Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Ch12-CellularSecurity

advertisement 
GSM Security Overview
Wireless telephone history
Yuri Sherman
It all started like this
• First telephone (photophone) – Alexander
Bell, 1880
• The first car mounted radio
telephone – 1921
Going further
• 1946 – First commercial mobile radiotelephone service by Bell and AT&T in Saint
Louis, USA. Half duplex(PTT)
• 1973 – First handheld cellular phone –
Motorola.
• First cellular net
Bahrein 1978
But what’s cellular?
MSC
BS
PSTN
HLR, VLR,
AC, EIR
Cellular principles
•
•
•
•
Frequency reuse – same frequency in many cell sites
Cellular expansion – easy to add new cells
Handover – moving between cells
Roaming between networks
Generation Gap
• Generation #1 – Analog [routines for sending
voice]
• All systems are incompatible
• No international roaming
• Little capacity – cannot accommodate masses
of subscribers
Generation Gap(2)
•
•
•
•
•
Generation #2 – digital [voice encoding]
Increased capacity
More security
Compatibility
Can use TDMA or CDMA for increasing
capacity
TDMA
• Time Division Multiple Access
• Each channel is divided into timeslots, each
conversation uses one timeslot.
• Many conversations are multiplexed into a
single channel.
• Used in GSM
CDMA
• Code Division Multiple Access
• All users share the same frequency all the
time!
• To pick out the signal of specific user, this
signal is modulated with a unique code
sequence.
Access techniques for mobile
communications
FDMA (TACS)
P
F
T
TDMA (GSM, DECT)
ATDMA (UMTS)
P
F
T
P - Power
T - Time
F - Frequency
CDMA (UMTS)
P
F
T
Back to Generations
• Generation #2.5 – packet-switching
• Connection to the internet is paid by packets
and not by connection time.
• Connection to internet is cheaper and faster
[up to 56KBps]
• The service name is GPRS – General Packet
Radio Services
3rd Generation
•
•
•
•
Generation #3
Permanent web connection at 2Mbps
Internet, phone and media: 3 in 1
The standard based on GSM is called UMTS. Not
yet implemented.
• The EDGE standard is the development of GSM
towards 3G.
• 3+G, 4G systems
– OFDM, Software radio, Array antennas
– WiMAX
GSM
• More than 800 million end users in 190
countries and representing over 70% of today's
digital wireless market.
– source: GSM Association
GSM Overview
Cellular network components
• BTS (Base Transceiver Station) – main component of a cell and
it connects the subscribers to the cellular network; for
transmission/reception of information it uses several
antennas spread across the cell
• BSC (Basic Station Controller) – it is an interface between BTSs
and it is linked to BTSs by cable or microwave links; it routes
calls between BTSs; it is also connected to the MSC
• MSC (Mobile Switching Center) – the coordinator of a cellular
network, it is connected to several BSCs, it routes calls
between BSCs; links the cellular network with other networks
like PSTN through fiber optics, microwave or copper cable
Components of a cellular phone (MSU – Mobile
Subscriber Unit)
• radio transceiver – low power radio transmitter and
receiver
• antenna, usually located inside the phone
• control circuitry – formats the data sent to and from the
BTS; controls signal transmission and reception
• man-machine interface – consists from a keypad and a
display; is managed by the control circuitry
• Subscriber Identity Module (SIM) – integrated circuit card
that stores the identity information of subscriber
• battery, usually Li-ion, the power unit of the phone
Setting up a call process
• when powered on, the phone does not have a frequency/ time
slot/ode assigned to it yet; so it scans for the control channel of
the BTS and picks the strongest signal
• then it sends a message (including its identification number) to
the BTS to indicate its presence
• the BTS sends an acknowledgement message back to the cell
phone
• the phone then registers with the BTS and informs the BTS of its
exact location
• after the phone is registered to the BTS, the BTS assigns a
channel to the phone and the phone is ready to receive or make
calls
Making a call process
• the subscriber dials the receiver’s number and sends it to the
BTS
• the BTS sends to its BSC the ID, location and number of the
caller and also the number of the receiver
• the BSC forwards this information to its MSC
• the MSC routes the call to the receiver’s MSC which is then
sent to the receiver’s BSC and then to its BTS
• the communication with the receiver’s cell phone is
established
Receiving a call process
• when the receiver’ phone is in an idle state it listens for the
control channel of its BTS
• if there is an incoming call the BSC and BTS sends a message
to the cells in the area where the receiver’s phone is located
• the phone monitors its message and compares the number
from the message with its own
• if the numbers matches the cell phone sends an
acknowledgement to the BTS
• after authentication, the communication is established
between the caller and the receiver
Subscriber Identity Module (SIM) card
• SIM – a memory card (integrated circuit) holding identity
information, phone book etc.
• GSM system support SIM cards
• other systems, like CDMA do not support SIM cards, but have
something similar called Re-Usable Identification Module
(RUIM)
International Mobile Equipment Identity (IMEI)
key
• IMEI – a unique 15 digit number identifying each phone, is
incorporated in the cellular phone by the manufacturer
• IMEI ex.: 994456245689001
• when a phone tries to access a network, the service provider
verifies its IMEI with a database of stolen phone numbers; if
it is found in the database, the service provider denies the
connection
• the IMEI is located on a white sticker/label under the battery,
but it can also be displayed by typing *#06# on the phone
International Mobile Subscriber Identity (IMSI)
key
• IMSI – a 15-digit unique number provided by the service
provider and incorporated in the SIM card which identifies
the subscriber
• IMSI enables a service provider to link a phone number with
a subscriber
• first 3 digits of the IMSI are the country code
Temporary Mobile Subscriber Identity (TMSI)
key
• TMSI – is a temporary number, shorter than the IMSI,
assigned by the service provider to the phone on a
temporary basis
• TMSI key identifies the phone and its owner in the cell it is
located; when the phone moves to a different cell it gets a
new TMSI key
• as TMSI keys are shorter than IMSI keys they are more
efficient to send
• TMSI key are used for securing GSM networks
Base Station Subsystem (BSS)
HLR, VLR and EIR registers
• Home Location Register (HLR) - is a database maintained by
the service provider containing permanent data about each
subscriber (i.e. location, activity status, account status, call
forwarding preference, caller identification preference)
• Visitor Location Register (VLR) – database that stores
temporary data about a subscriber; it is kept in the MSC of
the of the area the subscriber is located in; when the
subscriber moves to a new area the new MSC requests this
VLR from the HLR of the old MSC
• Equipment Identity Register (EIR) – database located near the
MSC and containing information identifying cell phones
Into the architecture
• Mobile phone is identified by SIM card.
• Key feature of the GSM
• Has the “secret” for authentication
Into the architecture(2)
• BTS – houses the radiotransceivers of the cell
and handles the radio-link protocols with the
mobile
• BSC – manages radio resources (channel
setup, handover) for one or more BTSs
Into the architecture(3)
• MSC – Mobile Switching Center
• The central component of the network
• Like a telephony switch plus everything for a
mobile subscriber: registration,
authentication, handovers, call routing,
connection to fixed networks.
• Each switch handles dozens of cells
Into the architecture(4)
• HLR – database of all users + current location.
One per network
• VLR – database of users + roamers in some
geographic area. Caches the HLR
• EIR – database of valid equipment
• AuC – Database of users’ secret keys
More GSM
• GSM comes in three flavors(frequency
bands): 900, 1800, 1900 MHz. 900 is the
Orange flavour in Israel.
• Voice is digitized using Full-Rate coding.
• 20 ms sample => 260 bits . 13 Kbps bitrate
Sharing
• GSM uses TDMA and FDMA to let everybody
talk.
• FDMA: 25MHz freq. is divided into 124 carrier
frequencies. Each base station gets few of
those.
• TDMA: Each carrier frequency is divided into
bursts [0.577 ms]. 8 bursts are a frame.
Channels
• The physical channel in GSM is the timeslot.
• The logical channel is the information which
goes through the physical ch.
• Both user data and signaling are logical
channels.
Channels(2)
• User data is carried on the traffic channel
(TCH) , which is defined as 26 TDMA frames.
• There are lots of control channels for
signaling, base station to mobile, mobile to
base station (“aloha” to request network
access)
SS7
• Signaling protocol for networks
• Packet – switching [like IP]
• GSM uses SS7 for communication between
HLR and VLR (allowing roaming) and other
advanced capabilities.
• GSM’s protocol which sits on top of SS7 is
MAP – mobile application part
Agenda
• GSM Security Objectives
– Concerns, Goals, Requirements
• GSM Security Mechanisms
• SIM Anatomy
• Algorithms and Attacks
– COMP128
– Partitioning Attack on COMP128
(J. Rao, P. Rohantgi, H. Scherzer, S. Tunguely)
35
GSM Security Concerns
• Operators
– Bills right people
– Avoid fraud
– Protect Services
• Customers
– Privacy
– Anonymity
• Make a system at least secure as PSTN
36
GSM Security Goals
• Confidentiality and Anonymity on the radio
path
• Strong client authentication to protect the
operator against the billing fraud
• Prevention of operators from compromising of
each others’ security
– Inadvertently
– Competition pressure
37
GSM Security Design Requirements
• The security mechanism
– MUST NOT
•
•
•
•
Add significant overhead on call set up
Increase bandwidth of the channel
Increase error rate
Add expensive complexity to the system
– MUST
• Cost effective scheme
– Define security procedures
• Generation and distribution of keys
• Exchange information between operators
• Confidentiality of algorithms
38
GSM Security Features
• Key management is independent of equipment
– Subscribers can change handsets without compromising security
• Subscriber identity protection
– not easy to identify the user of the system intercepting a user data
• Detection of compromised equipment
– Detection mechanism whether a mobile device was compromised or
not
• Subscriber authentication
– The operator knows for billing purposes who is using the system
• Signaling and user data protection
– Signaling and data channels are protected over the radio path
39
GSM Mobile Station
• Mobile Station
– Mobile Equipment (ME)
• Physical mobile device
• Identifiers
– IMEI – International Mobile Equipment Identity
– Subscriber Identity Module (SIM)
• Smart Card containing keys, identifiers and algorithms
• Identifiers
–
–
–
–
–
–
Ki – Subscriber Authentication Key
IMSI – International Mobile Subscriber Identity
TMSI – Temporary Mobile Subscriber Identity
MSISDN – Mobile Station International Service Digital Network
PIN – Personal Identity Number protecting a SIM
LAI – location area identity
40
GSM Architecture
Mobile Stations
Base Station
Subsystem
Network
Management
Subscriber and terminal
equipment databases
OMC
BTS
Exchange
System
VLR
BTS
BSC
MSC
HLR
BTS
AUC
EIR
41
Subscriber Identity Protection
• TMSI – Temporary Mobile Subscriber Identity
– Goals
• TMSI is used instead of IMSI as an a temporary subscriber identifier
• TMSI prevents an eavesdropper from identifying of subscriber
– Usage
• TMSI is assigned when IMSI is transmitted to AuC on the first phone
switch on
• Every time a location update (new MSC) occur the networks assigns a
new TMSI
• TMSI is used by the MS to report to the network or during a call
initialization
• Network uses TMSI to communicate with MS
• On MS switch off TMSI is stored on SIM card to be reused next time
– The Visitor Location Register (VLR) performs assignment,
administration and update of the TMSI
42
Key Management Scheme
• Ki – Subscriber Authentication Key
– Shared 128 bit key used for authentication of subscriber by the
operator
– Key Storage
• Subscriber’s SIM (owned by operator, i.e. trusted)
• Operator’s Home Locator Register (HLR) of the subscriber’s home
network
• SIM can be used with different equipment
43
Detection of Compromised Equipment
• International Mobile Equipment Identifier (IMEI)
– Identifier allowing to identify mobiles
– IMEI is independent of SIM
– Used to identify stolen or compromised equipment
• Equipment Identity Register (EIR)
– Black list – stolen or non-type mobiles
– White list - valid mobiles
– Gray list – local tracking mobiles
• Central Equipment Identity Register (CEIR)
– Approved mobile type (type approval authorities)
– Consolidated black list (posted by operators)
44
Authentication
• Authentication Goals
– Subscriber (SIM holder) authentication
– Protection of the network against unauthorized
use
– Create a session key
• Authentication Scheme
– Subscriber identification: IMSI or TMSI
– Challenge-Response authentication of the
subscriber by the operator
45
Authentication and Encryption Scheme
Mobile Station
Radio Link
GSM Operator
Challenge RAND
SIM
Ki
A3
A3
Signed response (SRES)
SRES
Authentication: are SRES
values equal?
A8
mi
A5
SRES
A8
Kc
Kc
Fn
Ki
Encrypted Data
A5
Fn
mi
46
Authentication
• AuC – Authentication Center
– Provides parameters for authentication and encryption
functions (RAND, SRES, Kc)
• HLR – Home Location Register
– Provides MSC (Mobile Switching Center) with triples
(RAND, SRES, Kc)
– Handles MS location
• VLR – Visitor Location Register
– Stores generated triples by the HLR when a subscriber is
not in his home network
– One operator doesn’t have access to subscriber keys of the
another operator.
47
A3 – MS Authentication Algorithm
• Goal
– Generation of SRES response to MSC’s random
challenge RAND
RAND (128 bit)
Ki (128 bit)
A3
SRES (32 bit)
48
A8 – Voice Privacy Key Generation
Algorithm
• Goal
– Generation of session key Ks
• A8 specification was never made public
RAND (128 bit)
Ki (128 bit)
A8
KC (64 bit)
49
Logical Implementation
of A3 and A8
• Both A3 and A8 algorithms are implemented
on the SIM
– Operator can decide, which algorithm to use.
– Algorithms implementation is independent of
hardware manufacturers and network operators.
50
Logical Implementation
of A3 and A8
• COMP128 is used for both A3 and A8 in most
GSM networks.
– COMP128 is a keyed hash function
RAND (128 bit)
Ki (128 bit)
COMP128
128 bit output
SRES 32 bit and Kc 54 bit
51
A5 – Encryption Algorithm
– A5 is a stream cipher
• Implemented very efficiently on hardware
• Design was never made public
• Leaked to Ross Anderson and Bruce Schneier
– Variants
• A5/1 – the strong version
• A5/2 – the weak version
• A5/3
– GSM Association Security Group and 3GPP design
– Based on Kasumi algorithm used in 3G mobile systems
52
Logical A5 Implementation
BTS
Mobile Station
Fn (22 bit)
Kc (64 bit)
Fn (22 bit)
A5
Kc (64 bit)
A5
114 bit
Data (114 bit)
114 bit
Ciphertext (114 bit)
XOR
Data (114 bit)
XOR
Real A5 output is 228 bit for both directions
53
A5 Encryption
Mobile Stations
Base Station
Subsystem
Network
Management
Subscriber and terminal
equipment databases
OMC
BTS
Exchange
System
VLR
BTS
BSC
MSC
HLR
BTS
A5 Encryption
AUC
EIR
54
SIM Anatomy
– Subscriber Identification Module (SIM)
• Smart Card – a single chip computer containing OS, File System,
Applications
• Protected by PIN
• Owned by operator (i.e. trusted)
• SIM applications can be written with SIM Toolkit
55
Smart Card Anatomy
56
Microprocessor Cards
• Typical specification
–
–
–
–
–
8 bit CPU
16 K ROM
256 bytes RAM
4K EEPROM
Cost: $5-50
• Smart Card Technology
– Based on ISO 7816 defining
• Card size, contact layout, electrical characteristics
• I/O Protocols: byte/block based
• File Structure
57
Algorithm Implementations
and Attacks
58
Attack Categories
• SIM Attacks
• Radio-link interception attacks
• Operator network attacks
– GSM does not protect an operator’s network
59
Attack History
• 1991
– First GSM implementation.
• April 1998
– The Smartcard Developer Association (SDA) together with U.C. Berkeley
researches cracked the COMP128 algorithm stored in SIM and succeeded to
get Ki within several hours. They discovered that Kc uses only 54 bits.
• August 1999
– The week A5/2 was cracked using a single PC within seconds.
• December 1999
– Alex Biryukov, Adi Shamir and David Wagner have published the scheme
breaking the strong A5/1 algorithm. Within two minutes of intercepted call
the attack time was only 1 second.
• May 2002
– The IBM Research group discovered a new way to quickly extract the
COMP128 keys using side channels.
60
Related documents
When we are considering computerized databases, there are
When we are considering computerized databases, there are
TEL 355: Communication and Information Systems in Organizations
TEL 355: Communication and Information Systems in Organizations
Mobile
Mobile
2 Base Station Sub-system (BSS)
2 Base Station Sub-system (BSS)
Ασύρματα Δίκτυα και Κινητές Επικοινωνίες Ενότητα # 7
Ασύρματα Δίκτυα και Κινητές Επικοινωνίες Ενότητα # 7
GSM Security
GSM Security
Chapter 8
Chapter 8
Introduction:
Introduction:
Download
advertisement