Outline

§ Cellular Network Architecture

§ Security Requirements

§ Authentication in 1G to 4G

§ Issues related to authentication

§ Conclusion

Slide 2

Note: Some resources in this presentation are used from the course I used to teach at TU Berlin with Prof. Jean-Pierre Seifert.

SIM – pillar for authentication

§ Subscriber Identity Module

§ Universal Integrated Circuit Card (UICC)

§ In GSM, referred to as SIM

§ In UMTS system, runs USIM software (entire card is not the USIM)

§ Supports different software modules: ISIM (IMS), CSIM (CDMA)

§ R-UIM (Removable User Identity Module) - CDMA system

Slide 3

Hardware/OS

§ Hardware is typically a smart card punchout (25x15mm)

§ UICC contains CPU, ROM, RAM, EEPROM, and I/O circuits

§ SIM operating systems are either proprietary or Java Card

§ Java Card is commonly found on both SIMs and ATM cards

§ Uses a subset of the Java language

§ Optimized byte-code format

§ Applets are “firewalled” from one another

Slide 4

SIM Data (1)

§ Integrated Circuit Card ID (ICC-ID) (aka SIM Serial Number - SSN)

§ Uniquely identifies a SIM card (hardware)

§ Conforms to ISO/IEC 7812 (19-20 digits)

§ International Mobile Subscriber Identity Module (IMSI)

§ Uniquely identifies the mobile subscriber (15 digits, ITU E.212 standard)

§ MCC (3 digits), MNC (2 or 3 digits), MSIN (9 or 10 digits)

§ Authentication Key (Ki)

§ Key shared with provider

§ Never leaves the SIM in any computation

§ Authentication algorithms performed on-chip

Slide 5

SIM Data (2)

§ Location Area Identity (LAI)

§ Stores the last known location area (saves time on power cycle)

§ Address book and SMS messages

§ Higher capacity in more advanced cards

§ Have you seen “Inbox full message” in old phones?

§ And more...

§ SMSC number

§ Service Provider Name (SPN)

§ Service Dialing Numbers (SDN)

§ Value-added services

Slide 6

Current SIM architecture

Source: Ofcom

Slide 7

SIM Application Toolkit

§ Before smartphones became popular, the SIM Application Toolkit (STK) was a popular method of deploying applications on mobile phones

§ Allowed for mobile banking applications (and other value added services) to run off the SIM (no handset hardware/OS dependence)

§ Commonly written in Java (for Java Card) using predefined commands (applications are menu driven)

§ Send data to remote application using SMS

§ OTA update methods were eventually incorporated

§ STK in UMTS defined as the USIM Application Toolkit (USAT) - 3GPP TS 31.111, security is 3GPP TS 23.048

§ Will new mobile phone OSes make STK and USAT obsolete?

Slide 8

SIM Card Readers

§ SIM cards can be connected to a PC for various purposes

§ SIM card readers are cheap (~$10-20) or build one yourself

§ Provide a serial (TTY) interface (DB9 or USB)

§ Allows you to: back up contacts and SMS, see list of previously called numbers, probe keying data to extract Ki ...

§ Frequently used for forensics

§ See NIST “Guidelines on Cell Phone Forensics”, Special Pub 800-101

§ Includes list of SIM tools

Slide 9

Locking SIM and USSD codes

§ The SIM card restricts access using two PINs (4-8 digits)

§ PIN1: If set, the PIN is required to make calls

§ PIN2: Protects certain network settings

§ What happens if you forget your PIN?

§ Commonly, three failed attempts lock the SIM

§ What are the ways to unlock SIM? USSD attack story?

§ Unlocking a locked SIM card

§ Personal Unblocking Code (PUC) or Personal Unblocking Key (PUK)

§ Commonly acquired from the network provider

§ Ten failed attempts often permanently lock the SIM

Slide 10

Security in SIM cards

§ Identity and access control (IMSI, PIN code)

§ Authentication to network operator (Ki, A3)

§ Confidentiality (Kc, A8)

§ Anonymity (TMSI)

§ SIM application toolkit

Slide 11

SIM Cloning

§ SIM cloning is the process of extracting Ki from one SIM card and writing it onto another.

§ It happens less frequently than before due to updates in crypto algorithms and authentication protocols, but is still possible in some cases.

§ Many software and hardware cloners exist

§ Why clone? - steal service, forensics, SIM/network lock circumvention, not eavesdropping (but knowing Ki helps)

§ Network can detect cloned SIMs; protections vary

§ Simultaneous calls cannot occur

§ Can network detect the cloned SIM card?

§ Who gets the SMS in case of cloning?

Slide 12

Power Analysis

§ SIM cards are smart cards, therefore, they are also vulnerable to power analysis attacks (requires special equipment).

§ Hardware implementations cause power consumption of the chip to become a side-channel to determine the key used to perform some cryptographic algorithms.

§ See work by Kocher et al. (Differential Power Analysis)

§ Goal is to recover Ki from the analysis

Slide 13

Security attacks

• SIM Cloning (1998)

§ Comp128 algorithm leaked

§ Reverse engineered & cryptanalyzed

• SIM toolkit attacks

§ Fuzzing SMS

§ Send premium SMS

• Cracking SIM Update keys

§ Recover DES OTA keys

§ Signed malicious applets with key

Slide 14

Changing Telco world

§ Goal achieved in last 25 years - “billions users connecting every continent”

§ Next goal - “Connecting billions of devices (m2m devices, vehicles, IoT devices)”

§ SIM to USIM to eSIM

§ Embedded SIM vs Soft SIM

§ New security architecture

Slide 15

Embedded SIM

• Designed for M2M devices

• Non-removable

• No Soft/virtual SIM

• New security standard

• No change in authentication/encryption to the operator

• Security architecture for remote provisioning

Slide 16

2G, 3G and 4G Architecture

Slide 17

Network Components (GSM)

§ HLR stores records of all mobile subscribers

§ MSC/VLR connect wired and wireless components of the network and are responsible for handoffs

§ BS communicates with mobile devices over radio link

§ MS is a subscriber’s mobile device

Slide 18

HLR

§ Stores records of mobile subscribers and their current location serving area

§ Authentication Center (AuC)

§ International Mobile Subscriber Identity (IMSI) of all subscribers

§ Stores crypto keys (Ki) and performs operations for authentication

§ Device level authentication

§ Equipment Identity Register (EIR)

§ Includes a blacklist (e.g., for stolen phones)

§ International Mobile Equipment Identity (IMEI) identifies a mobile device

Slide 19

MSC and VLR

§ The Mobile Switching Center (MSC) delivers circuit switched telephony traffic within the cellular network

§ Gateway MSC is the term given to an MSC bridging the cellular network and another network, e.g., Public Switched Telephone Network (PSTN) or another cellular network.

§ Serving MSC is the term given to an MSC currently serving an MS

§ The MSC also assists handoffs between base stations and billing

§ The Visitor Location Register (VLR) caches information from the HLR for fast lookup by an MSC

§ A particular VLR may serve multiple MSC components (not always)

§ The VLR stores “triplets” from HLR (for authentication)

Slide 20

BSS

§ Base Station Subsystem (BSS) links mobile devices to the core network and consists of

§ Base Transceiver Station (BTS): the transmission radio (multiple directional antennas dividing the cell into sectors)

§ Base Station Controller (BSC): intelligence for radios (includes scheduling and encryption), controlling one or more BTSs

§ Generally referred to as base station and often grouped into Location Areas (LAs) corresponding to geographic regions

§ Devices can move between base stations in an LA without re-registering (handover)

Slide 21

Phone Registration

Slide 22

3G Architecture and Components

Slide 23

3G Architecture and Components (Simplified)

Slide 24

4G Architecture

Slide 25

Authentication in 1G, GSM, 3G

Slide 26

Authentication in 1G networks

§ No authentication

§ No encryption

§ What are possible threats?

Slide 27

Source: Ericsson

Phone Authentication (GSM)

§ Three algorithms (based on 128-bit key, Ki)

§ A3 - Authentication

§ A8 - Generates cipher key

§ A5 - Ciphering data

§ VLR retrieves triplets from HLR (AuC)

§ RAND - random challenge

§ SRES - expected response

§ [SRES = A3(Ki, RAND), 32 bits]

§ Kc - corresponding cipher key

§ [Kc = A8(Ki, RAND), 64 bits]

§ Only the HLR and SIM card know Ki

Slide 28

Security issues in GSM

§ IMSI is transferred in plain text

§ IMEI can be requested in plain text and not authenticated

§ No mutual authentication

§ Encryption ends at the base station

Slide 29

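Authentication/Encryption in GSM

[Figure: Mobile Station (SIM) and GSM Operator connected by the Radio Link. Both sides hold Ki. The operator sends the Challenge RAND; each side runs A3 to produce the signed response (SRES) and A8 to produce Kc; A5 takes Kc and Fn to turn the data mi into Encrypted Data and back. Authentication: are SRES values equal?]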
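The triplet exchange from the slides above, as an added example that is not part of the original slides: the AuC derives (RAND, SRES, Kc) from Ki, the VLR compares SRES without ever holding Ki, and the SIM answers any RAND it is handed, which is the missing mutual authentication listed under the GSM security issues. HMAC-SHA256 is an assumed stand-in for the operator's A3/A8; the IMSI, Ki and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

IMSI = "001010123456789"                                # constructed test identity
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed 128-bit Ki

def a3a8(ki, rand):
    """Stand-in for A3/A8 (assumption: HMAC-SHA256, not COMP128).
    Returns SRES (32 bits) and Kc (64 bits)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """HLR/AuC: holds Ki per IMSI and hands triplets to the VLR."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)

    def triplet(self, imsi):
        rand = os.urandom(16)                 # RAND, the random challenge
        sres, kc = a3a8(self._ki[imsi], rand)
        return rand, sres, kc

class SIM:
    """Card: Ki never leaves it, only SRES and Kc come out."""
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand):
        return a3a8(self._ki, rand)

def vlr_authenticate(auc, sim):
    """VLR: challenge the SIM, compare SRES; returns (authenticated, same_kc)."""
    rand, expected_sres, kc_network = auc.triplet(sim.imsi)
    sres, kc_sim = sim.run_gsm_algorithm(rand)
    return hmac.compare_digest(sres, expected_sres), kc_sim == kc_network

def sim_rejects_unauthenticated_challenge(sim):
    """A bare RAND carries no proof that the sender knows Ki, so the SIM has
    nothing to verify and answers a challenge that no AuC issued."""
    try:
        sim.run_gsm_algorithm(bytes(16))      # constructed RAND, not from the AuC
    except Exception:
        return True
    return False
```
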

Slide 30

Authentication and Key Agreement in UMTS

Slide 31

AKA protocol issue

Slide 32

Source: Arapinis M, Mancini L, Ritter E, Ryan M, Golde N, Redon K and Borgaonkar R (2012), "New Privacy Issues in Mobile Telephony: Fix and Verification", In Proceedings of the 2012 ACM conference on Computer and communications security, pp. 205-216

Security issues in UMTS

§ IMSI is transferred in plain text

§ IMEI can be requested in plain text and not authenticated

§ Encryption ends at RNC but still not end to end

§ Privacy issue – allows tracking of subscribers

Slide 33

Authentication in 4G

Slide 34

Need of LTE Networks

§ Higher data rates

§ up to 100 Mbps

§ High level of security

§ stronger than GSM/3G

§ Enhanced quality of service

§ Capabilities for internetworking with non-3GPP systems (for example WiMAX)

Slide 35

LTE/SAE Networks

§ Radio network E-UTRAN with a new radio interface

§ Flat IP based core network EPC

§ E-UTRAN: Evolved Universal Terrestrial Radio Access Network

§ EPC: Evolved Packet Core

§ LTE: Long Term Evolution

§ SAE: System Architecture Evolution

Slide 36

LTE Security Features

§ Reuse of 3G AKA

§ Reuse of 3G USIM (2G SIM is not allowed)

§ Extended key hierarchy

§ To keep security breaches local

§ More complex internetworking security

§ Additional security for eNodeB (compared to NB in 3G and BTS in GSM)

Slide 37

LTE Network Architecture

Source: ETSI presentation, Charles Brookson – Chairman ETSI OCG Security

Slide 38

New Network Components

§ MME – Mobile Management Entity

§ Key control node

§ User authentication, authorization, NAS signalling, lawful interception etc.

§ eNB

§ Radio resource management

§ IP header compression and encryption

§ Serving Gateway

§ Routes and forwards user data packets

§ Acts as anchor for mobility between LTE and other systems.

Slide 39

Roles of components

Source: Artiza Networks

Slide 40

Authentication and Key Agreement

Slide 41

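LTE AKA protocol (simplified)

[Figure: message sequence between ME+UICC, MME and HSS.

Distribution of AV from HSS to MME: the MME sends IMSI, SNid; the HSS generates the AV and returns RAND, XRES, AUTN, KASME.

Authentication and key establishment: the MME sends RAND, AUTN; the ME+UICC verifies AUTN, computes RES and returns RES; the MME checks RES ≠ XRES; the ME+UICC computes KASME.]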
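The message sequence above, as an added example that is not part of the original slides: the card verifies AUTN before it answers, so a sender without K or a replayed vector is rejected, and KASME is bound to SNid. Assumptions: HMAC-SHA256 stands in for the MILENAGE functions and the 3GPP KDF, AUTN is reduced to SQN plus MAC (no AK concealment or AMF field), and K, the SNid value and all function names are constructed.

```python
import hashlib
import hmac
import os

K = bytes(range(16))        # constructed long-term key shared by USIM and HSS
SN_ID = b"00101"            # constructed serving network identity (SNid)

def prf(key, label, *parts):
    """Stand-in for MILENAGE f1-f5 and the 3GPP KDF (assumption: HMAC-SHA256)."""
    data = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_kasme(k, rand, sqn, sn_id):
    """KASME depends on SNid, so it is only valid for that serving network."""
    return prf(prf(k, b"ck-ik", rand), b"kasme", sn_id, sqn)

def hss_generate_av(k, sqn, sn_id):
    """HSS: generate the AV (RAND, XRES, AUTN, KASME) for the MME."""
    rand = os.urandom(16)
    xres = prf(k, b"res", rand)[:8]
    mac = prf(k, b"mac", rand, sqn)[:8]       # network's proof that it knows K
    return rand, xres, sqn + mac, derive_kasme(k, rand, sqn, sn_id)

def usim_authenticate(k, highest_sqn_seen, rand, autn, sn_id):
    """ME+UICC: verify AUTN, and only then compute RES and KASME."""
    sqn, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, prf(k, b"mac", rand, sqn)[:8]):
        raise ValueError("MAC failure")       # sender does not hold K
    if int.from_bytes(sqn, "big") <= int.from_bytes(highest_sqn_seen, "big"):
        raise ValueError("synch failure")     # replayed or stale vector
    return prf(k, b"res", rand)[:8], derive_kasme(k, rand, sqn, sn_id)

def mme_accepts(res, xres):
    """MME: compare RES with XRES; it never learns K."""
    return hmac.compare_digest(res, xres)
```
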

Slide 42

Key Hierarchy

Slide 43

Motivation for Key Hierarchy

§ Cryptographic key separation

§ Keys from one context cannot be used in other

§ Key renewal

§ Minimize distribution of same secret key elements

§ Key freshness is important for secured systems
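An added sketch (not from the original slides) of the separation and renewal properties listed above, using the key names of the LTE hierarchy below KASME. Assumptions: HMAC-SHA256 with text labels stands in for the 3GPP KDF, the labels and encodings are illustrative rather than the standard's, and the KASME value is constructed.

```python
import hashlib
import hmac

KASME = bytes(range(32))    # constructed 256-bit KASME, as output by AKA

def kdf(parent, label, context=b""):
    """One-way derivation step (assumption: HMAC-SHA256 with a text label)."""
    return hmac.new(parent, label + b"\x00" + context, hashlib.sha256).digest()

def leaf(parent, label):
    """128-bit algorithm key, the key size given on the slides."""
    return kdf(parent, label)[16:]

def derive_hierarchy(kasme, nas_uplink_count):
    """Derive the keys below KASME, one per context (holder and purpose)."""
    # K_eNB takes a counter as input, so each derivation hands the eNodeB a
    # fresh key without running AKA again.
    k_enb = kdf(kasme, b"K_eNB", nas_uplink_count.to_bytes(4, "big"))
    return {
        "K_NASenc": leaf(kasme, b"NAS-enc"),  # UE <-> MME ciphering
        "K_NASint": leaf(kasme, b"NAS-int"),  # UE <-> MME integrity
        "K_eNB": k_enb,                       # the only key sent to the eNodeB
        "K_RRCenc": leaf(k_enb, b"RRC-enc"),  # UE <-> eNodeB signalling ciphering
        "K_RRCint": leaf(k_enb, b"RRC-int"),  # UE <-> eNodeB signalling integrity
        "K_UPenc": leaf(k_enb, b"UP-enc"),    # UE <-> eNodeB user plane ciphering
    }

def keys_exposed_by_enb_compromise(hierarchy):
    """An eNodeB holds K_eNB and its children only; the derivation is one-way,
    so the NAS keys and KASME stay with the MME and the UE."""
    return {name for name in hierarchy if name not in ("K_NASenc", "K_NASint")}
```
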

Slide 44

Security Algorithms

§ Two sets of algorithms – if one breaks, the other one is the backup

§ AES and Snow 3G algorithms are chosen

§ Both are kept as different as possible; cracking of one algorithm should not reveal the other one

§ Integrity Algorithms

§ 128-EIA1 Snow 3G

§ 128-EIA2 AES

§ Ciphering Algorithms

§ 128-EEA1 Snow 3G

§ 128-EEA2 AES

§ Key size 128 bit but possibility of extending to 256 bits

§ Third set based on Chinese ZUC algorithm is developed

Slide 45

Attacks in 2G, 3G, and 4G

Slide 46

Security evolution in mobile networks

[Figure: Phone and Base Station across generations. 2G: no mutual authentication. 3G: mutual authentication, integrity protection. 4G: mutual authentication, deeper mandatory integrity protection. The base station decides encryption/authentication and requests IMSI/IMEI.]

Slide 47

Security aspects

[Figure: Authentication, Availability, Confidentiality, Integrity]

Slide 48

Security aspects and attacks

[Figure: Authentication, Availability, Confidentiality, Integrity, with the attacks Fake BTS, DoS, Interception, Tracking]

Security tradeoffs play essential role in protocol design.

Slide 49

Low cost attacking infrastructure

§ 2G/3G/4G* network setup cost < 1000 USD

§ Open source software & hardware

§ USRP, Osmocom, OpenBTS, OpenLTE, etc

§ IMSI catcher device problem

§ Targeted attacks from illegal actors

§ Almost no detection capabilities for the end-users

Slide 50

Emerging attack examples

Slide 51

IMSI catchers (1)

• Exploit weakness in authentication methods

• Location tracking and interception

• Protection for ‘active attacks’ not considered

• Lack of security indicator implementation

Slide 52

Implementation issues on RAN

From TS 124.008 v11.8.0: If MAC failure, then phone should not communicate with BTS (2G)

Table from the paper “Implementing an Affordable and Effective GSM IMSI Catcher with 3G Authentication”

Slide 53

3G AKA vulnerability (2)

• Linkability attack by Arapinis et al

• Affects 4G as well

Slide 54

3GPP Specification issues

• RRC protocol – 3GPP TS 36.331

• ‘UE Measurement Report’ messages

• Necessary for handovers & troubleshooting

• No authentication for messages

• Reports not encrypted

Slide 55

Vulnerabilities in the feature

[Figure: active attacker sending “Send me Measurement/RLF report”]

Specification

UE measurement reports

– Requests not authenticated

– Reports are not encrypted

Implementations

RLF reports

– Requests not authenticated

– Reports are not encrypted

– All baseband vendors

Slide 56

4G Feature: Mobility Management

Tracking Area Update (TAU) procedure

§ During TAU, MME & UE agree on network mode (2G/3G/4G)

§ “TAU Reject” used to reject some services (e.g., 4G) to UE

Specification vulnerability: Reject messages are not integrity protected

EMM protocol – 3GPP TS 36.331

Slide 57

3GPP Specification issues

• EMM protocol – 3GPP TS 36.331

• ‘Tracking Area Update Reject’ messages

• Necessary for UE mobility

• No integrity protection for reject messages

• Recovery mechanism not effective

Slide 58

Practical Attacks with low cost tools

Slide 59

Location Leaks: tracking subscriber coarse level

[Figure: Semi-passive Attacker (TA/cell), paging, Target. Location Accuracy: 2 Sq. Km. Mapping GUTI to Social Identity.]

Slide 60

DoS Attacks

• Downgrade to non-LTE network services (2G/3G)

• Deny all services (2G/3G/4G)

• Deny selected services (block incoming calls)

• GSM – IMSI detach, RACH flood

• Flooding DoS attacks towards HLR

• Jamming attacks

Slide 61

Trade-off between security and

• Performance

• Availability

• Functionality

• Attacking cost

Reasons for different vulnerabilities

Slide 62

5G Networks Perspective

Authentication

§ Asymmetric keys for IMSI protection

§ Improve AKA protocols

Availability

§ Remove unnecessary protocol messages

§ Effective recovery mechanisms

Slide 63

5G Networks Perspective

Confidentiality & Integrity

§ Encryption Indicators & APIs

§ Dynamic Policies

Slide 64
