Network Security, Chapter 6. Security in Traditional Wireless Networks


Objectives

– Security in first-generation TWNs
– Security in second-generation TWNs
– Security in 2.5-generation TWNs
– Security in 3G TWNs
– Summary

Security in 1G TWNs

– To the designers, security was not a priority: they had too many other problems to solve first.
– The AMPS radio interface was analog, and AMPS used no encryption.
– Authentication: the mobile station sends its ESN (Electronic Serial Number) to the MTSO in clear text over the air interface.
– Anyone with a suitable receiver can eavesdrop on cellular telephone conversations.
– Anyone who captures a valid ESN over the air can clone the phone.


Security in 2G TWNs

Security in 2G TWNs

– GSM uses a digital system.
– Everything beyond the BTS is considered a controlled environment.
– The design aims to secure only the access network (the MS/ME–BTS link).

Anonymity in GSM

IMSI (International Mobile Subscriber Identity)
– The MS informs the network of its new location when it crosses a cell boundary.
– This allows the network to route an incoming call to the correct cell.
– If an eavesdropper can capture the IMSI over the air, they can determine the identity of the subscriber and their location.

TMSI (Temporary Mobile Subscriber Identity)
– Once a SIM has authenticated with the network, the VLR allocates a TMSI to the subscriber.
– GSM protects against subscriber traceability by using the TMSI instead of the IMSI on the air interface.
– The TMSI has only local significance (within the VLR area that assigned it).
– The IMSI–TMSI mapping is maintained in the VLR/MSC.
– When the mobile station is switched off, it stores the TMSI on the SIM card so that the TMSI is available when it is switched on again.
– Caveat: the IMSI is still sent in clear whenever no valid TMSI is available (first sign-on, or when the VLR cannot resolve the TMSI and asks for the IMSI).


Key Establishment in GSM

– There is no key establishment protocol in the GSM security architecture.
– A 128-bit pre-shared key Ki is used instead.
– Ki is stored in the SIM and in the AuC (Authentication Centre); it never leaves either.


Authentication in GSM

(1) MS → BTS: sign-on message {IMSI or TMSI}
(2) MSC → HLR: request 5 triplets {RAND, SRES, Kc}
(3) HLR → MSC: send 5 triplets
(4) MSC → MS: RAND
(5) MS → MSC: SRES (computed by the SIM from RAND and Ki)
(6) MSC compares the received SRES with the SRES in the triplet; if they match, the MS is authenticated. The BSC–MSC–HLR channels are assumed to be secure.

Authentication in GSM: why request 5 triplets?

– To improve roaming performance.
– Instead of contacting the HLR for security triplets each time an ME roams into its coverage, the MSC gets five sets of triplets: one for the current authentication and four for future use.


Authentication and ciphering information transmission

Session Key Kc Generation

– Algorithm A8 takes Ki (128 bits) and RAND (128 bits) as input.
– Output: Kc (64 bits), of which only 54 bits are effective; the remaining 10 bits are set to zero.
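The GSM authentication exchange and Kc derivation described above, as an added example that is not part of the original slides. The operator-specific A3/A8 algorithm (COMP128 in many SIMs) is not public, so a keyed HMAC stands in for it; the class names (AuC, SIM, MSC), the IMSI and the Ki value are constructed for the example. The code also shows three of the weaknesses discussed later in the chapter: the SIM answers any RAND (one-way authentication), and the triplet request to the AuC is not authenticated.

```python
import hmac
import hashlib
import os

# Stand-in for the operator-specific A3/A8 (assumption: HMAC-SHA256 keyed with Ki).
# It only mimics the interface (Ki, RAND) -> (SRES, Kc), not the real algorithm.
def a3_a8(ki: bytes, rand: bytes) -> tuple:
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]                                        # A3: 32-bit signed response
    kc_int = int.from_bytes(digest[4:12], "big") & ~0x3FF     # A8: 64-bit Kc ...
    return sres, kc_int.to_bytes(8, "big")                   # ... low 10 bits zero: 54 effective bits


class AuC:
    """HLR/AuC: holds Ki per IMSI and issues (RAND, SRES, Kc) triplets."""
    def __init__(self):
        self.keys = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self.keys[imsi] = ki

    def triplets(self, imsi: str, n: int = 5, rng=os.urandom) -> list:
        # The requester is not authenticated: anyone who can deliver this SS7
        # message gets triplets back, i.e. the AuC is an SRES oracle for chosen RANDs.
        ki = self.keys[imsi]
        out = []
        for _ in range(n):
            rand = rng(16)
            sres, kc = a3_a8(ki, rand)
            out.append((rand, sres, kc))
        return out


class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki

    def respond(self, rand: bytes) -> tuple:
        # One-way authentication: the SIM answers any RAND it is given and has
        # nothing with which to tell a genuine BTS from a rogue one.
        return a3_a8(self.ki, rand)


class MSC:
    """MSC/VLR: fetches five triplets at a time and uses one per authentication."""
    def __init__(self, auc: AuC):
        self.auc = auc
        self.cache = {}        # imsi -> unused triplets

    def authenticate(self, sim: SIM) -> tuple:
        if not self.cache.get(sim.imsi):
            self.cache[sim.imsi] = self.auc.triplets(sim.imsi)   # steps (2)/(3)
        rand, xsres, kc = self.cache[sim.imsi].pop(0)             # step (4): RAND over the air
        sres, _ = sim.respond(rand)                               # step (5): SRES back; Kc never sent
        return hmac.compare_digest(sres, xsres), kc               # step (6)


def rogue_bts_queries(sim: SIM, rands: list) -> list:
    """A rogue BTS sends chosen RANDs and collects (RAND, SRES) pairs for cryptanalysis."""
    return [(r, sim.respond(r)[0]) for r in rands]


if __name__ == "__main__":
    ki = bytes(range(16))            # constructed key, not real subscriber data
    imsi = "001010123456789"         # constructed test IMSI
    auc = AuC()
    auc.provision(imsi, ki)
    msc = MSC(auc)
    ok, kc = msc.authenticate(SIM(imsi, ki))
    print("authenticated:", ok, "Kc:", kc.hex(), "triplets left:", len(msc.cache[imsi]))
```

A SIM clone (same IMSI, same Ki) authenticates exactly like the original, which is why Ki recovery is the goal of the attacks on the following slides.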

Authentication

– GSM assumes that the core network beyond the BSC is secure.
– The BTS–BSC link is not part of the core.
– GSM does not specify how this link is to be connected.
– In practice it is often a microwave link.
– It is therefore susceptible to interception and other attacks.

Protection against equipment theft
– GSM authenticates the SIM card, not the subscriber holding it.
– When an ME is stolen, the user reports it to the service provider.
– The service provider keeps a list of the compromised SIM cards.

Confidentiality in GSM

– Provides confidentiality over the wireless (ME–BTS) interface only.
– A5: the GSM standard stream-ciphering algorithm family.
  – A5/0: no encryption.
  – A5/1 (54-bit effective key): the original algorithm, used by member countries of CEPT (European Conference of Postal and Telecommunications Administrations).
  – A5/2 (16-bit effective strength): the deliberately weakened export version for countries that are not CEPT members.
  – A5/3: the KASUMI-based algorithm introduced with 3G.
– Implemented in the hardware of the ME.
– Kc is the encryption key.

What's wrong with GSM Security?

– No provision for integrity protection of data or signalling messages.
  – Open to man-in-the-middle attacks: a flipped ciphertext bit is simply a flipped plaintext bit, and nothing detects it.
– Only the ME–BTS interface is secured.
  – The BTS–BSC interface is not cryptographically protected.
  – This link is sometimes wireless (microwave), which makes it an attractive target.
– The cipher algorithms (the A5 family) were not published with the GSM standards, which prevented public review.
– Small key length: Kc is 64 bits, of which only 54 are effective (10 are zero). Big enough to resist real-time attacks, but weak against off-line attacks.
– The GSM security architecture is inflexible: algorithms are difficult to replace.

What's wrong with GSM Security? (continued)

SIM cloning: recover Ki from the SIM card
– Chosen-plaintext attack on (RAND, SRES) pairs: 8 adaptively chosen plaintexts within a minute.
– Recover Ki using differential cryptanalysis or a side-channel attack.
– (1) Physical access to the SIM card, communicating with it through a smartcard reader.
  – Ki can be recovered in a matter of hours.
– (2) Wireless contact over the air interface.
  – The attacker must be capable of masquerading as a rogue BTS.
  – The ME is moving, so there is usually not enough time to collect enough (chosen-plaintext, ciphertext) pairs.

SIM cloning (continued)
– (3) Have the AuC generate the SRES for chosen RANDs instead of using the SIM.
  – Exploits the lack of security in the SS7 signalling network.
  – The core signalling network is not cryptographically protected, and incoming messages are not verified for authenticity.
  – So it is possible to use the AuC as an oracle that generates SRESs for chosen RANDs.

What's wrong with GSM Security? (continued)

– Cipher keys and authentication values are transmitted in clear within and between networks.
  – The signalling system is vulnerable to interception and impersonation.
– One-way authentication: the network is never authenticated to the ME.
  – An attacker can masquerade as a BTS and hijack the ME.
– The service provider can choose null encryption (A5/0), and the ME is allowed to connect anyway.


Security in 2.5 Generation TWNs

Security in 2.5G (GPRS) TWNs

– For the data service, GPRS allocates multiple time slots to one MS.
– Encryption/decryption endpoints are the MS and the SGSN.
  – This also protects the BTS–SGSN link, which GSM left unprotected.


GPRS Authentication and Key Derivation

WAP (Wireless Application Protocol)

– GPRS allows the ME to connect to the Internet.
– End-to-end security is required.
– HTTP/HTML is not optimized for the ME (CPU power, screen, bandwidth, memory).

WAP (Wireless Application Protocol)

• WAP Gateway: translates between WTP/WML on the wireless side and HTTP/HTML on the Internet side.
• WTLS (Wireless Transport Layer Security): similar to TLS, intended to provide end-to-end security.
• Caveat: because the gateway converts WTLS to TLS, data is decrypted and re-encrypted at the gateway, so the gateway sees plaintext and the protection is not truly end-to-end.

Code Security

– An ME in GPRS can download and run applets.
– A malicious applet can harm the ME.
– Applets are signed by CAs. Before executing an applet, the subscriber can be informed of which CA signed it.
– If the subscriber trusts that CA, they can allow the applet to be executed on their ME.


Security in 3G TWNs

Security in 3G TWNs

UMTS (Universal Mobile Telecommunications System) Security Architecture
– Designed using GSM security as the starting point.
– Adopts the GSM features that have proved to be secure.
– Redesigns the features that have been found to be weak.
– Ensures interoperability between GSM and UMTS.


Building on GSM Security-Architecture


UMTS Security Architecture overview

Anonymity in UMTS: a chicken-and-egg situation

– First, the ME identifies itself (its IMSI) to the network.
– TMSI allocation should be performed after ciphering has started, to ensure the TMSI is protected.
– Ciphering cannot start unless CK (cipher key) has been established between the USIM and the network.
– CK cannot be established unless the network first identifies the subscriber using its IMSI.

VLRo: old (previous) VLR; VLRn: new VLR
– ME → VLRn: TMSI_old (the previous one)
– VLRn → VLRo: request the IMSI corresponding to this TMSI
– If VLRn cannot retrieve it, it requests the ME to identify itself by its IMSI (sent in clear).
– Now AKA starts, or a previously established set of keys is used.
– Can you identify UMTS's bottom line? See the textbook.

AKA

– After completion of the AKA (authentication and key agreement) procedure, CK and IK are established between the USIM and the network.
– Now a new TMSI is assigned to the ME, under ciphering.
– SQN (sequence number): could be exploited to trace a subscriber.
  – The network maintains a per-subscriber SQN.
  – It needs to be concealed on the air interface.
  – AK (anonymity key) is XORed with SQN to protect against traceability.

Key establishment in UMTS

– There is no key establishment protocol in UMTS either.
– A 128-bit pre-shared secret key Ki is shared between the USIM and the AuC.
– Authentication in UMTS is mutual: the USIM also verifies the network.

Authentication in UMTS

(1) USIM → VLR/MSC: sign-on
(2) VLR → AuC/HLR: authentication data request
(3) AuC → VLR: authentication vectors (several sets of authentication data)
(4) VLR selects the first vector and stores the rest.
(5) VLR → USIM: RAND (128 bits), AUTN (128 bits)
(6) USIM: if the MAC in AUTN equals the locally computed XMAC and SQN is in the correct range, the network is authenticated.
(7) If verification is OK, USIM → VLR: RES
(8) VLR: if RES equals the XRES from the AuC, the USIM is authenticated.


AKA Variables and Functions

UMTS Authentication Vector Generation

• AMF: Authentication Management Field
• Computed in the HLR/AuC at the VLR's request (step 2 above)

UMTS Response Generation at USIM

(1) RAND and AUTN arrive from the VLR
(2) Inside the USIM: compute AK, recover SQN, compute XMAC and compare it with the MAC in AUTN, check the SQN range, then compute RES, CK and IK
(3) Send RES to the VLR
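The eight-step UMTS AKA exchange, the vector generation in the AuC and the response generation in the USIM above, as one added example that is not part of the original slides. MILENAGE itself is not reproduced: the functions f1 to f5 are stood in for by a tag-separated HMAC-SHA256 (an assumption), with UMTS-sized outputs (MAC-A 64 bits, CK and IK 128 bits, AK 48 bits, SQN 48 bits). The AMF value, the acceptance window for SQN, the IMSI and the key are constructed for the example. Unlike the GSM exchange, the USIM here rejects a replayed (RAND, AUTN) pair and a forged AUTN.

```python
import hmac
import hashlib
import os

# Stand-in for MILENAGE f1..f5 (assumption: one HMAC-SHA256 keyed with K,
# domain-separated by a tag byte). Output sizes follow UMTS; the internals do not.
def _f(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _f(k, b"\x01", rand, sqn, amf)[:8]   # MAC-A (64 bit)
def f2(k, rand):           return _f(k, b"\x02", rand)[:8]            # RES / XRES
def f3(k, rand):           return _f(k, b"\x03", rand)[:16]           # CK (128 bit)
def f4(k, rand):           return _f(k, b"\x04", rand)[:16]           # IK (128 bit)
def f5(k, rand):           return _f(k, b"\x05", rand)[:6]            # AK (48 bit)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x80\x00"   # constructed Authentication Management Field value


class AuC:
    """HLR/AuC: per-subscriber K and SQN_HE; builds authentication vectors (steps 2/3)."""
    def __init__(self):
        self.subs = {}          # imsi -> [K, SQN_HE]

    def provision(self, imsi: str, k: bytes) -> None:
        self.subs[imsi] = [k, 0]

    def auth_vectors(self, imsi: str, n: int = 5, rng=os.urandom) -> list:
        k, sqn = self.subs[imsi]
        vectors = []
        for _ in range(n):
            sqn += 1                                  # fresh SQN per vector
            rand = rng(16)
            sqn_b = sqn.to_bytes(6, "big")
            mac = f1(k, rand, sqn_b, AMF)
            # AUTN = (SQN xor AK) || AMF || MAC : 6 + 2 + 8 bytes = 128 bits.
            autn = xor(sqn_b, f5(k, rand)) + AMF + mac
            vectors.append((rand, f2(k, rand), f3(k, rand), f4(k, rand), autn))
        self.subs[imsi][1] = sqn
        return vectors


class USIM:
    WINDOW = 32   # assumed acceptance window for the SQN freshness check

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.sqn_ms = imsi, k, 0

    def challenge(self, rand: bytes, autn: bytes) -> tuple:
        """Step 6: authenticate the network; step 7: produce RES, CK, IK."""
        ak = f5(self.k, rand)
        sqn_b = xor(autn[:6], ak)            # AK conceals SQN on the air; undo it
        amf, mac = autn[6:8], autn[8:16]
        xmac = f1(self.k, rand, sqn_b, amf)
        if not hmac.compare_digest(xmac, mac):
            raise ValueError("MAC failure: network not authenticated")
        sqn = int.from_bytes(sqn_b, "big")
        if not (self.sqn_ms < sqn <= self.sqn_ms + self.WINDOW):
            raise ValueError("synchronisation failure: SQN out of range (replay?)")
        self.sqn_ms = sqn
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


class VLR:
    def __init__(self, auc: AuC):
        self.auc, self.store = auc, {}

    def authenticate(self, usim: USIM) -> tuple:
        """Steps 1-5 and 8: use one vector per run, keep the rest (step 4)."""
        if not self.store.get(usim.imsi):
            self.store[usim.imsi] = self.auc.auth_vectors(usim.imsi)
        rand, xres, ck, ik, autn = self.store[usim.imsi].pop(0)
        res, ck_u, ik_u = usim.challenge(rand, autn)        # RAND, AUTN over the air
        if not hmac.compare_digest(res, xres):
            raise ValueError("RES mismatch: USIM not authenticated")
        return ck, ik, ck_u, ik_u


if __name__ == "__main__":
    k = bytes(range(16, 32))          # constructed key, not real subscriber data
    imsi = "001010123456789"          # constructed test IMSI
    auc = AuC()
    auc.provision(imsi, k)
    vlr, usim = VLR(auc), USIM(imsi, k)
    ck, ik, ck_u, ik_u = vlr.authenticate(usim)
    print("mutual AKA ok:", ck == ck_u and ik == ik_u, "CK:", ck.hex())
```

Both sides end up with the same CK and IK without either key ever being sent over the air; only RAND, AUTN and RES cross the radio link.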

Authentication in UMTS

– After mutual authentication has completed, the VLR and the USIM share CK, IK and AK.
– MILENAGE: the recommended function set for UMTS authentication (the UMTS counterpart of GSM's COMP128).
– A service provider can choose another function set.

Confidentiality in UMTS

• f8: keystream generation algorithm based on KASUMI, using a 128-bit session key CK.
• COUNT-C (32 bits): ciphering sequence number, incremented for every plaintext block so the keystream never repeats.
• BEARER (5 bits): bearer channel number.
• DIRECTION (1 bit): direction of the link (uplink or downlink).
• LENGTH (16 bits): length of the required keystream block.


UMTS Stream Cipher f8

About KASUMI

Confidentiality in UMTS

– Provides confidentiality on the link between the ME and the RNC.
  – This includes the BTS–RNC link, the equivalent of the GSM BTS–BSC link.
  – Closes the loophole of GSM security on the BTS–BSC link.
– UMTS encryption is applied to all subscriber traffic as well as to signalling messages.

Integrity Protection in UMTS

– GSM security did not provide integrity protection.
– UMTS solves this problem using the integrity key IK.
– MAC-I: message authentication code computed by f9 and attached to the message by the sender.
• FRESH: 32-bit per-connection nonce chosen by the network.

Network Security Security in Traditional Wireless Networks 41

UMTS Integrity Function f9
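The f8 ciphering and f9 integrity functions from the two slides above, as one added example that is not part of the original slides. KASUMI is not implemented here; an HMAC-SHA256 counter construction stands in for the keystream generator and MAC (an assumption), while the parameter layout follows the slides: f8 takes CK, COUNT-C (32 bits), BEARER (5 bits), DIRECTION (1 bit) and LENGTH (16 bits), f9 takes IK, COUNT-I, FRESH, MESSAGE and DIRECTION and yields a 32-bit MAC-I. The example shows what GSM lacked (a ciphertext bit flip lands undetected on the plaintext), how MAC-I catches it, and why COUNT-C must never repeat under one key.

```python
import hmac
import hashlib
import struct

# Stand-in keyed function (assumption): real f8/f9 are built on KASUMI.
def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def f8_keystream(ck: bytes, count_c: int, bearer: int, direction: int, length: int) -> bytes:
    """Keystream of LENGTH bits from (CK, COUNT-C, BEARER, DIRECTION)."""
    assert len(ck) == 16 and 0 <= bearer < 32 and direction in (0, 1) and 0 < length < 2 ** 16
    iv = struct.pack(">IBB", count_c & 0xFFFFFFFF, bearer, direction)   # the per-block IV
    nbytes = (length + 7) // 8
    blocks = [_prf(ck, b"f8", iv, struct.pack(">I", i)) for i in range((nbytes + 31) // 32)]
    ks = bytearray(b"".join(blocks)[:nbytes])
    if length % 8:                                   # mask the unused trailing bits
        ks[-1] &= (0xFF << (8 - length % 8)) & 0xFF
    return bytes(ks)


def f8(ck: bytes, count_c: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Stream cipher: data XOR keystream (the same call decrypts)."""
    ks = f8_keystream(ck, count_c, bearer, direction, 8 * len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def f9(ik: bytes, count_i: int, fresh: int, direction: int, message: bytes) -> bytes:
    """32-bit MAC-I over (COUNT-I, FRESH, MESSAGE, DIRECTION)."""
    assert len(ik) == 16 and direction in (0, 1)
    hdr = struct.pack(">II", count_i & 0xFFFFFFFF, fresh & 0xFFFFFFFF)
    return _prf(ik, b"f9", hdr, message, bytes([direction]))[:4]


def protect(ck, ik, count, bearer, fresh, direction, msg: bytes) -> bytes:
    """Sender: append MAC-I, then cipher message and MAC together."""
    return f8(ck, count, bearer, direction, msg + f9(ik, count, fresh, direction, msg))


def unprotect(ck, ik, count, bearer, fresh, direction, ct: bytes):
    """Receiver: decipher, then verify MAC-I; returns None if tampered with."""
    pt = f8(ck, count, bearer, direction, ct)
    msg, mac_i = pt[:-4], pt[-4:]
    if not hmac.compare_digest(f9(ik, count, fresh, direction, msg), mac_i):
        return None
    return msg


def flip_bit(data: bytes, bit: int) -> bytes:
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def keystream_reuse_leak(ck, count, bearer, direction, m1: bytes, m2: bytes) -> bytes:
    """If COUNT-C repeats under one CK, c1 XOR c2 == m1 XOR m2: the keystream cancels."""
    c1 = f8(ck, count, bearer, direction, m1)
    c2 = f8(ck, count, bearer, direction, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    ck, ik = bytes(range(16)), bytes(range(16, 32))      # constructed keys
    msg = b"RRC SECURITY MODE COMPLETE"                  # constructed message
    ct = protect(ck, ik, 7, 3, 0xDEADBEEF, 0, msg)
    print("intact:", unprotect(ck, ik, 7, 3, 0xDEADBEEF, 0, ct) == msg)
    print("bit flip detected:", unprotect(ck, ik, 7, 3, 0xDEADBEEF, 0, flip_bit(ct, 5)) is None)
```

The stand-in keeps the property that matters for the slides: changing any of COUNT-C, BEARER or DIRECTION changes the keystream, so uplink and downlink, and successive blocks on one bearer, never share keystream.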

Voice data integrity protection in UMTS

– Integrity protection involves a lot of overhead in processing and bandwidth.
– For voice, integrity protecting the number of user packets in the conversation is sufficient.
– Inserting, deleting or modifying words in a conversation would change the number of packets.
– In UMTS, the RNC periodically sends the ME a message containing the sequence number; this message is integrity protected.

Layers in UMTS

– The MAC layer offers data transfer to the RLC and higher layers.
– The RLC (Radio Link Control) layer offers the following services to the higher layers:
  – Layer 2 connection establishment/release
  – Transparent data transfer, i.e. no protocol overhead is appended to the information unit received from the higher layer
  – Assured and unassured data transfer
– The RRC (Radio Resource Control) layer offers the core network the following services:
  – General control service, used as an information broadcast service
  – Notification service, used for paging and notification of selected UEs
  – Dedicated control service, used for establishment/release of a connection and transfer of messages over that connection

Putting the Pieces Together

(1) MS → RNC: L2 connection {supported UMTS Encryption Algorithms (UEAs), UMTS Integrity Algorithms (UIAs), ...}
(2) MS → VLR: L3 connection message (location update request, routing area update request, attach request, ...) {IMSI or TMSI, Key Set Identifier (KSI) for CK/IK, ...}
(3) Authentication and key generation (CK, IK) {new keys, or the old key set identified by the KSI}
(4)–(11): remaining steps as shown in the figure

Network Domain Security

• MAP (Mobile Application Part): an SS7 protocol used by UMTS.
• MAPSEC: protects MAP messages in the SS7 network.
• A KAC (Key Administration Center) establishes an SA (Security Association) with another KAC.
• KACs use the IKE (Internet Key Exchange) protocol.
• KACs distribute the SAs to the NEs (network elements): key distribution.
• NEs use the SAs to protect MAP messages.

Network Domain Security for IP-based Networks

– UMTS is expected to be more closely tied to IP-based networks, replacing SS7 signalling (MAP) with IP-based signalling (such as SIP).
– MAP over IP for legacy networks.
  – SEG (Security Gateway): establishes an SA with another SEG.
  – Provides MAP message protection for the NEs.

Resources

– GSM Security: http://www.gsm-security.net/ (FAQs, papers, standards, books, news, ...)