Mobile Phone Security

Worldwide wireless phone users

In-Stat/MDR Report• The next five years(2002-2007) will see a slowing of worldwide cellul

ar subscriber growth.• However, there will be more than 931 million new subscribers over t

he next 5 years. • By 2007, the total worldwide wireless population will exceed two billi

on subscribers.• China, in the Eastern Asia region, continues to lead the world in over

all subscriber growth, the new percentage growth leaders are found in Southern Asia and Southeast Asia.

• “It is rather remarkable that the fastest numerically growing country, China, is trailing Africa, Eastern Europe, and the Middle East in Compound Annual Growth Rate,” says Ken Hyers, a Senior Analyst with In-Stat/MDR.

In-Stat/MDR Report• Western Europe’s growth virtually stops during In-Stat/MDR’s 2002-2

007 forecast period, with a CAGR of 1.2%. This can be expected, as the penetration rate in 2007 will be 83.6%.

• Analog will be completely phased out of Western Europe by 2004, and does not expect CDMA to make any inroads in Western Europe. UMTS subscriber growth will come at the expense of GSM.

• In Europe, overall, GSM’s overall market share will decline, from 99.1% in 2002 to 91.4% in 2007. In-Stat/MDR continues to believe that UMTS will not achieve significant market share during this forecast period.

In-Stat/MDR Report

• CDMA will continue to be the single most dominant air link in the US throughout the forecast period. TDMA will be phased out, in favor of GSM, and by the end of the forecast period, TDMA networks will no longer be operational in the US.

• Despite NTT DoCoMo’s strong support for FOMA in Japan, the service faces stiff competition for KDDI’s AU. NTT DoCoMo will not be able to leverage its dominant Share-Of-Market (SOM) vis-à-vis FOMA to surpass AU before 2006.

Characteristics of selected wireless link standards

384 Kbps384 Kbps

56 Kbps56 Kbps

54 Mbps54 Mbps

5-11 Mbps5-11 Mbps

1 Mbps1 Mbps

802.15

802.11b

802.11{a,g}

IS-95 CDMA, GSM

UMTS/WCDMA, CDMA2000

.11 p-to-p link

2G

3G

Indoor

10 – 30m

Outdoor

50 – 200m

Mid rangeoutdoor

200m – 4Km

Long rangeoutdoor

5Km – 20Km

History of Mobile phone technology

Technology 1G 2G 2.5G 3G 4G

Design Began 1970 1980 1985 1990 2000

Implementation

1984 1991 1999 2002 2010?

Service Analog Voice, synchronous data to 9.6kbps

Digital voice, short messages

Higher capacity, packetized data

Higher capacity, broadband data up to 2 Mbps

Higher capacity, completely IP-oriented, multimedia, data to hundreds of megabits

Standards AMPS, TACS, NMT, etc.

TDMA, CDMA,GSM,PDC

GPRS, EDGE,1xRTT

WCDMA, CDMA2000

Single standard

Data Bandwidth

1.9kbps 14.4kbps

384kbps 2Mbps 200Mbps

Multiplexing FDMA TDMA,CDMA

TDMA,CDMA

CDMA CDMA?

Core Network PSTN PSTN PSTN, packet network

Packet network

Internet

History of Mobile phone technology

• Legend:– 1xRTT = 2.5G CDMA data service up to 384 kbps– AMPS = advanced mobile phone service– CDMA = code division multiple access– EDGE = enhanced data for global evolution– FDMA = frequency division multiple access– GPRS = general packet radio system– GSM = global system for mobile– NMT = Nordic mobile telephone– PDC = personal digital cellular– PSTN = pubic switched telephone network– TACS = total access communications system– TDMA = time division multiple access– WCDMA = wideband CDMA

UMTS and all that (2G, 2.5G, 3G)

• Third Generation Mobile Phones: Digital Voice and Data

• ITU-Standard “International Mobile• Telecommunications“ (IMT-2000):

– High-quality voice transmission– Messaging (replace email, fax, SMS, chat, etc.)– Multimedia (music, videos, films, TV, etc.)– Internet access (web surfing + multimedia)

• Single worldwide technology envisioned by ITU, but:– Europe: GSM-based UMTS– US: IS-95 based CDMA2000 (different chip rate, frame time,

spectrum, ..)• Intermediate solutions (2.5G):

– Enhanced Data rates for GSM Evolution (EDGE): GSM with more bits per baud

– General Packet Radio Service (GPRS): packet network over D-AMPS or GSM

• Success of WLAN hotspots endangers 3G solutions!Note: wireless =security hazard

The emerging network of 21st century

CDMA2000 Family of 3G CDMA2000 Family of 3G standardsstandards

•CDMA2000 1X: Double voice capacity; up to 307 kbps packet data speeds; supports advanced services such as MMS, games, location services, picture and music download.

•CDMA2000 1xEV:

– CDMA2000 1xEV-DO: Optimized for packet data services; up to 2.4 Mbps packet data speeds; leverages IP; “always-on” services supporting Internet and Intranet.

– CDMA2000 1xEV-DV: Will provide integrated voice with high-speed packet data services, such as video-conferencing and other multimedia services, at speeds of up to 3.09 Mbps.

First launchedFirst launchedOctober 2000October 2000SK Telecom SK Telecom LG TelecomLG Telecom

First launched First launched

January 2002January 2002SK TelecomSK Telecom

Approved by the ITU Approved by the ITU as part of the IMT-2000 as part of the IMT-2000

family; anticipated family; anticipated commercial commercial

deployment in 2005deployment in 2005

Privacy and Security in GSM

• Criteria that GSM has to meet• GSM services• GSM architecture• GSM security issues

Criteria that GSM has to meet

• GSM– 유럽 표준 이동 통신 규격– Global System for Mobile Communication

• Criteria that GSM has to meet– Good subjective speech quality– Support for international roaming

• GSM 서비스– Bearer service: 음성 , 데이터 , 동화상 등의 정보를

실시간으로 전송할 수 있는 기능– Tele-services: 위의 기능에 정보처리 기능을 추가한 서비스– Supplementary service: 부가 서비스

GSM Architecture

• The geographic area is divided into cells

• Each cell has a Base Station managing the communications

• A set of cells managed by a single MSC is called Location Area

Base Station

VLRMSC

VLR MSC

HLR

MSC Mobile Switching Center

VLR Visitor Location Register

HLR Home Location Register

land link

land link

Radio link

Databases

Switches

Radio Systems

BTS

BSC

MS

MSC MSC GMSC SSP

PSTN

BSS

BSS

HLRVLR VLREIR

SSP

AuC

NSS

PLMNNSS: Network and Switching

Subsystem

EIR: Equipment Identity

Register

AuC: Authentication Center

GMSC: Gateway MSC

BSS: Base Station System

BSC: Base Station

Controller

BTS: Base Transceiver

Station

MS: Mobile Station

SSP: Service Switching Point

GSM Architecture

Databases

Switches

Radio Systems

BTS

BSC

MS

MSC MSC GMSC SSP

PSTN

BSS

BSS

HLRVLR VLREIR

SSP

AuC

NSS

PLMN

GSM Hack

Hard to break

Easy to break

GSM Security

• Security service provided by GSM– Anonymity: not easy to identify the user of

the system– Authentication: operator knows who is using

the system for billing purpose– User Data and Signaling protection: user

data passing over the radio path is protected

• Two security architectures in GSM– Architecture I: uses proprietary algorithms– Architecture II: uses public algorithms

Security Architecture IMobile Device Air Interface Base Station

A3

Km Random # R

A3Km

SRES (Signed RESponse)=?

A8

SRES

A8

KiKi

A5

Message mi

A5

Message mi

Encrypted data

A3: authentication, A8: Key generation, A5: encryption/decryption

GSM Protocol

MOBILE RADIO INTERFACE Base Station / AC

Challenge R (128bit)

Response SRES (32 bit)A3

KI (128 bit)

A3

A5 A5

ENCRYPTED DATA

A8

KC(64 bit)

A8

KC (64 bit)

KI (128 bit)

SIM

?

Authentication and Data Privacy

A random challenge (R) is issued to the mobile

Mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (KI)

Mobile sends response back (SRES) Network checks that the response to the

challenge is correct. A8 algorithm is used to compute session

key ( KC) Data is encrypted using A5 series privacy

algorithms by session key (KC)

Cryptographic Algorithms• Authentication algorithm (A3) and key

generation algorithm (A8) – Implemented in the SIM– Operators can choose their own A3/A8– COMP-128 provided as example algorithm– Can securely pass (RAND,SRES,Kc) while roaming

• Encryption algorithm (A5)– Implemented in the handset– A5/0 - unencrypted– A5/1 - more secure– A5/2 - less secure– A5/3 - 3G mobiles ( coming soon)

GSM Attacks

• Algorithms were kept secret• After reverse-engineering, many attacks:

– Golic, 1997 (A5/1)– Goldberg+Wagner, 1998 (COMP128)– Goldberg+Wagner+Briceno, 1999 (A5/2)– Biryukov+Shamir+Wagner, 2000 (A5/1)– Biham +Dunkelman, 2000 (A5/1)– Ekdahl+Johansson, 2002 (A5/1)– Barkan+Biham+Keller, 2003 (A5/2)+

• COMP128 and A5/2 completely broken, A5/1 weak

SIM Attacks

• Secret key KI is compromised.

• Physical access to SIM is needed.

• COMP-128 leaks KI (April 1998)– Requires about 50K challenges

• Side-channel attacks– Power consumption– Timing of operation– Electromagnetic emanations

• Cloning of SIM is possible

GSM Security Implementation

• A3 implemented within a Smart Card– Tamper proof smart card containing the key

• A5 is in the data path and must be fast (in the phone hardware)– Implemented in low cost, custom ASICs for sp

eed– A5/1 is strong encryption– Weaker A5/2 for export-level encryption

GSM Security Issues• A3 standard has been compromised

– Leaked by accident, vulnerabilities exposed– Can extract key from a SIM -> cloning possible

• A5 standard has also been leaked

• Recently a strong attack against A5/2 and A5/1 was found [CRYPTO 2003]

• Protocol vulnerabilities– Standard supports non-encrypted channel– Could be used by rogue BTS to spoof access– No authenticaton of BTS-> Mobile

GSM Hack [Anderson’97]

• Operator proposes silly challenge– Break my network for money!

• Cambridge University research group– Found nifty solution for problem

• Go after the easy part, not the hard part– Break the network, not the link

GSM Hack

• Equipment– About $20,000 worth of equipment to

intercept authentication information on links btw MSC <-> BSC or BSC <-> BTS

– Operator Response• What challenge?

– PacBell’s “Can’t be cloned” slogan for GSM• Didn’t last long

– Solutions?

Possible solutions

• Aziz & Diffie, Wireless LANs, 1994• Brown, Privacy and Authentication for PCS,

1995• Sam, Identity Privacy for Mobile Users, 19

95• R. Molva, Authentication of Mobile Users,

1994 …

Cryptanalytic Attack

• Weakness in the encryption algorithm

• Session key KC is compromised

• Over the air attack (physical access not required)

A5/2 AlgorithmMajority Function

Majority Function

Majority Function

11011010

100111

10111011

101101

R1 - 19bit

R2 - 22bit

R3 – 23bit

R4 - 17bit

KC (

64 b

it)

+ F

ram

e N

o (2

2 bi

t)

Key

str

eam

(22

8 bi

t)

Clocking Unit

Description of A5/2

• 4 LFSR R1,R2,R3,R4.

• R4 controls the clocking of R1,R2,R3.

• LFSRs are initialized using KC and frame # f.

• After key is loaded, one bit of each register is forced to be set.

• Output (228 bit key stream) is quadratic function of R1,R2,R3.

• 114 bits of key stream are used to encrypt uplink and rest 114 are used for downlink.

Known Plaintext Attack on A5/2

• Session key KC can be found, if internal states of R1,R2,R3,R4 and frame #f are known.– Each bit of registers is represented as variable

• 18+21+22=61 variables.

– Output is quadratic in these variables, linearise them using new variables.• 18+(18*17)/2+21+(21*20)/2+22+(22*21)/2+1 = 656

variables.

– Get 656 linearly independent equations and solve them to get the internal state of the registers.

Known Plaintext Attack (Contd.)

• To get linearly independent equations– C = P key-stream– Output of A5/2: key-stream = C P– For each bit of output one linear equation can

be formed. – Each frame can give 114 equations.– Though there are 656 equations only 61 are

linear and other variables depend upon them. – Around 450 linear equations (4 frames) are

sufficient to get 61 linear variables.

Known Plaintext Attack (Contd.)

• Complexity– Time to solve set of linear equations:

• 6563 228 bit XOR operations for each possible guess of R4.

– Total time for computation:• 244 bit XOR operations. • 239 register XOR operations on 32 bit machine.

– Implementation on PIII 800 MHz required approximately 40 minutes and 54KB memory.

– Complexity can be reduced by doing some pre-computation.

Ciphertext-only Attack on A5/2

• Error correction codes are employed in GSM before encryption.

• Plaintext has highly structured redundancy.

• Complexity– Implementation on a personal computer

recovers KC in less than a second and takes less than 5.5hours for one time pre-computation.

Possible Attack Scenarios

• Eavesdropping conversation (passive listening)

• Call hijacking (man in the middle)• Altering of data messages (SMS)• Call theft (parallel session)

What Went Wrong

• GSM security design process was conducted in secrecy.

• The A5 encryption algorithm was never published.

• The key calculated does not depend on which of the A5 algorithms it is destined to be used with.

• Real time cryptanalysis of A5/2.• The encryption is done after coding for

error correction.

Our Observations

• Attack takes lesser time than authentication timeout.

• No authentication for base station.• Replay attack is possible as nonce or time

stamp are not used.• A5/2 is already broken and A5/1 is weak. Even

changing to A5/3 won’t help.• GSM interceptor/scanners are easily available.• Security problems in mobile communications

are keeping the applications like m-commerce from deployment.

Security Architecture IIMobile Device Air Interface Base Station

C3 C3

M

C8 C8

KiKi

C5

Message mi

C5

Message mi

Encrypted data

C3: authentication, C8: Key generation, C5: encryption/decryption

Mutual Authentication Key Exchange

M

mimi

Architecture – Authentication protocol (C3)

Mobile Device Air Interface Base Station

C3 C3

M

SVC_REQ_PARMS, R1, Certificate(m)

M

Certificate(s), ENCpub_m(SIGpri_s(SVC_REQ_PARMS, R1, M, R2))

ENCpub_s(SIGpri_m(SVC_REQ_PARMS, R2), SIGpri_m(M))

m: mobile user, s: base stationSVC_REQ_PARMS: (IDm,IDs, service_id_key, key_len)R1: rand. # generated by mR2: rand. # generated by sM: rand. bit string generated by s

Authentication Phase

Architecture – Authentication protocol (C3) (Cont’d)

Mobile Device Air Interface Base Station

C3 C3

REL_REQ, IDs, IDm, ENCpub_s(R2,R3)

IDm, IDs, BILL_INFO, R3

Release Phase

Goal : non-repudiation

Architecture – Key generation (C8)

• C8 algorithm processes input data on a byte-by-byte basis.

• Some simulation results show that the key stream generated by C8 algorithm maintain a maximal periods, regardless of input patterns.– We can expect that C8 algorithm

provides strong security property

Architecture – Message Encryption/Decryption (C5)

• C5 algorithm uses stream cipher for encryption/decryption

• The simplest stream cipher is using only the XOR operation– Message Key_stream

Comparison of two architectures

Architecture I Architecture II

Complexity • Fast authentication• Fast key exchange• Fast encryption

• Slow authentication• Key exchange depends on key length• Fast encryption

Security • Authentication is not secure enough• Only the mobile user is authenticated

• Secure authentication• Mutual authentication• Key generation has a long period

Flexibility • A3, A5, A8 are proprietary• SIM stores user’s personal information and A3 algorithm

• C1, C8, C5 are publicly available• SIM only stores user’s personal information

Security Services

• Subscriber identity authentication– Through challenge-response

• User data confidentiality– Through encryption

• Signaling data confidentiality– Through encryption

• Subscriber identity confidentiality– Through temporary identification number

Part IICode Division Multiple

Access (CDMA) Systems

Security Standards in CDMA2000 1XRTT

• Electronic Serial Number (ESN)• Authentication Key (A-key)• CAVE

– dedicated hash with 64-bit key (A-key)

– Challenge response authentication protocol

– Key generation

Security Standards (Contd.)

• Voice privacy – XOR with 520-bit mask for voice data

confidentiality

• ORYX– LFSR-based stream cipher for data

traffic

• CMEA – variable-width block cipher with 2

rounds for control channel

Overview of CDMA Protocol

CAVE

A-key (64)ESN (32)

CAVE

A-key (64)

ESN (32)Rand SSD (56)

SSD_B (64) SSD_A (64) SSD_A (64) SSD_B(64)

CAVE

VPM

CAVE

VPMScrambled Voice

ORYX ORYXEncrypted DATA

CMEA CMEAEncrypted Signaling

Message

CAVE

Broadcast Random

CAVE

?

RAND

AUTHU(18)

Security of A-key

• Security of A-key is important component

• Re-programmable– Factory– Dealer at the point of sale– Subscriber via telephone– Over the air service provisioning

(OTASP)• 512-bit Diffie-Hellman key exchange

Additional Features

• Global challenge – All mobiles are challenged with same random

number– Allows rapid authentication

• Unique challenge – A specific RAND is used for each requesting mobile

• Call history count (6-bit)– Tracked by both, mobile and the network – Provides a way to detect cloning, as the operator

gets alerted if there is a mismatch.

• Anonymity– Temporary Mobile Station Identifier (TMSI)

Cellular Crypto Algorithms

Confidentiality

Authentication

Key Generation

CDMA XOR mask & CMEA (ORYX)

CAVE CAVE

GSM A5/2 or A5/1 (soon: A5/3)

COMP128 (COMP128-2, 3DES-CBC-MAC)

COMP128 (same)

Key: = insecure

Our Observation

• CDMA 2000 1XRTT are comparatively strong

• The problems are due to inefficient implementation.– A-key is kept weak– Call history count is not implemented