IWD2243 Wireless & Mobile Security

Prepared by : Zuraidy Adnan, FITM UNISEL

1

IWD2243Wireless & Mobile Security

Chapter 2 : Security in Traditional Wireless Network


2

2.1 Security in First Generation TWNs 1G TWN – AMPS (Advanced Mobile Phone

System) Designed with very little security – no

encryption Can be intercept using police scanner For authentication – MS send Electronic Serial

Number (ESN) to the network Net verifies valid ESN (clear text) – allows

subscribers access network services. Radio hobbyist – can eavesdrop & capture valid

ESN and use it to commit fraud. Security part been enhanced in 2G TWN


3

2.2 Security in 2nd Generation TWNs Move from analog to digital – design led to

significant improvement in the security Speech coding algorithm, Gaussian Minimum

Shift Keying (GMSK), digital modulation, slow freq hopping, TDMA.

See figure 17.1 : GSM Architecture Network beyond BTS (RBS) is controlled

environment – since it was controlled by service provider

Access network (MS to BTS (RBS)) considered as hostile operating environment


4

2.2 Security in 2nd Generation TWNs (cont.) Anonymity in GSM

ME switch on – identify itself to the network & requesting services from the network.

Location management using IMSI Eavesdropper can capture IMSI over the air, since IMSI and

subscriber identity need to be submitted in location mgmt. Considered as security threat. Anonymity feature – protect the subscriber against someone

who knows the subscriber’s IMSI & try to trace subscribers location + identify call made to or from whom.

Using TMSI – still maintained in VLR/MSC – SIM authenticated with the network, network allocate TMSI to the subscriber.

For all communication with the SIM – used TMSI


5

2.2 Security in 2nd Generation TWNs (cont.) Key establishment in GSM

Key establishment – used to establish some sort of a secret or key between two communicating parties.

GSM security model – uses a128-bit preshared secret key (Ki) for securing ME-to-BTS interface.

Each SIM is embedded with a unique Ki – information which been shared by SIM and the network.

Part of network which hold the unique Ki – AuC


6

2.2 Security in 2nd Generation TWNs (cont.) Authentication in GSM

ME switch on – search for a wireless net to connect to by listening to a certain set of freq.

Found – ME-SIM sends a sign on message to the BTS (RBS) requesting for a network.

BTS contact MSC to decide whether or not to allow the ME-SIM access to the network.

MSC ask HLR to provide it with 5 sets of security triplets.

Sec triplets – 3 numbers – RAND (128bit random number), SRES (32bit signed response to the RAND generated using preshared Ki), and session key Kc (encryption key generated using Ki)


7

2.2 Security in 2nd Generation TWNs (cont.) Authentication in GSM (cont.)

MSC pick one, and use it for current session. RAND sent to the ME via BSC & BTS as a challenge. ME expected to generate SRES to this RAND using A3

algorithm, Ki stored in its SIM. SRES sent back to MSC via BTS & BSC. MSC compares SRES received from ME with SRES

from HLR. Match – MSC safely deduce the ME-SIM has valid Ki.

MSC allow ME to access the network. If SRES do not match – would not allow ME to connect

to the network. See figure 17.2, 17.3 ; page 373.


8

2.2 Security in 2nd Generation TWNs (cont.) Authentication in GSM (cont.)

GSM does not specify how BTS and BSC need to be connected & not specify how to secure it.

GSM authenticate the SIM, not the subscriber. What happen if ME is stolen? GSM core net maintain a database for all valid

equipment (EIR).


9

2.2 Security in 2nd Generation TWNs (cont.) Confidentiality in GSM

Session key Kc been used for providing confidentiality over the wireless ME-BTS interface – A5 algorithm.

A5 – Stream chiper – generates a unique key stream for every packet by using 64bit session key (Kc) and the sequence number of the frame as the input.

What’s wrong with GSM security? No provision for any integrity protection. Limited encryption scope. The GSM chiper algorithm are not published along

with GSM standard.


10

2.2 Security in 2nd Generation TWNs (cont.) What’s wrong with GSM security? (cont.)

Algorithm used for encryption in ME-BTS is no longer secure.

One way authentication. SIM cloning.


11

2.3 Security in 2.5 Generation TWNs Explosive growth of the Internet – Upgrade net

to 2.5G to provide data services. Connecting ME to the Internet GPRS (General Packet Radio Services) –

provide ME with data connectivity to various web servers

GSM – voice call – 1 timeslot GSM – data – multiple timeslots, because the

need of more bandwidth. Interesting implications on the security

architecture.


12

2.3 Security in 2.5 Generation TWNs (cont.) WAP

GPRS provide layer 2 connectivity Constraint for ME for using HTTP and HTML –

bandwidth, memory, CPU, screen size. Wireless Application Protocol (WAP) come in

handy. WAP – open spec that offers standard method to

access internet based content and services from ME

Designed for minimizing bandwidth requirements Information content formatted suitably for ME’s

small screen, low bandwidth, high latency environment – WAE.


13

2.3 Security in 2.5 Generation TWNs (cont.) WAP (cont.)

See figure 17.8 : WAP programming model Client - embedded browser in ME. Server – normal web

server New entity – WAP gateway Embedded browser request using URL – forwarded by

WAP gateway and get info using HTTP & HTML format. WAP gateway role – reformat the content from web

server suitable for WAE transmission and ME display Language used – WML End-to-end security required. Using WTLS in WAP stack. WTLS modeled along the lines of Secure Socket Layer

(SSL)/Transport Layer Security (TLS).


14

2.3 Security in 2.5 Generation TWNs (cont.) WAP (cont.)

TLS – designed for reliable transport layer (ie. TCP), while WTLS – operate for unreliable datagram transport.

WTLS protocol modified to cope with long roundtrip times and limited bandwidth availability.

WTLS optimized to operate with limited processing power and limited memory of ME.


15

2.3 Security in 2.5 Generation TWNs (cont.) Code Security

Applets can be downloaded and can be executed inside ME.

Extremely important to ensure that the applets is not a malicious piece of code that can harm ME.

Its important to have applets been signed by CA. If the subscriber trust the CA, can execute the

applets. In otherwise they can block the execution of the

applets.


16

2.3 Security in 3 Generation TWNs Universal Mobile Telecommunications System

(UMTS) Designed using GSM security as a starting

point – to ensure interoperability between both technologies.

Anonymity in UMTS Builds on the concept of TMSI introduced by GSM. UMTS architecture provides provisions for

encrypting any signaling or subscriber data that might reveal subscriber’s identity.

TMSI located at VLR/MSC, IMSI-TMSI mapping maintain in VLR/MSC


17

2.3 Security in 3 Generation TWNs Key establishment in UMTS

No key establishment protocol, uses 128bit preshared secret key (Ki) between USIM and AuC.

Form the basis for all security in UMTS Authentication in UMTS

Authentication follows GSM authentication model Net authenticate USIM and USIM authenticates the

network See figure 17.10a : UMTS authentication, page 389 See figure 17.10b : UMTS authentication vector

generation, page 390 See figure 17.11 : UMTS response generation at USIM Most provider used COMP128 algorithm for authentication

protocol


18

2.3 Security in 3 Generation TWNs Confidentiality in UMTS

Use KASUMI encryption algorithm, 128bit session key CK.

More secure than A5 – GSM, longer key of encryption

See figure 17.12 : UMTS encryption, page 392. Parameters for f8 (algorithm) :

128bit CK 32bit Count-c – chipering sequence number 5bit Bearer – unique identifier for bearer chanel 1bit Direction – indicates the direction of transmission 16bit Length – indicates the length of key-stream block


19

2.3 Security in 3 Generation TWNs Confidentiality in UMTS (cont.)

The key stream XORed with plaintext = chipertext At the receiving end, chipertext XORed with key

stream = plaintext UMTS security extends the encrypted interface

from BTS back to the RNC


20

2.3 Security in 3 Generation TWNs Integrity protection in UMTS

Using integrity key – IK, derived using authentication process.

See figure 17.13 : UMTS message integrity Parameters in f9 (algorithm) :

128bit IK 32bit integrity sequence number Message Direction 32bit Fresh – perconnection nonce

Output, chipertext MAC-I At the receiving end, the process repeated, XMAC-I The receiver compares XMAC-I with MAC-I, so the receiver

can deduce that the message was not tampered with.


21

2.3 Security in 3 Generation TWNs Putting the pieces together

See figure 17.14 : UMTS Security – Overview, page 396.

Network Domain Security Mobile Application Part (MAP), MAPSEC protocol –

works at the app layer to protect MAP message cryptographically.

See figure 17.15 : MAPSEC, page 399. Key Administration Center (KAC) – establish security

association (SA) with KAC network B. Use Internet Key Exchange (IKE) protocol. 3 mode protection :- no protection, integrity

protection only, integrity with confidentiality.


22

2.3 Security in 3 Generation TWNs Network Domain Security (cont.)

Strongly influenced by IPSec protocol. Instead having MAP in SS7 (MAPSEC), MAP over IP-

based networks. UMTS network designers model MAPSEC along IPSec

lines. See figure 17.16 : MAP over IP-based networks, page

400. KAC replaced by Security Gateway (SEG) Establish SA with Network B, but not distribute SA’s

to its Network Elements (NE) It maintain database of established SAs and database

that specify how and when SAs is going to be used.

Documents

IWD2243 Wireless & Mobile Security