Cryptography in Public Wireless Networks

Mats Näslund, Communication Security Lab, Ericsson Research
[email protected]
Feb 27, 2004



Outline

• Overview of GSM Cryptography
• Some possible “attacks” on GSM
• Overview of WLAN Cryptography
• How problems in one technology can spread to another
• How can you in practice fix a crypto problem when thousands of devices are out there
• Overview of “3G” UMTS Cryptography

GSM Security Overview

History – GSM Security

• Use of a smart card SIM – Subscriber Identity Module, tamper resistant device containing critical subscriber information, e.g. 128-bit key shared with Home Operator
• SIM is the entity which is authenticated, basis for roaming
• Initial GSM algorithms (were) not publicly available and under the control of GSM-A, new (3G) algorithms are open
• GSM ciphering on “first hop” only: stream ciphers using 54/64 bit keys, future 128 bits
• One-sided challenge-response authentication
• Basic user privacy support (“pseudonyms”)
• No integrity/replay protection

GSM crypto is probably (one of) the most frequently used crypto in the world.

History – GSM Security: Access security

Diagram: mobile – Radio Base Station (RBS) – Base Station Controller – MSC (circuit switched) / SGSN (GPRS).

CS – Confidentiality: A5/1, A5/2, A5/3 (new, open)
GPRS – Confidentiality: GEA1, GEA2, GEA3 (new, open)
Authentication: A3 Algorithm

GSM Authentication: Overview

Diagram (Ki is held by the SIM and by the AuC/HLR):
Visited Network: RBS, MSC/VLR. Home Network: AuC/HLR.
MSC/VLR → AuC/HLR: Req(IMSI)
AuC/HLR → MSC/VLR: RAND, XRES, Kc
MSC/VLR → phone: RAND
phone → MSC/VLR: RES
MSC/VLR checks: RES = XRES ?
Kc is passed on to the RBS for ciphering.

GSM Authentication: Details

A3 and A8: Authentication and key derivation (proprietary). A5: encryption (A5/1-4, standardized).

Diagram: the SIM holds Ki (128); rand (128) → A3/A8 → res (32), Kc (64). In the phone, A5/x keyed with Kc and the frame# produces the keystream that encrypts each data/speech frame; the encrypted frame crosses the radio i/f to the Radio Base Station.

(No netw auth, no integrity/replay protection)

Cryptographic Transforms in Wireless

Wireless is subject to

• limited bandwidth
• bit-errors (up to 1% RBER)

As a consequence, most protocols:

• use stream ciphers (no padding, no error-propagation)
• do not use integrity protection (data expansion, loss)

GSM Encryption I: A5/1

Diagram: three LFSRs L1, L2, L3 under clock control (cc), combined into the output.

“shift Li if middle bit of Li agrees with majority of middle bits in L1 L2 L3”

Sizes: 23, 22, 19 bit (i.e. 64 bit keys)
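As an added example (not code from the slides), here is the A5/1 keystream generator built from the rule just quoted: three LFSRs of 19, 22 and 23 bits, each shifted only when its clocking bit agrees with the majority. The register lengths and the majority rule are from the slide; the feedback taps, the clocking-bit positions and the key/frame-number loading order are assumed from the public description of A5/1.

```python
LEN = (19, 22, 23)                                    # R1, R2, R3 lengths (slide)
TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))  # feedback taps: assumed, public A5/1
CLK = (8, 10, 10)                                     # "middle bit" used for clocking: assumed

def majority(a, b, c):
    # majority(a, b, c) = ab + bc + ca over GF(2)
    return (a & b) ^ (b & c) ^ (c & a)

def _shift(regs, i):
    # one regular clock of register i: shift left, new bit 0 = XOR of the tap bits
    fb = 0
    for t in TAPS[i]:
        fb ^= (regs[i] >> t) & 1
    regs[i] = ((regs[i] << 1) | fb) & ((1 << LEN[i]) - 1)

def _clock(regs):
    # irregular clocking: shift Ri iff its clocking bit agrees with the majority,
    # so at least two of the three registers move on every clock
    bits = [(regs[i] >> CLK[i]) & 1 for i in range(3)]
    m = majority(*bits)
    for i in range(3):
        if bits[i] == m:
            _shift(regs, i)

def a5_1_keystream(kc, frame, nbits=228):
    """kc: the 8 bytes of Kc; frame: 22-bit frame number. Returns keystream bits."""
    regs = [0, 0, 0]
    for j in range(64):                # key bits XORed in one by one, regular clocking
        bit = (kc[j // 8] >> (j % 8)) & 1
        for i in range(3):
            _shift(regs, i)
            regs[i] ^= bit
    for j in range(22):                # then the frame number the same way
        bit = (frame >> j) & 1
        for i in range(3):
            _shift(regs, i)
            regs[i] ^= bit
    for _ in range(100):               # warm-up with majority clocking, output discarded
        _clock(regs)
    out = []
    for _ in range(nbits):             # 114 bits per direction = 228 per frame
        _clock(regs)
        out.append(((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1)
    return out

def encrypt_frame(kc, frame, bits):
    # stream encryption of one direction's bits: XOR with the keystream, no padding
    ks = a5_1_keystream(kc, frame, len(bits))
    return [b ^ k for b, k in zip(bits, ks)]
```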

Status of A5/1

All Ax algorithms initially secret.

A5/1 ”leaked” in mid 90’s. A few attacks found.

[Biryukov, Wagner, Shamir 01]: with 300Gb of precomputed data and 2s of known plaintext, Kc is retrieved in 1min.

Little “sister”, A5/2 (reverse-engineered @Berkeley)

GSM Encryption II: A5/2 (Export Version)

majority(a, b, c) = ab + bc + ca

August 2003…

Let’s take a closer look…

A5/2 (clock control)

R4 controls clocking

3 ”associated” bits, one per R1-R3

Ri (i =1,2,3) is clocked iff its ”associated” bit agrees with majority of the 3 bits

(At least two clocked)

The A5/2 Algorithm (details)

First, set all four Ri to zero.

1. Kc (64 bits) bitwise sequentially XORed onto each Ri
2. frame # (21 bits) bitwise sequentially XORed onto each Ri
3. Force certain bit in each Ri to ”1”
4. Run for 99 ”clocks” ignoring output
5. Run for 228 ”clocks” producing output

(This initialization is what the attack exploits…)

Idea behind the attack

A5/2 is highly ”linear”: it can be expressed as a linear equation system in 660 unknown 0/1 variables, of which 64 are the bits of Kc.

If the plaintext is known, each 114-bit frame gives 114 equations.

The only difference between frames is that the frame number increases by one.

After 6 frames (in reality only 4) we have > 660 equations and can solve!

If the plaintext is unknown, one can still attack thanks to the redundancy of the channel coding (SACCH has 227 redundant bits per each 4-frame message).

Attack efficiency

Off-line stage (done once):

Storage for ”matrices”: approx 200MB

Pre-processing time: less than 3 hrs on a PC

On-line attack stage:

Requires 4-7 frames sent from UE on SACCH.

Retrieving Kc then takes less than 1 second.

Hardware requirement: normal PC and GSM capable receiver

Consequence 1: Passive attacks in A5/2 Network (Eavesdropping)

Diagram: 1 RAND, RES (and Kc) exchanged; 2 Cipher start A5/2. An eavesdropper running the new attack on a PC needs < 1 sec of traffic and obtains Kc and the plaintext in < 1 sec.

Consequence 2: Active attacks in any Network (False base-station/man-in-the-middle attacks)

Diagram (false base-station placed between the phone and the real network):
1 RAND (network → false base-station)
2 RAND (false base-station → phone)
3 RES (phone → false base-station)
4 RES (false base-station → network)
5 Cipher start A5/1 (network → false base-station)
6 Cipher start A5/2 (false base-station → phone)
7 Attack: Kc
8 Cipher stop
9 Cipher start A5/1

Consequence 3: Passive + Active attack

Diagram: Record an A5/1 session (1 RAND, RES (and Kc); 2 Cipher start A5/1). Afterwards, a run with the same RAND and 2 Cipher start A5/2 yields Kc, the key of the recorded session.

WLAN (IEEE 802.11b) Security Overview

Wireless LAN (802.11b, WEP) Security

Diagram: k (40-104 bits, fixed per network!) and IV (24 bits, random/per packet) are fed to RC4, which produces the keystream; cipher = (msg || CRC(msg)) ⊕ keystream.

The IV (and hence the keystream) will repeat:
- for sure, after 2^24 msgs
- after 5000 msgs (average)
“two-time pad”

WLAN Security Problem No 2

CRC is linear: CRC(msg ⊕ δ) = CRC(msg) ⊕ CRC(δ)

and so is any stream cipher:

Encr(k, msg ⊕ δ) = Encr(k, msg) ⊕ δ

Diagram: Alice sends c = (m || CRC(m)) ⊕ keystream. Eve replaces it by c’ = c ⊕ (δ || CRC(δ)). Bob computes c’ ⊕ keystream = (m ⊕ δ) || CRC(m ⊕ δ), which passes the CRC check.
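Added example, not from the slides, of the two properties above in working code: keystream reuse cancels out to the XOR of two plaintexts, and the CRC survives a bit-flip because both the stream cipher and CRC-32 are linear; a keyed HMAC is included as the kind of tag that would have caught the change. The keystream is a constructed stand-in for RC4 output, and the CRC(0…0) term is the constant that makes the identity exact for the standard CRC-32.

```python
import hashlib
import hmac
import zlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def demo_keystream(n):
    # constructed stand-in for the RC4 keystream of one (k, IV) pair; not RC4 itself
    out, seed = b"", b"constructed WEP demo keystream"
    while len(out) < n:
        out += hashlib.sha256(seed + len(out).to_bytes(4, "big")).digest()
    return out[:n]

def icv(msg):
    return zlib.crc32(msg).to_bytes(4, "little")       # WEP's ICV is a plain CRC-32

def wep_protect(msg, keystream):
    # cipher = (msg || CRC(msg)) XOR keystream, as in the slide diagram
    return xor(msg + icv(msg), keystream)

def wep_open(cipher, keystream):
    # all a WEP receiver can check: the CRC must match after decryption
    pt = xor(cipher, keystream)
    return pt[:-4] if icv(pt[:-4]) == pt[-4:] else None

def crc_is_linear(a, b):
    # CRC-32 is affine over GF(2): CRC(a ^ b) == CRC(a) ^ CRC(b) ^ CRC(0...0)
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))
    return zlib.crc32(xor(a, b)) == rhs

def flip_bits(cipher, delta):
    # Eve's c' = c ^ (delta || CRC(delta)) from the slide; the CRC(0...0) term is the
    # constant that makes the identity exact for the pre-/post-inverted CRC-32
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return xor(cipher, delta + icv_delta)

def two_time_pad(cipher1, cipher2):
    # same IV => same keystream => c1 ^ c2 == p1 ^ p2 (the keystream cancels out)
    return xor(cipher1, cipher2)

def mac_protect(key, msg):
    # what WEP lacked: a keyed tag an attacker cannot recompute after flipping bits
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def mac_open(key, tagged):
    msg, tag = tagged[:-32], tagged[-32:]
    ok = hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)
    return msg if ok else None
```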

WLAN Security Problem No 3

RC4 has only one “input”, the key: RC4(k), with no place for the IV.

This is “solved” by appending: the RC4 key is IV || k.

[Fluhrer, Mantin, Shamir, 2001]: The first bits of the RC4 key have significant “influence” on the RC4 output. Even if k is 1000 bits, knowing IVs makes it possible to break the WLAN encryption.

WLAN Security Problem No 4

Authentication protocol (diagram): the access point sends chall; the station, holding k, answers res = chall ⊕ keystream, where keystream = RC4(k); the access point checks chall ⊕ keystream = res.

Observing a single “authentication” enables impersonation…

WLAN-Cellular Interworking Architecture

Diagram: the 3GPP Home Network (HLR, AuC, HSS, AAA) connects over Gr (MAP) and Radius/Diameter to a 3GPP Visited Network (UTRAN: Node Bs and RNC; SGSN over Iu; GGSN/FA over Gn) and, via a proxy AAA, to a WLAN “HOTSPOT” (WRAN: APs, WSN/FA) over IP, onward to the Internet/Intranet. Signalling and user data, signalling data, subscriber management and charging/billing flow between them. E.g. SIM access over Bluetooth or SIM reader.

Motive: Mobile operators want to offer “hot-spots” for subscriber base.

WLAN/GSM Interworking Problems

GSM Security is not perfect, but “astronomically” better than WLAN (WEP). Can SIM re-use in WLAN threaten also GSM (and conversely)?

WLAN improvements under way, but will take some time.

Major GSM upgrades not feasible (expensive, and we will soon have 3G anyway…)

Security Placement in Protocol Stack

Diagram:
L5 (application) / L4 (transport): “TLS/SSL”
L3 (networking): “IPsec”
L2 (media access control): WLAN sec
L1 (physical): GSM sec

Fix by “gluing” on higher layers, invisible to lower layers.

Security problems, risk of bad “interaction”.

Problem 1: Bad WLAN Encryption/Integrity

Awaiting WLAN fix, use e.g. IPsec and keys derived from SIM (through a function f( )).

Problem 2: Key Material Need

SIM can only provide one 64-bit key, good encryption + integrity might need e.g. 256 bits.

Solution: bootstrap on top of SIM procedure

Diagram: Network → SIM/Terminal: RAND1, RAND2,…; K1 = A8(RAND1), K2 = A8(RAND2), …, each passed through f, a one-way function, to avoid possibly weak A8 variants.

Problem 2: WLAN Replay Attacks

Anybody can put up a “fake” WLAN AP at a very modest cost.

Record-GSM-then-WLAN-replay attacks possible.

Network authentication must be added.

Diagram: SIM/Terminal → Network: RAND0; Network → SIM/Terminal: RAND1, RAND2,…, MAC(k, RAND0,…); K1 = f(A8(RAND1)), K2 = f(A8(RAND2)), …; the terminal checks the MAC.
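Added example (not Ericsson's code) of the bootstrap sketched in the last two diagrams: the terminal's RAND0, several RANDs from the network, K_i = f(A8(RAND_i)) folded into a 256-bit key, and a MAC that the terminal checks so that a fake AP replaying a recorded exchange is rejected. A3/A8, f and the MAC are all HMAC-SHA256 stand-ins here, an assumption of this example, since the real A3/A8 are proprietary.

```python
import hashlib
import hmac

def sim_a3a8(ki, rand):
    # constructed stand-in for the proprietary A3/A8 in the SIM: (RES 32 bits, Kc 64 bits)
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]

def f(kc, *context):
    # the one-way function of the slide: Kc is never used directly, so a weak A8
    # variant cannot expose the session key; the context binds the output to this run
    return hmac.new(kc, b"".join(context), hashlib.sha256).digest()

def session_key(kcs, rands, rand0):
    # K = f(A8(RAND1)) || f(A8(RAND2)) || ... folded to 256 bits: several 64-bit Kc
    # values give enough material for separate encryption and integrity keys
    material = b"".join(f(kc, rand, rand0) for kc, rand in zip(kcs, rands))
    return hashlib.sha256(material).digest()

def auc_triplets(ki, rands):
    # home AuC: GSM triplets (RAND, XRES, Kc); the WLAN side never sees Ki
    return [(r,) + sim_a3a8(ki, r) for r in rands]

def network_respond(triplets, rand0):
    # network side: derive K from the triplets' Kc values and prove knowledge of it
    # with a MAC over the terminal's RAND0 and the RANDs it is sending
    rands = [t[0] for t in triplets]
    k = session_key([t[2] for t in triplets], rands, rand0)
    mac = hmac.new(k, rand0 + b"".join(rands), hashlib.sha256).digest()
    return rands, mac

def terminal_check(ki, rand0, rands, mac):
    # terminal side: run each RAND through the SIM, rebuild K, check the MAC;
    # a (RANDs, MAC) recorded from an earlier run fails because RAND0 is fresh
    kcs = [sim_a3a8(ki, r)[1] for r in rands]
    k = session_key(kcs, rands, rand0)
    expected = hmac.new(k, rand0 + b"".join(rands), hashlib.sha256).digest()
    return k if hmac.compare_digest(expected, mac) else None
```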

Problem 3: GSM Replay Attacks

GSM has no replay protection either.

Record-WLAN-then-GSM-replay attacks possible.

Too expensive to add GSM network authentication.

Previous A5/2 problems must be fixed (As seen, also needed for GSM security as such)

Ideas for GSM (A5/2) Improvements

Requirements

There are millions of mobile phones and SIMs and thousands of pieces of network-side equipment that potentially need upgrades to fix the A5/2 problems. Need to affect as little as possible.

Recall the “security-relevant” nodes: RBS and MSC/VLR (Visited Network), AuC/HLR (Home Network).

Possible fix I

Diagram: 1 RAND, RES (and Kc); 2 Cipher start A5/x

Home net (HLR/AuC) signals ”special RAND” (fixed 32-bit prefix) and algorithm policy in RAND: A5/x allowed iff xth bit of RAND = 1

+ Simple (Home net+phone)

- 40 bits of RAND ”stolen”, impact on security?

Possible fix II (Ericsson)

+ Simple (visited net+phone)

+ Security ”understood”, key separation

- Relies more on visited net

Diagram: RAND → SIM (in the phone) → Kc; f applied to Kc and Alg_id gives a separate key for each A5/x, which then encrypts the frame. New alg: A5/x’
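Added example (not from the slides or from Ericsson) that puts both fixes into phone-side code: for fix I, parsing the ”special RAND” and refusing a cipher-start command for an algorithm the home network's policy does not allow; for fix II, deriving a separate key per algorithm from Kc. The prefix value, the byte layout of the policy bits and the choice of f (HMAC-SHA256 truncated to 64 bits) are assumptions, the slides give only the sizes.

```python
import hashlib
import hmac

SPECIAL_PREFIX = bytes.fromhex("5a5a5a5a")   # placeholder for the fixed 32-bit prefix

def make_special_rand(allowed_algs, random_part):
    # home network side (fix I): 32-bit prefix, 8-bit policy (bit x = A5/x allowed),
    # then the remaining 88 random bits; 40 bits of RAND are "stolen" this way
    if len(random_part) != 11:
        raise ValueError("need 88 random bits")
    policy = 0
    for x in allowed_algs:
        policy |= 1 << x
    return SPECIAL_PREFIX + bytes([policy]) + random_part

def parse_special_rand(rand):
    # phone side: the allowed set of A5/x, or None for an ordinary (legacy) RAND.
    # A random legacy RAND matches the prefix with probability 2^-32 and would then
    # be misread as a policy; that is part of the "impact on security?" question
    if len(rand) != 16 or rand[:4] != SPECIAL_PREFIX:
        return None
    return {x for x in range(8) if (rand[4] >> x) & 1}

def accept_cipher_start(rand, alg):
    # phone-side decision on a "Cipher start A5/alg" command following this RAND
    allowed = parse_special_rand(rand)
    if allowed is None:
        return True            # legacy RAND: pre-fix behaviour, nothing to enforce
    return alg in allowed      # e.g. a relayed "Cipher start A5/2" is refused

def separate_key(kc, alg):
    # fix II: Kc' = f(Kc, Alg_id), here f = HMAC-SHA256 truncated to 64 bits (assumed).
    # A Kc' recovered from A5/2 traffic says nothing about the Kc' used with A5/1 or A5/3.
    return hmac.new(kc, b"A5/" + bytes([alg]), hashlib.sha256).digest()[:8]
```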

UMTS Security Overview

3G Security – UMTS, Improvements to GSM

• Mutual Authentication with Replay Protection
• Protection of signalling data
  – Secure negotiation of protection algorithms
  – Integrity protection and origin authentication
  – Confidentiality
• Protection of user data payload
  – Confidentiality
• “Open” algorithms (block-ciphers) basis for security
  – AES for authentication and key agreement
  – Kasumi for confidentiality/integrity
• Security level (key sizes): 128 bits
• Protection further into the network

UMTS – Security

Diagram: Node B – Radio Network Controller – MSC / SGSN. Integrity & Confidentiality: UIA & UEA algorithms (based on KASUMI), applied between the terminal and the Radio Network Controller.

UMTS – Authentication and Key Agreement AKA

Diagram (Ki is held by the SIM and by the AuC/HLR):
Visited Network: RBS, MSC/VLR. Home Network: AuC/HLR.
MSC/VLR → AuC/HLR: Req(IMSI)
AuC/HLR → MSC/VLR: RAND, XRES, CK, IK, AUTN
MSC/VLR → phone: RAND, AUTN (AUTN allows check of authenticity and “freshness”)
phone → MSC/VLR: RES
MSC/VLR checks: RES = XRES ?
IK: integrity protection key

Looks a lot like GSM, but…

UMTS AKA Algorithms

Diagram: AUTN, XRES, CK and IK are computed from Ki and RAND with the block cipher E_k = AES.

UMTS Encryption: UEA/f8

Diagram: CK (128 bits). The 64-bit input COUNT || BEARER || DIR || 0…0 is first passed through Kasumi under CK masked with a constant m, giving an offset; this offset, combined with a block counter c = 1, 2, …, B, is fed through further Kasumi calls under CK, each producing one keystream block.

“Provably” secure under assumptions on Kasumi

“Masked” offset avoids known input/output pairs

“Counter” avoids short cycles

Inside Kasumi (actually: MISTY)

Diagram: the 64-bit block is split into two 32-bit halves and goes through 8 rounds of FO (with round key k) in a Feistel structure. FO consists of 3 rounds of FI on 16-bit halves. FI applies the S-boxes S9, S7, S9 to 9-bit and 7-bit halves.

UMTS Integrity Protection: UIA/f9

Diagram: COUNT || FRESH and the message blocks M1, M2, …, MB are chained through Kasumi under IK, CBC-MAC style; a final Kasumi call with a modified key gives the MAC (left 32 bits). Variant of CBC-MAC.

(Used only on signaling, not on user data)

Comparison of Security Mechanisms

                      GSM                          GPRS                         WCDMA
Confidentiality
 - Algorithm          A5/1 & A5/2    A5/3          GEA1 & GEA2    GEA3          UEA (f8)
 - Key length         64 (54)        64 (128)      64 (40)        64 (128)      128
 - Public review      No             “Yes”         No             No            Yes
 - Signalling         Yes            Yes           Yes            Yes           Yes
 - User data          Yes            Yes           Yes            Yes           Yes
 - Deployed           Yes            No            Yes            No            ongoing
Integrity
 - Algorithm          -              -             -              -             UIA (f9)
 - Key length         -              -             -              -             128
 - Tag length         -              -             -              -             32
 - Public review      -              -             -              -             Yes
 - Signalling         -              -             -              -             Yes
 - User data          -              -             -              -             No
 - Deployed           -              -             -              -             ongoing

Any Public Key Techniques?

So far, only mentioned symmetric crypto, but public key is also used, typically for key-exchange (RSA, Diffie-Hellman, elliptic curves…):

• on “application level”, e.g. WAP

• for inter-operator signaling traffic

In general, too heavy for “bulk” use.

Summary

• Despite some recent attacks on GSM security, “2G” security is so far pretty much a success story
  – Main reason: convenience and invisibility to user
• Insecurity in one system can affect another when interacting
• “Fixing” bad crypto is easier said than done, practical cost is an issue
• “3G” crypto significantly more open and well-studied, hence higher confidence

The End