Rad Commendation UMTS Deciphering

  • 8/6/2019 Rad Commendation UMTS Deciphering

    Network Test Solutions

    RADCOMmendation

    Online UMTS Deciphering Using the Cellular Performer

    RADCOM Ltd., 2004

    Copyright 2004 by RADCOM

    This documentation contains proprietary information of RADCOM Ltd. and RADCOM Equipment Inc. Such information is hereby supplied solely for the purpose of informing explicitly and properly authorized persons of the documentation on the operation of RADCOM equipment. Without the express prior written permission of RADCOM Ltd. and RADCOM Equipment Inc., no part of the contents hereof may be used for any other purpose, disclosed to persons or firms outside the recipient company, or reproduced by any means.

    The text and drawings herein are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.

    Publication Date: November, 2004

    Trademark Acknowledgements

    RADCOM is a trademark of RADCOM Ltd. in Israel and/or other countries. Microsoft Windows and Microsoft Windows NT are registered trademarks of Microsoft Corporation in the US and/or other countries. All other brand and product names referred to herein are either registered or unregistered trademarks or service marks belonging to their respective owners.

    Preview

    Many service providers are deploying UMTS 3G services, and some have already launched them. UMTS provides its users with voice, data and video. UMTS ciphering is used between the end-user mobile device and the RNC to protect the privacy of user information, i.e. both dedicated signalling and the user payload (voice, data or video), from being seen by unauthorized hackers who might be trying to attack the operator's more sensitive and exposed part, the radio interface. Many operators are now deploying ciphering on their GPRS and UMTS networks. Once ciphering is enabled, most of the information over the radio interface and the Iub and Iur interfaces is no longer visible.

    Therefore, in order to analyze and troubleshoot the Iub interface while ciphering is active, a protocol analyzer with deciphering capabilities is needed.

    Background

    The ciphering mechanism is activated between the MS and the RNC. When the MS accesses the network, it informs the RNC of the ciphering algorithms that it supports. The RNC then indicates in the Security Mode Command which ciphering algorithm will be used and activates the ciphering mechanism. Both the RNC and the MS use a Kc (ciphering key) that is stored in the MS and the RNC. This Kc is provided from the AuC using the Iu interface during the process of Authentication and Ciphering of the MS in the network.

    What is encrypted and what is not:

    - Encrypts most signaling and all user data
    - Encrypts only dedicated channels
    - Signaling radio bearers
    - Data radio bearers
    - Managed by the RNC
    - Ciphered in the MAC layer for transparent RLC mode
    - Ciphered in the RLC layer for non-transparent RLC mode

    RADCOM provides a winning combination: a UMTS online deciphering package with the Multi OC-3/STM-1 LIM with up to 4 ports, together with the UMTS Consultants.

    This document explains how to demonstrate this feature.

    Elements Needed to Demonstrate UMTS Online Deciphering:

    - Cellular Performer Analyzer
    - GenFEP
    - Multi OC3/STM-1 Interface with 2 or 4 OC-3 ports. The ciphering keys are provided to the RNC over the Iu interface. Many vendors use, for example, 2 STM-1 links with load balancing or load sharing for Iu-PS and/or 1 STM-1 for Iu-CS. With the new LIM with 4 OC-3 ports, we can capture the STM-1 for Iub, the 2 x STM-1 of Iu-PS and the 1 x STM-1 for Iu-CS using a single GenFEP and LIM.
    - UMTS Deciphering Online application add-on authorization
    - Iub and Iu Consultants

    Connection Setup

    A typical connection setup to make a live demo of UMTS deciphering is depicted in the following figure:

    Configuration:

    1. Configuration of the Multi OC3/STM-1 interface: To facilitate complete deciphering of user sessions on the Iub interface for any kind of service (voice, video call, video streaming or data), it is extremely important to be able to capture the Iu-PS and Iu-CS interfaces (to read and extract the ciphering keys) and the Iub interface at the same time. The new Multi OC3/STM-1 interface makes this possible.

    In our example, 2 Iu-PS STM-1 links in load balancing, another STM-1 link for the Iu-CS, and finally a single STM-1 Iub interface with the aggregated traffic coming from several Node Bs to the RNC are used.

    Note: The Multi OC3 has two possible configurations, both reflected in the price list.

    - PA-LIM-LB-OC3-2P: Load Balancing ATM OC-3/STM-1 LIM (optical transceivers not included). Requires PA-FEP-GenFEP and 4 compatible SFPs (MM or SM).
    - PA-CA-LB-2P-SM or PA-CA-LB-2P-MM: 2 more ports for Load Balancing ATM OC-3/STM-1 capability add-on with Single mode transceivers. Requires PA-LIM-LB-OC3-2P. (These SFF connectors are built in and assembled at RADCOM, so it is very important to specify in the order whether the SM or MM option is needed.)

    DUAL or (QUAD) ATM OC-3/STM-1 INTERFACE MODULE: 2 full duplex STM-1 ports (requires 4 removable SFPs, SM or MM), LC/PC connectors. 2 additional (optional) full duplex STM-1 ports (use 2 SFFs assembled on board; customer must specify SM or MM transceivers in the purchase order).

    The following screen demonstrates the physical configuration of the ports of the Multi OC3/STM-1 interface.

    - For ports 1,2 and 3,4 you can select either Pass Through or Optical Splitter.

    - For ports 5,6 and 7,8 only Rx for a connection with an Optical Splitter is available.

    Configure all of the following, and use the Advanced Port Configuration to specify which ports are Uplink and which are Downlink.

    Select the Deciphering button to specify which ports are going to be used for Iub and Iu, and activate the Deciphering check box to enable the online Deciphering option.

    Now you are ready to start tracing the Iub sessions or all user sessions, whether they are ciphered or not.

    Note that only one Consultant can be run at a time for each GenFEP, since initially Iu monitoring is used to extract the ciphering keys. Let's concentrate on the Iub interface to show the deciphered sessions.

    Open the Iub Consultant. Ask the customer to provide you with a defined IMSI that they know is ciphered. Make a query on this specific IMSI, and show the detailed signaling flows. (This is also a good opportunity to explain how deciphering works and the messages involved.)

    1. RRC Connection Setup: During this process, the MS informs the RNC, in the RRC Connection Setup Complete message, of the ciphering algorithms supported by the cellular equipment. (In the example we see that this mobile equipment supports the uea1 and uea0 ciphering algorithms.)

    2. The MS starts the Ciphering Key Sequence Number that will be used during the Authentication process, to receive the RAND and AUTN.

    3. Authentication Process: The MSC/VLR (which previously stored the quintuplets for this mobile) sends the MS the next Ciphering Key Sequence Number and the RAND and AUTN vectors for authentication of the MS in the Authentication Request message; the MS completes the Authentication Process by sending the RES vector in the Authentication Response message.

    After Authentication, the MS and RNC already have the Kc generated and stored.

    3. Using the RANAP: Security Mode Command message, the network informs the RNC of the encryption algorithm permitted in the communication with the network, and the SGSN or VLR sends the RNC the Deciphering Key. The RNC then informs the UE of the chosen ciphering algorithm in the RRC: Security Mode Command message sent from the RNC to the UE.

    (Figure callouts: Ciphering Key Vector; Chosen Ciphering Algorithm)

    4. The Security Mode Command Complete message is the starting point and trigger for the encryption mechanism. The RNC sends this message to the MSC/VLR or SGSN after receiving confirmation from the UE, to inform it of the chosen Integrity and Ciphering Algorithms.

    5. Once the dedicated signaling with the UE and the user payload are encrypted, RADCOM's online deciphering enables the user to spotlight the next messages on the Iub interface for this MS. As you can see, with deciphering, the whole process can be followed on the Performer.

    (Figure callout: ENCRYPTED)
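
The signaling sequence in steps 1 to 5 can be checked per subscriber with the following Python example, which is added here and is not RADCOM's code or part of the original document. It correlates already-decoded messages per IMSI to show why the Iu links must be captured together with Iub; the event tuple layout, field names and sample events are assumptions constructed for illustration.

```python
# Added example with constructed data: correlate decoded Iu and Iub signaling per IMSI.
def new_session():
    return {"ue_algs": set(), "permitted": set(), "key_seen": False, "chosen": "", "ciphering_on": False}

def correlate(events):
    """events: iterable of (interface, imsi, message, fields) tuples (hypothetical schema)."""
    sessions = {}
    for iface, imsi, msg, f in events:
        s = sessions.setdefault(imsi, new_session())
        if msg == "RRC Connection Setup Complete":      # step 1: UE capabilities
            s["ue_algs"] = set(f["ue_algorithms"])
        elif msg == "RANAP Security Mode Command" and iface.startswith("Iu-"):
            s["permitted"] = set(f["permitted_algorithms"])
            s["key_seen"] = bool(f.get("ciphering_key"))  # key is only visible on Iu
        elif msg == "RRC Security Mode Command":        # RNC tells the UE the chosen algorithm
            s["chosen"] = f["chosen_algorithm"]
        elif msg == "Security Mode Complete":           # step 4: trigger for ciphering
            s["ciphering_on"] = True
    return sessions

def assess(s):
    """Return (status, findings) for one correlated session."""
    findings = []
    if s["chosen"] and s["chosen"] not in s["ue_algs"]:
        findings.append("chosen algorithm not advertised by UE")
    if s["chosen"] and s["permitted"] and s["chosen"] not in s["permitted"]:
        findings.append("chosen algorithm not permitted by core network")
    if not s["ciphering_on"]:
        return "security mode not completed", findings
    if s["chosen"] == "uea0":
        findings.append("uea0 selected: traffic is not encrypted")
        return "cleartext", findings
    if not s["key_seen"]:
        findings.append("no key captured: Iu link not monitored for this session")
        return "ciphered, not decipherable", findings
    return "ciphered, decipherable", findings

# Constructed sample: IMSI "A" is seen on Iub and Iu-PS, IMSI "B" on Iub only.
SAMPLE = [
    ("Iub", "A", "RRC Connection Setup Complete", {"ue_algorithms": ["uea0", "uea1"]}),
    ("Iu-PS", "A", "RANAP Security Mode Command", {"permitted_algorithms": ["uea1"], "ciphering_key": "<constructed>"}),
    ("Iub", "A", "RRC Security Mode Command", {"chosen_algorithm": "uea1"}),
    ("Iu-PS", "A", "Security Mode Complete", {}),
    ("Iub", "B", "RRC Connection Setup Complete", {"ue_algorithms": ["uea0", "uea1"]}),
    ("Iub", "B", "RRC Security Mode Command", {"chosen_algorithm": "uea1"}),
    ("Iub", "B", "Security Mode Complete", {}),
]
REPORT = {imsi: assess(s) for imsi, s in correlate(SAMPLE).items()}
```

Session "B" in the sample is the case the connection setup is meant to avoid: ciphering starts on Iub, but no Iu capture supplied the key.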

    Summary

    Why is the UMTS Deciphering Important?

    Once ciphering is activated, the only way to analyze the ciphered traffic in Iub sessions is by using deciphering.

    Who needs the deciphering?

    The vendors: to verify that their ciphering implementation is working correctly in their labs and on customer premises.

    The operators, at all levels of Radio Access Network operations: to trace many users while deciphering the information in real time, so that they can see the signalling messages and user data, detect and fix problems, and guarantee QoS to their customers.

    Here is RADCOM's best cocktail to make a killer sales application.

    (Figure labels: Consultants; UMTS Deciphering On-Line)

    US Office:
    RADCOM Equipment Inc., 6 Forest Avenue, Paramus, NJ 07652, USA
    Tel: (201) 518-0033 or 1-800-RADCOM-4, Fax: (201) 556-9030

    Israel Office:
    RADCOM Ltd., 24 Raoul Wallenberg St., Tel Aviv, 69719, Israel
    Tel: 972-3-6455055, Fax: 972-3-6474681

    China Office:
    RADCOM Ltd., Handerson Center, Office 506, Tower 3, 18 Jianguomennei Avenue, Beijing 1000005, P.R. China
    Tel: +86-10-65187723, Fax: +86-10-65187721

    United Kingdom Office:
    RADCOM UK, 2440 The Quadrant, Aztec West, Almondsbury, Bristol, BS32 4AQ, England
    Tel: +44-145-487-8827, Fax: +44-145-487-8788

    Web Site:
    http://www.radcom.com