Wireless security: securing mobile UMTS communications ... · security of wireless networks without replacing the legacy hardware. There was a rush to create a more secure wireless

SECURITY AND COMMUNICATION NETWORKSSecurity Comm. Networks 2013; 6:498–508

Published online 17 December 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.674

SPECIAL ISSUE PAPER

Wireless security: securing mobile UMTScommunications from interoperation of GSMEric Southern, Abdelkader Ouda and Abdallah Shami*

Electrical and Computer Engineering, University of Western Ontario, London, Canada

ABSTRACT

Wireless communications have revolutionized the way the world communicates. An important process used to secure thatcommunication is authentication. As flaws in the security of a wireless network are discovered, new protocols andalgorithms are required to meet those security issues. When creating new algorithms and systems, it is possible that theexisting equipment may not be able to implement the new protocols, which means that integration may be required totransition from an old security protocol to the new more secure protocol. Stationary wireless networks were created withouta strong need to integrate protocols and have simply developed slightly more secure protocols to protect old equipment. Newprotocols in stationary wireless networks are implemented without integration as a requirement. Mobile wireless networkshave the requirement of allowing old equipment to use the entire network as it is advantageous to allow new mobile equip-ment to connect to old networking equipment to increase coverage areas and for old equipment to connect to new towers forroaming and billing. This requirement for mobile networks means that integration is required. There are flaws in this inte-gration of Global System for Mobile Communications (GSM) into Universal Mobile Telecommunications System (UMTS)networks. Those flaws are analyzed, and two practical solutions are proposed. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS

wireless security; GSM; UMTS

*Correspondence

Abdallah Shami, Electrical and Computer Engineering, University of Western Ontario, London, Canada.E-mail: [email protected]

1. INTRODUCTION

Wireless communication allows for easy connectivity ofdevices without the expensive requirements of laying aphysical network. One of the main difficulties in deployingwireless networks is the ability to secure information andresources on a medium that by its very nature broadcastsall information. A key aspect of securing wireless commu-nication is the authentication protocol used to allow accessto the network. The two major types of wireless networksare the stationary networks generally defined by the802.11 standards and the mobile networks defined as 2G,3G, and 4G networks. As security requirements havechanged, the protocols for authentication have adaptedwith those changes. Authentication is the process ofdetermining whether someone or something is, in fact,who or what it is declared to be. The traditional methodof authentication in computing is the challenge–responsemechanism. There is a shared secret between the twoparties that is used in an algorithm so that one party posesa question as a challenge and the other party must replywith a correct answer as a response. Both of these network

498

types have faced significant security problems that haveneeded to be addressed with stronger protocols and moresecure cryptographic algorithms. When creating the newmore powerful algorithms and protocols, the older hardwarecannot implement them because of the more strenuousrequirements.

This work discusses authentication in wireless networksas well as the needs of those networks to interoperate andthe security issues brought about by that integration. Theauthentication in 802.11 stationary wireless networks willbe described with a focus on wired equivalent privacy(WEP) security flaws and the related solutions offered byWi-Fi protected access (WPA) and WPA2. The aim ofthis discussion is to give an understanding on how theauthentication in the stationary wireless networks haschanged because of the problems found in the earlieralgorithms and protocols. In contrast with this 802.11security replacement, the authentication protocols in thenew generations of mobile wireless networks are designedto interoperate (not replace) the existing protocols. Therefore,the integration of the different protocols to allow thisinteroperation will be described considering security flaws

Copyright © 2012 John Wiley & Sons, Ltd.

Securing mobile UMTS communications from interoperation of GSME. Southern, A. Ouda and A. Shami

brought about by integrating the old protocols into the newsystems. This will include Global System for Mobile Com-munications (GSM) 2G networks and Universal MobileTelecommunications System (UMTS) 3G networks. 4Gnetworks are not discussed in this work because Eric et al.[1] had described the authentication and key agreement pro-tocols of the Universal Subscriber Identity Module(USIM)-based 4G security protocols, including Long TermEvolution (LTE) networks and WiMAX networks.

This paper is organized as follows. Section 2 describesthe authentication protocols in 802.1. The authenticationprotocols in GSM 2G networks and UMTS 3G networksare described in Section 3. Section 4 describes the mobileuser handover between different network and the relatedsecurity issues. Two solutions are proposed to the problemof integration in mobile wireless networks in Section 5.Section 6 concludes this work.

2. AUTHENTICATION IN 802.11WIRELESS NETWORKS

To understand the security environment in mobile wirelessnetworks, it is worthwhile to review the security instationary networks because both types of networks haveundergone a phase of broken security and a migration ofequipment from the less secure to more secure environ-ments. Stationary wireless networks allow user equipmentto connect to a network without the need of a physicalwire. This allows for more user mobility and to create anetwork quickly and in environments where it is difficultor expensive to deploy physical networks. Generally,there is no need in these types of networks to manage themobility of the user from one network access point (AP)to another as the connection does not need to be maintainedif a user roams from one network area to another. The maindifference for stationary networks is that the wireless usersgenerally have modern or more powerful equipment thatconnects to the network and the network operator will

Encrypted

Authenticatio

User Equipment

Challenge RInitialization

Encrypte

Figure 1. WEP authen

Security Comm. Networks 2013; 6:498–508 © 2012 John Wiley & Sons, Ltd.DOI: 10.1002/sec

generally have more control over all devices on thenetwork. Stationary network providers did not have thesame need to make their network allow access to olddevices. Another major consideration in the evolution ofsecurity in stationary networks is that the equipment manu-facturers were in control of the development and migrationof the security framework and therefore did not have astrong vested interest in maintaining older hardware andwould prefer to sell the new hardware that meets the newstandard.

2.1. Wired equivalent privacy

The first type of security devised for wireless communica-tion in the 802.11 standard is WEP. The algorithm relies ona shared key (WEP key) of 40 bits or 104 bits as well as aninitiation vector (IV) of 24 bits. As can be seen in Figure 1,WEP authentication process starts when a user equipmentUE requests to associate with the AP, where user equip-ment (UE) must authenticate itself to the AP. On the basisof this request, AP sends a challenge nonce R (randomnumber) to the UE and waits for the response. The UE thenencrypt the challenge R by using a stream symmetric ci-pher RC4 as follows.

• The challenge R is first checksummed using CRC32that is added to R to form the data payload.

• Then, the UC creates a 24-bit random initializationvector (IV).

• The IV along with WEP key is used as a seed togenerate RC4 key stream K.

• The ciphertext is produced by XORing the key streamK with the data payload.

UC then transmits the ciphertext and the IV to the AP asits response. The AP uses the IV that it received andthe shared WEP key to decrypt the data and verify thechecksum. If a match is found, the authentication isdeclared successful, and the association is formed.

channel

n request

, Vector IV

d R, IV

tication protocol.

499

Securing mobile UMTS communications from interoperation of GSM E. Southern, A. Ouda and A. Shami

Note that the cryptosystem used in WEP is a streamsymmetric cipher RC4 and the key that encrypts the datais the same key that will be used for decryption to recoverthe data.

Scott Fluhrer et al. [2] described in their work titled“Weaknesses in the key scheduling algorithm of RC4”the number of weakness in WEP protocol. The flaws wererelated to the way RC4 was implemented. They havementioned that WEP can be cracked if enough traffic canbe intercepted. This is because there are only 16 millionpossible IVs (24-bit), so after intercepting enough packets,there are sure to be repeats in the IVs. When IVs repeat, theRC4 key stream can be easily discovered, and hence, aknown plaintext attack can be utilized to recover theplaintext without the need for the WEP key. The end resultis that WEP has suffered from key management problems,implementation errors, and the overall weakness in theencryption mechanism.

2.2. Wi-Fi protected access

The major flaws in WEP made it necessary for the Wi-FiAlliance to create a stronger protocol to increase thesecurity of wireless networks without replacing the legacyhardware. There was a rush to create a more securewireless network, and therefore, WPA was developed asa prestandard 802.11i protocol that would be loaded asan update to most WEP firmware and would improve thesecurity of existing wireless networks until the 802.11iprotocol could be ratified. WPA has the endorsement of

A-nonc

S-nonce,

A-nonce,GTK

Ack

Secucommuni

Generated UE

S-nonce

Received AP

A-nonce

PairwiseMaster Key

(PMK)

PRF-512

Pairwise Transient key (PTK) 512 bits

Key Config . Key Encryption Temporal KeyKey (KCK) Key (KEK) (TK)128 bits 128 bits 256 bits

HMAC-MD5 MIC

User Equipment UE

UE MAC

AP MAC

Figure 2. WPA authentication

500 Sec

the temporal key integrity protocol (TKIP) and messageintegrity check (MIC) by the Wi-Fi Alliance. Authenticationunder WPA is completely different than that in WEP asshown in Figure 2.

The AP sends a random A-nonce to the UE. The UEtakes the pairwise master key; a preshared key givento the UE and AP, the received A-nonce, and a generatedS-nonce, along with AP and UE Media Access Control(MAC) addresses to compute a pairwise transient key(PTK). This is carried out by using the pseudo-randomfunction PRF-512. The PTK is then used to create ahash-based message authentication code created by themessage-digest algorithm (MD5) by giving the key confir-mation key, which is the first 128 bits of the PTK and theS-nonce as the input into the hash-based message authentica-tion code–MD5 algorithm. The S-nonce and producedMIC are then sent to the AP. The AP can perform the samePRF-512 performed by the user equipment to generate thePTK and then use the PTK to verify the MIC. Once verified,the AP will send an encapsulated group TK andMIC back tothe UE for verification. The UE will then respond with anacknowledgement of successful authentication. The PTK isalso used to generate the key encryption key and the TK.The key encryption key is used to encapsulate the groupTK and other handshaking encryptions, and the TK is usedfor encrypting the communication over the link. Theencryption in TKIP is carried out using RC4 similar tothe encryption in WEP. The methodology used for theencryption of packets in TKIP greatly increases the securitycompared with WEP as the TK is constantly updated by thelarger IV.

e

MIC

MIC,

re cation

ReceivedUE

S-nonce

GeneratedAP

A-nonce

PairwiseMaster Key

(PMK)

PRF-512

Pairwise Transient key (PTK) 512 bits

Key Config . Key Encryption Temporal KeyKey (KCK) Key (KEK) (TK)128 bits 128 bits 256 bits

HMAC-MD5 =?MIC’ Received

MIC

Access Point AP

UE MAC

AP MAC

against the access point.

urity Comm. Networks 2013; 6:498–508 © 2012 John Wiley & Sons, Ltd.DOI: 10.1002/sec


2.3. Wi-Fi protected access 2

The Wi-Fi Alliance completed 802.11i as WPA2 to securecommunication on wireless networks because the weak-nesses of WEP and WPA. The protocol relies on a sharedkey called the same pairwise master key generated inWPA, which is designed to last the entire session and isexposed as little as possible. WPA2 uses the same four-way handshake to authenticate the user equipment (UE)to the AP and create keys for communication that canbe seen in Figure 2. Similar to WPA using TKIP, WPA2uses counter mode with cipher-block chaining messageauthentication code protocol (CCMP) to perform manyoperations including securing the communication channel.There are some differences in the authentication betweenWPA and WPA2 such as the PRF used to generate thePTK in WPA2 is 384 bits. The MIC in the authenticationis SHA-1. The encryption in CCMP uses the advancedencryption standard. There are major differences in theway the encryption is completed in CCMP compared withTKIP, but those differences are not being investigated inthis paper as we are focusing on authentication. Thechange to using the more secure SHA-1 for the MICinstead of MD5 creates a much more secure authentication.

The migration from WEP/WPA to WPA2 could beaccomplished relatively quickly because of the fact thatmost mobile equipment (laptops and other powerfulequipment) is upgraded frequently and has very fewrequirements to run on minimal resources. The migrationof the network from WEP/WPA to WPA2 is handled bythe network provider, which was only limited by eachorganization mandate and could be accomplished whenneeded. Overall, the cost of the upgrade has involveda massive replacement of equipment on a very largeworldwide scale. The capacity of network devices has alsogrown with the migration from 802.11a to b to g to n;therefore, most providers would have upgraded theirnetworks with the new technology and most users wouldupgrade their devices at the same time as well to makeuse of new computing power. The mobile networkshave very different considerations when upgrading orintegrating protocols. Mobile network operators haveagreements with many other operators to allow almostany devices onto their network. To facilitate this require-ment, the network needs to operate in both 2G and 3Gsecurity contexts, which we will show in the followingsection.

3. AUTHENTICATION IN MOBILEWIRELESS NETWORKS

When authenticating against a mobile wireless network,the mobile equipment needs to send from one base station(BS) to another without a loss of communication orinterruption to an active connection. The requirement toroam without interruption forced the development of anetwork that would allow a user to authenticate to and


use all parts of the network seamlessly. A major difficultyfaced by mobile networks is the ability for a user to roamfrom one network to another network operator, whichallows mobile network providers to bill foreign users andsystems. This support limits the control a network providerhas over the hardware connecting to their network. Thesenetworks also tend to be built out nationally a very largeinvestment, which needs to be leveraged as long aspossible to have connectivity for all users. Some usersare also likely to keep a functioning phone for a muchlonger time than a functioning laptop. GSM phones willoperate as a worthwhile and functioning phone for morethan a decade to many users that see no reason to upgradetheir device.

3.1. GSM authentication

The authentication in GSM is a one-way authenticationalgorithm to authenticate the mobile device to the serviceprovider network. As shown in Figure 3, the algorithmuses a secret key K that is shared between the GSMhome network and the mobile device. The mobile deviceidentifies itself to the network by sending its internationalmobile subscriber identity (IMSI) to the BS. The BSforwards the IMSI to the home network of the device. Onthe basis of the IMSI, the home network recognizes thecorresponding key K that is used along with a randomchallenge (RAND) to generate a session key Kc =A8(RAND, K) and the expected response to the challengeSRES=A3(RAND, K),where A8 and A3 are two hashingfunctions.. The home network sends the authenticationvector (RAND, SRES, Kc) to the BS who will retain SRESand Kc and sends the RAND to the mobile device as achallenge. By using the shared secret key K along withthe received RAND, the mobile generates the responseSRES0 and generates the same session key Kc. The BSresponds to the BS with the SRES, which the BS thenmatches against the SRES to verify the identity of themobile device. This authentication in GSM gave theservice providers the ability to address the issue of cellphone cloning by issuing a challenge to the device thatwould appropriately be responded to with the SRES0.GSM also added encryption by using the key Kc to thechannel to allow the confidentiality on the informationtransmitted across the air interface.

Even with all of these new security enhancements towireless communication, there are many problems withthe authentication and security in GSM. The encryptionand hashing algorithms were developed in secret design,in violation of the Kerckhoff’s principle [3] (a cryptosystemshould be secure even if everything about the system,except the key, is public knowledge.), which led to thesystem being less secure than if they had used knownalgorithms that had been vetted by cryptographers notinvolved in the design. In addition, the stream cipher A5is used for encrypting the communication channels. Theadopted A5/1 encryption algorithm in GSM can be brokenin real time [4], and the A5/2 algorithm is easily broken in

501

K

A3 A8

SRES` Kc

RANDK

A3 A8

SRES Kc

RAND

RAND

GSM AUC Home

Network

RAND, SRES,Kc

IMSI

IMSI

RAND

SRES`

EncryptionKc Kc

Figure 3. GSM authentication.


seconds [5] meaning that the intent to keep communicationof the customer on the network private is no longer trulyprovided by the protocol. The GSM framework does allowproviders to choose different algorithms for both thehashing and encryption, but because of the established baseand weaknesses in the protocol, this is not entirely feasiblefor the encryption protocol (hashing protocols can be set spe-cifically for each device at the discretion of the provider).The expected response (XRES) and other values are alsolimited by their length as required in the GSM protocol.

The authentication protocol has many flaws that allowfor denial of service and false BS attacks because thesubscriber does not authenticate the network. Note thatGSM uses one-way authentication. A false BS attack isvisible because of the mobile device not authenticatingthe network. The false BS attack is a classic man-in-the-middle attack that generally passes most of the communi-cation from the handset to the tower but will modify someof the transactions to attack the network. These attackshave a method that can retrieve the IMSI of the device,and they can have the false tower also force the device tonot use encryption for communication that allows theattacker to listen to the conversation and possibly injectinformation into the channel. Again, the fact that GSMprotocol authenticates only the phone and leaves thenetwork unauthenticated allows for these BS attacks toneutralize any increase in the quality of the encryptionalgorithms because the devices will support the olderimplemented algorithms and no encryption. The insecuritybrought about by the protocol allows these attacks tocompromise the confidentiality and integrity of the usercommunication with the network.

3.2. UMTS authentication

UMTS networks have mutual authentication in which themobile devices are authenticated to the network as well

502 Sec

as the network authenticating the phone as shown inFigure 4. This mutual authentication allows the device todiscern whether or not the network they are connecting tois a legitimate network. The authentication protocol alsomakes use of integrity to ensure that the communicationis not modified when selecting algorithms for encryptionand integrity. The authentication protocol follows manyof the same network steps in the GSM protocol with someimportant changes. The authentication (AUTN) tokenas well as the integrity key (IK) is sent from the homenetwork. The AUTN token along with the RAND is thensent to the mobile device that processes the RAND withthe key to verify the AUTN token by validating theMAC section of the token sent from the network against theexpected response for mutual authentication (XMAC) createdby using the key, sequence, authenticationmanagement field,and RAND. Note that authentication management field is asection of the AUTN token. The mobile equipment alsodoes a validation of the sequence to ensure that it is withinthe desired range. This verification allows the mobiledevice to trust the connection to the network.

The algorithms are at the discretion of the providers, butgenerally, the Kasumi [6] algorithm is used for both integrityand encryption with an option of no encryption. The UMTSprotocol does not allow the system to operate withoutintegrity, which in conjunction with the authenticationallows the mobile device and network to have a reasonableexpectation that there has been no modification of thecommunication. This method of authentication with integritylimits many attacks in a purely UMTS network. The Kasumialgorithm is a modified MISTY1 algorithm [6] that waschosen for its suitability for implementation in hardware.The algorithm has some weaknesses but is not susceptibleto real-time attacks [7]. Currently, the International Telecom-munication Union is still developing the standards for 4Gmobile communications, but the authentication protocolsare the same as those of the UMTS network [8].


UMTS AUCHome

Network

RAND, XRES,CK, IK, AUTN

IMSI

IMSI

RAND, AUTN

RES

Encryption

K

F5

RAND

F4F3F2F1

AMF

MAC XRES CK IK AK

Generate Rand

Generate SQN

SQN

AUTN = SQN AK AMF MAC

CK CK

K

F5

RAND

F4F3F2F1

MACSQN AK AMF

AUTN

XMAC RES CK IK

AK

Figure 4. UMTS authentication.


4. LEGACY INTEGRATION OFAUTHENTICATION PROTOCOLS

To make use of existing hardware and equipment, it maybe required to update protocols or create an integrationprotocol because of the cost or effort required to replacethe equipment. Network providers for each type of networkneed to adapt to the changing security environment. The802.11 protocols exist side by side on the same equipment,which allowed network providers to stage the upgrading oftheir networks to the new protocols. The protocols inmobile networks were integrated to allow for the maximumuse of existing equipment while roaming and to giveusers and providers as much flexibility as possible whenconnecting to mobile networks.

4.1. WPA as an upgrade to legacy WEPequipment

Wi-Fi protected access was created as a measure toincrease the security of WEP equipment. WPA does notaddress all of the security flaws in WEP but was able tobe installed on equipment that supports WEP allowingnetwork administrators to increase the security of theirexisting equipment. The new WPA protocol can beattacked and broken with only slightly more difficulty thanWEP. The overall network would only be as secure as theweakest connection, which means that the existing WEPand WPA equipment would need to be segregated fromthe rest of a secure WPA2 network until the equipmentcan be upgraded. WPA did give network operators asignificant increase in the security of their networkswhile they could prepare to deploy new WPA2 equipment.


Most new 802.11 equipment will support any of thesecurity protocols depending on the needs of the networkoperator, allowing them to stage their integration of thenew WPA2 security protocol to meet the needs of theirusers. Mobile providers could also stage the upgrade oftheir networking equipment but will have an extendedperiod where they will be hampered by the needs of usersto connect using the GSM protocols. The integration alsoallowed providers to use their existing networks to provideservice to the new UMTS devices by having themimplement the GSM protocol, which will be shown in thenext section.

4.2. Legacy integration of GSM with UMTS

When the time came for industry to move to UMTSnetworks, the market was already saturated with a largenumber of GSM devices and network equipment. Theintegration offered by the protocol allows for the providersto make use of the already embedded systems. To make thetransition cost effective and to make maximum use of theexisting user and network hardware, GSM backwardscompatibility was built into the UMTS protocols [9].The interoperation between the two systems allows GSMdevices on the UMTS network and allows the network tobe slowly upgraded to the new infrastructure. A providercan then support the large number of devices owned bycustomers as well as have a planned strategy for upgradingtheir network infrastructure.

To achieve the integration, there are some equationsthat are used to convert the keys from UMTS CK and IKto GSM Kc and vice versa. Those equations allow themobile device and network to continue to operate without

503


requiring reauthentication to roam from one networkconfiguration to another. Those equations to create Kc are

Kc ¼ CK1�CK2�IK1�IK2 (1)

where CK ¼ CK1jjCK2 (2)

and IK ¼ IK1jjIK2 (3)

To create CK and IK from Kc when moving from aGSM context to a UMTS context, the following equationsare used:

CK ¼ KcjjKc (4)

IK ¼ Kc1�Kc2jjKcjjKc1�Kc2 (5)

where Kc ¼ Kc1jjKc2 (6)

The following subsection will be exploring threedifferent authentication scenarios of GSM and UMTSequipment to show the methods of integrating these twogenerations of mobile communications.

4.2.1. GSM mobile device with UMTS networkWhen a GSM mobile device is on a UMTS network as

shown in Figure 5, and as per the order of the circlednumbers, GSM mobile subscriber requests a secureconnection to UMTS Base Transceiver Station (BTS).The UMTS Mobile Switching Center (MSC) requests fromthe GSM home network the authentication vector (RAND,XRES, Kc). The UMTS MSC receives and then forwardsthe authentication vector to the UMTS BTS. The UMTSBTS then perform the GSM authentication protocol withGSM mobile subscriber as described in Section 3.1 andFigure 3. If this authentication process succeeded, theGSM mobile and the UMTS BTS can communicate

UMS

CeGSM Mobile subscriber

Visited Net

UMTS Base Transceiver Station (BTS)

(1) GSM Mobile subscriber requests a secure conn(2) UMTS MSC requests from the GSM home netw(3) UMTS MSC receives the GSM authentication v(4) UMTS BTS perform the GSM Authentication pro(5) When the authentication process in (4) succeed

can communicate securely applying the UMTS eand the integrity key IK. These keys are generate

1 4

5

Figure 5. The GSM mobile subscriber is authenticated via

504 Sec

securely applying the UMTS encryption algorithms byusing the UMTS key CK and the integrity key IK.

Note that the system will create Kc at the home AUC ofthe GSM, which will then be expanded with Equations (4)and (5) to create CK and IK in an enhanced GSM mode toincrease the security of the communication. The issuebrought about by this configuration is that when Kc hasalready been discovered by an attacker when the phone isoperating in a fully GSM context, the expanded CK andIK are easy to discern from the equations, and all of UMTScommunication can be discovered by an attacker.

4.2.2. UMTS mobile device with GSM BTSWhen connecting to the network, it is possible for a

UMTS mobile device to connect to a GSM BTS. As shownin Figure 6, and as per the order of the circled numbers, theUMTS mobile subscriber requests a secure connection toGSM BTS. Accordingly, the UMTS MSC requests fromthe UMTS home network the authentication vector(RAND, XRES, CK, IK, AUTN). The UMTS MSCreceives the UMTS authentication vector and proceeds togenerate a GSM Kc by using Equation (1) and thenforwards it to the GSM BTS. The GSM BTS performsthe GSM authentication protocol with UMTS mobilesubscriber as described in Section 3.1 and Figure 3. If thisauthentication process succeeded, the UMTS mobile andthe GSM BTS communicate using the GSM encryptionalgorithms by using the GSM Kc.

This type of connection is created either during authen-tication or during handover to this type of network. Theonly network device that uses the GSM protocols in thistype of connection is the BTS. The MSC, mobile andAUC are all UMTS devices. The MSC will retain the CKand IK generated by the UMTS authentication, but allencryption between the mobile and the GSM BTS iscarried out using the Kc created with Equation (1). Kc iscreated by the mobile and by the UMTS MSC, and the

TS Mobile witching nter (MSC)

GSM AUC

Home Network

work

ection to UMTS BTS ork the authentication vector (RAND,XRES,Kc).ector and forward it to the UMTS BTStocol with GSM Mobile subscriber ed, the GSM Mobile and the UMTS BTS ncryption algorithms using the UMTS key CK d using the GSM Kc

2

3

RAND,XRES,Kc

a UMTS BTS, which is connected to a UMTS MSC.


UMTS Mobile Switching

Center (MSC)

UMTS AUC

Home NetworkUMTS Mobile subscriber

Visited Network

GSM Base Transceiver Station (BTS)

(1) UMTS Mobile subscriber requests a secure connection to GSM BTS (2) UMTS MSC requests from the UMTS home network the authentication vector (RAND,XRES, CK, IK, AUTN).(3) UMTS MSC receives the UMTS authentication vector and proceeds to generate a

GSM Kc and forwards Kc to the GSM BTS (4) GSM BTS performs the GSM Authentication protocol with UMTS Mobile subscriber (5) When the authentication process in (4) succeeds, the UMTS Mobile and the GSM BTS

communicate using the GSM encryption algorithms using the GSM Kc. Which is insecure due to the attacksavailable against the GSM algorithms.

12

3

RAND,XRES, CK, IK, AUTN

4

5

Figure 6. The UMTS mobile subscriber is authenticated via a GSM BTS, which is connected to a UMTS MSC.


GSM BTS is oblivious to this operation. The communica-tion between the mobile and the BTS can be consideredas secure as that of normal GSM communication. Whenmoving to other network configurations, the MSC willuse the CK and IK that were originally generated insteadof using the Kc generated for the BTS. We know that Kc

can be compromised during communication with theBTS and will therefore give 64 bits of information relatingto the original CK and IK.

4.2.3. UMTSmobile devicewithGSMBTS andMSCFigure 7 shows another scenario when a UMTS mobile

device is connecting to a GSM network. Following theorder of the circled number in the Figure, the UMTSmobile subscriber requests a secure connection to GSMBTS. Accordingly, the GSM MSC requests from theUMTS home network the authentication vector (RAND,XRES, Kc) where it is generated using the UMTSauthentication vector (RAND, XRES, CK, IK, AUTN).

GSM MSwitch

Center (UMTS Mobilesubscriber

Visited Network

GSM BaseTransceiver Station (BTS)

(1) UMTS Mobile subscriber requests a secure connectio(2) GSM MSC requests from the UMTS home network th

generated by using the UMTS authentication vector ((3) GSM MSC receives the GSM authentication vector a(4) GSM BTS performs the GSM Authentication protocol(5) When the authentication process in (4) succeeds, the

communicate using the GSM encryption algorithms usavailable against the GSM algorithms.

1 4

5

Figure 7. The UMTS mobile subscriber is authenticated


The GSM MSC receives the GSM authentication vectorand forwards Kc to the GSM BTS. The GSM BTS thenperforms the GSM authentication protocol with UMTSmobile subscriber as described in Section 3.2 and Figure 4.If this authentication process succeeded the UMTSmobile and the GSM BTS communicate using the GSMencryption algorithms using the GSM Kc.

In this type of connection, authentication or handoveroccurs when a UMTS-authenticated session moves to aGSM network. The GSM MSC and GSM BTS can onlyhandle the Kc for GSM communication. Therefore, theUMTS-authenticated network transfers Kc derived fromEquation (1) to the GSM MSC. The new Kc will be usedto create any future CK and IK as well as for all communi-cation between the GSM BTS and the mobile by usingEquations (5) and (6). This decreases the security of thesystem beyond the 64 bits of knowledge shown in theprevious weakness to a full break of all future communica-tion. All future communication until a new authentication

obile ing MSC)

UMTS AUC

Home Network

n to GSM BTS e authentication vector (RAND,XRES, Kc) which is RAND,XRES, CK, IK, AUTN).nd forwards Kc to the GSM BTS

with UMTS Mobile subscriber UMTS Mobile and the GSM BTS ing the GSM Kc. Which is insecure due to the attacks

2

3

RAND,XRES,Kc

via a GSM BTS, which is connected to a GSM MSC.

505


request can be discovered and modified by a false BS.This is the worst case scenario for a UMTS device as itis fully compromised.

5. PROPOSED SOLUTION TOPROBLEM OF GSM INTEGRATIONIN UMTS

To solve the issues brought about by integrating the largeinstall base of the GSM platform and network equipmentinto the new and more secure UMTS system, we havetwo solutions. We cannot do large modifications to theexisting GSM system to protect the communication thatwill happen when in a GSM context and will thereforeassume that when communication happens in a GSMcontext thatKc will be compromised and known to attackers.Our focus is on protecting the UMTS communication fromattacks through the integration with GSM. First, we show amodification to GSM that will allow future communicationto be secure when on an UMTS network. Our secondproposal is a larger modification to the UMTS protocols toharden the communication in UMTS from attacks becauseof the GSM integration. It is worth mentioning that both ofthe proposals do nothing to increase the security in GSM.GSM is still insecure, but we are protecting UMTS fromthe integration with GSM.

5.1. Proposed modification to GSM

The change we are proposing to the GSM authenticationprotocol shown in Figure 8 is simple and yet very effective.As all GSM devices have a hashing algorithm available,such as A3 and A8, and this operation need only happenonce when moving from tower to tower, the overheadshould be minimal. It may be simple to implement thischange to existing GSM system hardware. A hashing

GSM AUCHome

Network

RAND, SRES, Kc

IMSIIMSI

RAND

SRES`

EncryptionKh= hash (Kc) Kh= hash (Kc)

Figure 8. Proposed modification to GSM protocol.

506 Sec

algorithm is able to keep the source material unknownwhile creating the same output if given identical input.

This is because it is computationally hard to discoverthe input if the output is known. Therefore, we propose thatthe encryption in GSM is carried out with a new key Kh,which is a hash of Kc instead of Kc directly, as it is shownin Equation (7).

Kh ¼ hash Kcð Þ (7)

This would leave the GSM communication open to allof the previous attacks but when compromised would givethe attacker access to Kh instead of Kc. We will nowdescribe how this change protects the communication ineach of the previously described scenarios.

5.1.1. GSM mobile device with UMTS networkFigure 9 shows how GSM authentication takes place

with the proposed modification; we see that the airinterface between the mobile subscriber and the BTS isencrypted using shared key Kh. If we assumed that anattacker has successfully compromised Kh because of theinsecurity of GSM, still, the attacker has no access to thevalue of KC. This means that the values of CK and IK thatare derived from Kc (see Equations (4) and (5)) are notcompromised. Therefore, in this scenario, UMTS securitywill not compromised, and its strength depends on thesecurity of the cryptographic hash function used inEquation (7).

5.1.2. UMTS mobile device with GSM BTSWhen encrypting the communication again between

the mobile and the GSM BTS by using the key Kh

(see Figure 7), the value of Kc will be shielded by the cryp-tographic hash function. This hash would keep the attackerfar from deriving 64 bits of CK and IK when the usermoves to other networks as the attacker would not beable to discern anything beyond Kh when the system iscommunicating in this scenario. Again, knowing the valueof Kh gives no significant knowledge of KC and thereforeno partial knowledge of CK and IK.

5.1.3. UMTS mobile device with GSM BTS andMSC

Similarly in this scenario, the cryptographic hashfunction protects Kc from the attacker. This has a muchlarger implication in this scenario as the CK and IK thatwill be used in the future are completely derived from Kc

and will be protected from attack because the hash functionis a one-way function. Therefore, the compromised Kh willnot give the attacker significant knowledge of Kc andthrough that will protect all future communication usingCK and IK that are derived directly from Kc.

5.2. Proposed modification to UMTS

The change to the UMTS protocol is twofold as it needs toprotect information when moving to a GSM network and


UMTS AUC Home

Network

CK, IK, RAND

TMSI, Kc

RAND

Encryption

CK, IKCK, IK

Figure 9. Request/response to retrieve new CK and IK.


protect the user when moving back to a UMTS networkcontext. First, we recommend that instead of using theequations developed for integration of the legacy GSMprotocols, we propose that a hash of CK and IK be usedto create the key Kc to be used when communicating inthe GSM network. That is, Equation (1) will be modifiedas follows:

Kc ¼ CH1�CH2�IH1�IH2 (8)

where hash CKð Þ ¼ CH1jjCH2 (9)

and hash IKð Þ ¼ IH1jjIH2 (10)

The advantage to using this equation as opposed toEquation (1) is that the attacker will be unable to findinformation relating to CK and IK by knowing the valueof Kc. This modification would protect the information sentbefore moving to the GSM context by securing the valuesof CK and IK from creating the value of Kc.

The second change to the protocol is to have the UMTSmobile device, and the network does a simple hash of Kc,K, and a RAND to create a new CK and IK for useafter leaving the GSM context. This would be a simplerequest/response from the new UMTS network to theUMTS AUC to create the new CK and IK to be used forcommunication similar to a location update as can be seenin Figure 7. The small request would be much lessoverhead than a full reauthentication in UMTS to limitresource utilization on the network. The message sentwould be similar to the location update by sending theTemporary Mobile Subscriber Identity (TMSI) along withKc to the UMTS AUC. The UMTS AUC would then per-form a hashing operation as to create a new set of keysfor IK and CK that we will call KCK||IK shown as follows:

KCKjjIK ¼ hash KcjjKjjRANDð Þ (11)

where KCKjjIK ¼ CKjjIK (12)

The AUC will proceed to respond with the new KCK||IK

and a RAND to be sent to the mobile device to perform the


same operation. This would by necessity have to occurbefore or immediately after handover to a fully UMTScontext. The mobile device and the UMTS network wouldthen be able to communicate securely without consideringthe fact that the Kc could have been compromised duringthe GSM communication context. The next sections willdescribe the impact of this change on the different networkscenarios.

5.2.1. GSM mobile device with UMTS networkThis context would use the new KCK||IK created in

Equation (11) for the keys CK and IK to be used in theUMTS-encrypted communication. This would makethe communication secure from any possible attack if thevalue of Kc had been discovered previously during a fullyGSM context. The new values of CK and IK are notderived with Equation (1) and therefore do not directlycome from Kc, which makes future communication securefrom a compromised GSM context.

5.2.2. UMTS mobile device with GSM BTSThe communication in this context would be encrypted

using a Kc derived from Equation (8). The communicationduring this GSM-based context would be compromised,but communication that occurred before this point wouldbe secure because of the hash in Equation (8) that createsthe key Kc, and communication after this context wouldbe secure because Kc would have been created from a hash,and therefore, the existing CK and IK can be used withconfidence for future communications as no informationon the existing CK and IK has been discovered.

5.2.3. UMTS mobile device with GSM BTS andMSC

In this context, once again, the hash in Equation (8)protects CK and IK from the attacker, and therefore, allprevious communication is secure, and no significantknowledge of CK and IK is available to the attacker. Kc

is still available to be compromised by an attacker in thisconfiguration, and therefore, when moving to anothercontext from this context, we will be creating a new CK

507


and IK from Equation (11) that will make future communi-cation secure.

6. CONCLUSION

Wireless network communication requires that user equip-ment be able to securely connect to the network andmaintain integrity of that communication. In stationarynetworks, there is no requirement for user equipment touse all APs and to communicate while roaming betweenAPs. Mobile networks have different requirement, andlegacy protocols needed to be integrated into new networksystems.

To help manage the transition from the legacy GSMsystem, protocols were devised to integrate the billions ofexisting devices into the new UMTS network. Theintegration protocols that allow for the integration of thoselegacy devices also inadvertently brought the insecurity ofthe GSM system into the new much more secure UMTSsystem. The GSM key Kc can be compromised, andtherefore, because of the method of integrating the twosystems together that uses simple Equations (1), (4), and(5) to create the keys CK, IK, and Kc used for encryptionand integrity, an attacker that has discovered Kc candiscern either all or part of CK and IK. This integrationhas allowed previous attacks on the GSM system to beeffective against attacking the UMTS network negatingthe positive changes brought about by the mutual authenti-cation in UMTS.

We have proposed two different changes to the proto-cols in mobile networks to protect against the legacyintegration of GSM. One is a very simple change to theGSM protocol to protect Kc by creating Kh a hash of Kc

shown in Equation (7), which is to be used when encrypting.This will protect Kc from attackers and therefore, protect theUMTS communication that depends on the keys devisedfrom Equations (1), (4), and (5). The other change wepropose is for the UMTS protocol to be modified to removeEquations (2), (5), and (6) used to generate CK, IK, and Kc

and replaces those equations with Equations (8) and (11),which both use a hash function. We also create a simplerequest/response protocol to generate a new CK, IK pairgenerated from Equation (11) to be used in future communi-cation. The changes we have proposed will help resolve theinsecurity brought about by the legacy integration of theGSM equipment and protocols into the new UMTS system.The integration that was required because of the large andgrowing install-base of GSM devices.

Out of the two solutions proposed, we recommend thesolution of a GSM hash because it changes the protocolthat has introduced the problems with a minimal amountof effort. GSM already has cryptographically strong hashfunctions available for use and should be modified to dothe single hash of the Kc value to increase the security of

508 Sec

communication. We have not performed a full evaluationof the security scheme, but it does resolve the issues thatcome about because of the GSM and UMTS integrationas shown in the previous sections. The modification shouldbe easily applied to UMTS devices in their support ofthe GSM protocols and add the increased security thatthe change would provide. The other advantage of thismodification is that when the GSM protocols are no longerrequired in the future, this change will then be removed aswell making it much more self-contained than the changesto the UMTS protocol that we propose. The deploymentof this solution would require software updates to becarried out over multiple world wide networks andwould need to be a large managed project for the networkoperators.

REFERENCES

1. Southern E, Ouda A, Shami A. Securing USIM-basedmobile communications from interoperation of SIM-based communications. The International Journal forInformation Security Research (IJISR) 2012; 2(1/2):313–324. ISSN: 2042–4639.

2. Fluhrer S, Mantin I, Shamir A. Weaknesses in thekey scheduling algorithm of RC4. Lecture Notes inComputer Science 2001; 2259:1–24.

3. Kerckhoffs A. La cryptographie militaire. Journal desSciences Militaires 1883; IX:538.

4. Biryukov A, Shamir A, Wagner D. Real time cryptanal-ysis of a5/1 on a PC. In FSE: Fast Software Encryption.Springer-Verlag: New York, NY, USA, 2000; 1–18.

5. Barkan E, Biham E, Keller N. Instant ciphertext-onlycryptanalysis of GSM encrypted communication. Journalof Cryptology 2008; 21(3): 392–429.

6. 3GPP. Security Objectives and Principles. 3rd Genera-tion Partnership Project (3GPP), TS 33.120, Apr. 2001.Available: http://www.3gpp.org/ftp/Specs/html-info/33120.htm

7. Dunkelman O, Keller N, Shamir A. A practical-time at-tack on the a5/3 cryptosystem used in third generationgsm telephony, Cryptology ePrint Archive, Report2010/013, 2010. Available: http://eprint.iacr.org/.

8. Mapp G, Aiash M, Lasebae A, Phan R. Security modelsfor heterogeneous networking. In Security and Cryptog-raphy (SECRYPT). Proceedings of the 2010 Interna-tional Conference on, July 2010; 1–4.

9. 3GPP. 3G security; Security architecture. 3rd Genera-tion Partnership Project (3GPP), TS 33.102, Jun. 2008.Available: http://www.3gpp.org/ftp/Specs/html-info/33102.htm


http://www.3gpp.org/ftp/Specs/html-info/33120.htm


http://eprint.iacr.org/



Documents

Wireless security: securing mobile UMTS communications ... · security of wireless networks without replacing the legacy hardware. There was a rush to create a more secure wireless