the inputs.
Input parameters to the one-way functions in the AuC are:

- The sequence number, SQN. The AuC reads the SQN and then generates a new SQN.
- The random challenge, RAND. The RAND is generated by a random generator.
- The pre-shared secret key, K. The key K is situated in both the AuC and the
  USIM.
- The authentication and key management field, AMF. The AMF field is used to
  indicate the algorithm and key used to generate a particular AV.

Figure 4. AV generation in the AuC.
The AuC usually pre-computes the AVs and sends them to the HLR to be stored in the
database. The generated parameters are:

- The message authentication code, MAC. The MAC is used by the USIM to
  authenticate the network. It is compared in the USIM with the expected message
  authentication code, XMAC, that is also calculated in the USIM.
- The expected result, XRES. The XRES parameter is compared to the RES calculated
  in the USIM to authenticate the subscriber.
- The cipher key, CK. This key is used for encrypting the data sent over the radio
  link. It is used by the encryption algorithm located in the terminal and in the
  RNC.
- The integrity key, IK. This key is used to check the integrity of signaling messages
  sent over the radio link. The algorithm using IK is located in the terminal and in
  the RNC.
- The anonymity key, AK. This key is used to conceal the sequence number (SQN).
  SQN may expose the identity and location of the user.

The generation of authentication vectors is shown in Figures 4 and 5. When generating a
new AV the AuC reads the stored value of the sequence number, SQN, and then
generates a new SQN and a random challenge, RAND. These two parameters together
with AMF and secret key K are used as input parameters.
Figure 5. RES generation in the USIM.
When the USIM receives the RAND and AUTN parameters, it starts by generating the
AK from the received RAND. By XOR-ing the AK with the (SQN ⊕ AK), the sequence
number of the AuC is revealed. The secret key K is then used with the received AMF,
SQN and RAND to generate the Expected Network Authentication Code (XMAC). The
XMAC is then compared to the MAC. If they match, the key generating functions can
continue. The sequence number has to be within the correct range. If so, the USIM
continues to generate RES by function f2 with the input parameters K and RAND.
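The AuC, USIM and SN/VLR steps described above, as an added example that is not part of the original text. HMAC-SHA256 stands in for f1 to f5 (it is not MILENAGE), the field lengths and the AUTN layout (SQN xor AK, then AMF, then MAC) follow the 3GPP specification rather than this page, and the strictly increasing SQN rule is an assumed simplification of "within the correct range".

```python
import hashlib, hmac, os

def prf(k, label, data, n):
    # Stand-in one-way function (HMAC-SHA256); NOT the real f1-f5 / MILENAGE.
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def auc_generate_av(k, sqn, amf, rand=None):
    """AuC side: build one authentication vector for sequence number sqn."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = prf(k, b"f1", sqn_b + rand + amf, 8)   # lets the USIM authenticate the network
    ak = prf(k, b"f5", rand, 6)                  # conceals SQN on the radio link
    return {"RAND": rand,
            "XRES": prf(k, b"f2", rand, 8),
            "CK": prf(k, b"f3", rand, 16),
            "IK": prf(k, b"f4", rand, 16),
            "AUTN": xor(sqn_b, ak) + amf + mac}  # (SQN xor AK) || AMF || MAC

class Usim:
    def __init__(self, k, highest_sqn=0):
        self.k, self.highest_sqn = k, highest_sqn  # highest SQN accepted so far

    def authenticate(self, rand, autn):
        """Return (status, RES, CK, IK); RES and keys are None on rejection."""
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(conc_sqn, prf(self.k, b"f5", rand, 6))   # strip AK to reveal SQN
        xmac = prf(self.k, b"f1", sqn_b + rand + amf, 8)
        if not hmac.compare_digest(xmac, mac):
            return ("mac_failure", None, None, None)         # network not authenticated
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.highest_sqn:   # assumed range rule: must be strictly increasing
            return ("sqn_out_of_range", None, None, None)    # stale or replayed vector
        self.highest_sqn = sqn
        return ("ok", prf(self.k, b"f2", rand, 8),
                prf(self.k, b"f3", rand, 16), prf(self.k, b"f4", rand, 16))

def vlr_check(av, res):
    """SN/VLR side: compare the USIM's RES with XRES from the vector."""
    return res is not None and hmac.compare_digest(av["XRES"], res)
```

The USIM releases RES, CK and IK only after both the MAC check and the SQN check pass, so a replayed (RAND, AUTN) pair yields no response for the SN/VLR to compare.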
Confidentiality
Confidentiality is achieved by ciphering the communication between the subscriber
(USIM) and the network (RNC) and by referring to the subscriber by temporary
identities. Confidential properties are:

- Identity of the subscriber
- Current location of the subscriber
- User data
- Signaling data

The confidentiality function is shown in the figure below.
Figure 6. Confidentiality function f8.
The ciphering algorithm f8 generates a keystream block that is XOR-ed with the user
plaintext (the user or signaling data) and then sent over the air. The cipher keystream that
is generated is unique for every block.
The input parameters to the algorithm are:
Cipher key (CK). The cipher key is generated in the AuC and sent to the SGSN/VLR as
a part of the AV. After authentication the key is sent to the RNC. The USIM generates its
own CK. When performing a handover, the CK is transmitted to the new RNC.
Count-C. The counter is incremented for each confidentiality-protected message sent or
received. There are separate counters for uplink and downlink. Count-C, together with
the DIRECTION identifier, assures that the input parameters never stay the same within a
connection.
BEARER. The bearer identifier is used to distinguish between different logical radio
bearers associated with the same user on the same physical link.
DIRECTION. The direction identifier distinguishes between messages being sent or
messages being received.
LENGTH. This parameter is used to determine the length of the output keystream block.
Integrity
Integrity protection is required for signaling messages. User data on the other hand is not
integrity protected. Higher-level protocols are needed if user data integrity protection is
needed. Integrity check of signaling data is illustrated in the figure below.
Figure 7. Integrity function f9.
Integrity protection is achieved by adding stamps to the messages. The stamps ensure that
the message is generated by the claimed identity (USIM or SN). The message
authentication code for integrity (MAC-I) is computed by the algorithm f9. The receiver
computes the XMAC-I in the same way as the sender computed MAC-I. Verification is
done by comparing the MAC-I with XMAC-I.
Integrity Key (IK). The Integrity Key is generated in both the AuC and USIM. The
SGSN/VLR receives the IK in the AV from the AuC, and sends it to the RNC after
authenticating the USIM. When handovers occur, the IK is transmitted to the new RNC.
The key itself is not changed at handovers.
COUNT-I. The counter is incremented for each integrity-protected message. There are
separate counters for uplink and downlink. COUNT-I assures that the input parameters
never stay the same within a connection.
FRESH. One FRESH value is assigned to each user and the RNC generates this value at
connection set-up. The lifetime of the FRESH value is one connection and a new FRESH
value will be generated at the next connection. Also at handovers, the FRESH will reset
to a new value. FRESH is used to protect against replay attacks.
DIRECTION. The direction identifier is used to distinguish between uplink and
downlink.
The message itself is an important input to the function. Only by doing this can the
integrity of the message be protected. If anyone changes the message between the
sender and the receiver, the receiver will NOT get an XMAC-I matching the MAC-I
received.
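How the f8 and f9 inputs from the Confidentiality and Integrity sections bind a message to its counter, bearer, direction and connection, as an added example that is not part of the original text. HMAC-SHA256 stands in for both functions (it is not KASUMI), the 32-bit COUNT, FRESH and MAC-I widths follow the 3GPP specification rather than this page, and the Receiver class and its counter rule are hypothetical.

```python
import hashlib, hmac, struct

def keystream(ck, count_c, bearer, direction, length):
    # Stand-in for f8 (HMAC-SHA256 in counter mode); NOT KASUMI.
    hdr = struct.pack(">IBB", count_c, bearer, direction)
    out, blk = b"", 0
    while len(out) < length:
        out += hmac.new(ck, hdr + struct.pack(">I", blk), hashlib.sha256).digest()
        blk += 1
    return out[:length]          # LENGTH decides how much keystream is produced

def cipher(ck, count_c, bearer, direction, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = keystream(ck, count_c, bearer, direction, len(data))
    return bytes(d ^ s for d, s in zip(data, ks))

def mac_i(ik, count_i, fresh, direction, message):
    # Stand-in for f9 (truncated HMAC-SHA256); NOT KASUMI.
    hdr = struct.pack(">I", count_i) + fresh + bytes([direction])
    return hmac.new(ik, hdr + message, hashlib.sha256).digest()[:4]

class Receiver:
    """Recomputes XMAC-I and refuses COUNT-I values it has already accepted."""
    def __init__(self, ik, fresh, direction):
        self.ik, self.fresh, self.direction = ik, fresh, direction
        self.last_count = -1

    def accept(self, count_i, message, mac):
        xmac = mac_i(self.ik, count_i, self.fresh, self.direction, message)
        if not hmac.compare_digest(xmac, mac):
            return "bad_mac"     # altered message, wrong FRESH or wrong direction
        if count_i <= self.last_count:
            return "replayed"    # valid stamp, but the counter did not advance
        self.last_count = count_i
        return "ok"
```

A stamp recorded on one connection fails on the next because FRESH has changed, and fails in the opposite direction because DIRECTION is part of the MAC-I input.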
Security algorithms
The algorithms used in the UMTS security features can be divided into two categories.
The first category is the seven authentication and key agreement algorithms. 3GPP has specified an
algorithm called MILENAGE that could be used for these functions. The other category
is the confidentiality algorithm f8 and the integrity algorithm f9. These algorithms are
standardized and based on the algorithm KASUMI.