Embed Size (px)
Citation preview
Security in Mobile Cellular Networks
@3g4gUK
3GPP Security Architecture
©3G4G
• 3GPP TS 33.102: 3G Security; Security architecture• 3GPP TS 33.401: 3GPP System Architecture Evolution
(SAE); Security architecture
Five security feature groups are defined. Each of these feature groups meets certain threats and accomplishes certain security objectives:
o Network access security (I): the set of security features that provide users with secure access to services, and which in particular protect against attacks on the (radio) access link.
o Network domain security (II): the set of security features that enable nodes to securely exchange signalling data, user data (between AN and SN and within AN), and protect against attacks on the wireline network.
o User domain security (III): the set of security features that secure access to mobile stations.
o Application domain security (IV): the set of security features that enable applications in the user and in the provider domain to securely exchange messages.
o Visibility and configurability of security (V): the set of features that enables the user to inform himself whether a security feature is in operation or not and whether the use and provision of services should depend on the security feature.
Evolution of 3GPP Security (I)
©3G4G
Source: 3GPP - Bengt Sahlin
Evolution of 3GPP Security (II)
©3G4G
Source: 3GPP - Bengt Sahlin
Evolution of 3GPP Security in 5G
©3G4G
Source: Huawei 5G Security Architecture White Paper
Scope of this Presentation
©3G4G
• User Identity Confidentiality
• Authentication
• Ciphering (Confidentiality)
• Integrity Protection
• Signalling examples
• Sample messages (where available)
• Simple examples of hacking of the mobile network
Identities
©3G4G
• Each Mobile device contain IMEI (International Mobile Equipment Identity)
• The SIM card contains IMSI (International Mobile Subscriber Identity)
• During the operation, IMSI has to be hidden with help of temporary identities in order to provide:
• user identity confidentiality
• user location confidentiality
• user untraceability
Temporary Identities
©3G4G
• In 2G/3G:
• TMSI (Temporary Mobile Subscriber Identity)
• P-TMSI (Packet TMSI)
• In 4G/LTE:
• GUTI (Globally Unique Temporary UE Identity)
GUMMEI - Globally Unique MME IdentifierMMEGI - MME Group IDMMEC - MME CodeS-TMSI = SAE Temporary Mobile Subscriber IdentityM-TMSI = MME Temporary Mobile Subscriber Identity
More details: 3GPP TS 23.003
What is Authentication?
©3G4G
• Authentication is to verify everyone is who they claim to be Hello, I am James Bond
Hello, I am the Queen
• Authentication is performed via AKA or Authentication and Key Agreement Procedure
• In 2G, we only had Handset Authentication whereas in 3G & 4G, we perform Mutual Authentication to verify the handset as well as the base station.
2G, 3G, 4G Simple Network Architecture
©3G4G
BSC
BTS
MSC
Voice (PSTN)Network
SGSN
Data (IP)Network
RNC
Node BeNodeB
MME
GGSN
AccessNetwork
CoreNetwork
AirInterface
MSUEUE
BSSRNS
S-GW
P-GW
2G 2.5G
3G 4G
EPC
HLR, HSS & AuC
©3G4G
• HLR – Home Location Register• HSS – Home Subscriber Server• AuC – Authentication Center
4G PS Core Network
2G/3G PS Core Network
2G/3G CS Core Network
HLR/HSS/AuC
DATA
Logic
Further Reading: 3G4G Blog
UICC & SIM
©3G4G
2G SIM UMTS SIM (USIM)
IMSI MSISDN
SMS Data
Address Book
IMSIMSISDN
MSISDNMSISDN
Authentication Data and Keys
Multimedia Messaging Config Data
IMS SIM (ISIM)
Security KeysHome Network Domain
Name (URI)
Private User Identityy
Public User Identity
Administrative Data
Access Rule Reference
Address of P-CSCF
Ki
The Attach Procedure Signalling
©3G4G
UE AN CS CN PS CN
Access Network (AN) Core Network (CN)
PS CN broadcast information
CS CN broadcast informationSystem information messages
Hello, I am UE 1
Hello UE1, please use this channel <…>
Thanks, I am all setup.
Hello, I am UE 1. Want to Attach and let you know that I am now active
Hello UE 1, please authenticate yourself against this vector <…>
No problems, here is my authentication response <…>
The Attach Procedure Signalling
©3G4G
UE AN CS CN PS CN
I trust UE1, please establish security with itEstablish Security using <…>
Thanks, all done.
Security Established
Access Network (AN) Core Network (CN)
UE1 is now connected to us
Attach Accept. Please use this new temporary identity for now
Attach Complete.
What is Ciphering?
©3G4G
• Ciphering is the process of Encryption & Decryption
• Its got nothing to do with compression / decompression
• Example of 2G Ciphering
Actual Security Procedure in GSM
©3G4G
UE BSC MSC/VLR
Authentication Request (CKSN, RAND)
Authentication Response (SRES)
BTS
Authentication Request (CKSN, RAND)
Authentication Request (CKSN, RAND)
Authentication Response (SRES)Authentication Response (SRES)
Cipher Mode Command (Kc, A5x)
Cipher Mode Complete
Cipher Mode CompleteCipher Mode Complete
Cipher Mode Command (Kc, A5x)
Cipher Mode Command (A5x)
CKSN – Cipher Key Sequence NumberRAND – Random Number (128 bits)SRES – Signed Response (32 bits)XRES – Expected Response (32 bits)Kc – Ciphering Key (64 bit)A5 – Encryption Algorithm (A5/0 to A5/7)
Access Network (AN) Core Network (CN)
Actual Security Procedure in GPRS
©3G4G
UE BSC SGSN
Authentication and Ciphering Request (RAND)
Authentication and Ciphering Response (SRES)
BTS
Authentication and Ciphering Request (RAND)
Authentication and Ciphering Request (RAND)
Authentication and Ciphering Response (SRES)Authentication and Ciphering Response (SRES)
CKSN – Cipher Key Sequence NumberRAND – Random Number (128 bits)SRES – Signed Response (32 bits)XRES – Expected Response (32 bits)Kc – Ciphering Key (64 bit)A5 – Encryption Algorithm (A5/0 to A5/7)
Access Network (AN) Core Network (CN)
Security Architecture Evolution
©3G4G
Core Network
MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC
GSM
Handset Authentication
Ciphering (AN CP, UP)
GPRSHandset Authentication + Ciphering (AN CP, UP)
AN – Access NetworkAS – Access StratumRRC – Radio Resource ControlNAS – Non-Access StratumCP – Control PlaneUP – User Plane
Fake Cell Towers on Planes to Gather Data From Phones
©3G4G
Source: MacRumors
What is Integrity Protection?
©3G4G
• A 32 bit (4 octet) number is added to certain signalling messages in 3G & 4G to authenticate individual messages
• In 3G, Integrity protection is done at RRC layer
• In 4G, a Integrity protection happens at PDCP and in NAS.
Example of MAC-I in 3G / UMTS
©3G4G
• Message Authentication Code MAC-I
Example of MAC-I in 4G / LTE
©3G4G
UMTS Security Overview
©3G4G
Further Reading & References: UMTS Security: A Primer
UMTS Security Overview
©3G4G
UE RNC VLR / SGSNNodeB
Access Network (AN) Core Network (CN)
RRC Connection Setup Procedure(Start Value, HFNs and the Security Capability is stored in RNC )
Initial L3 Message (user identity, KSI, etc)
Authentication & Key Agreement (AKA) Procedure
UIA, UEA decision
Security Mode Command (UIAs, IK, UEAs, CK, etc)
Select UIA, UEA Generate FRESHStart Integrity
UMTS Security Overview
©3G4G
UE RNC VLR / SGSNNodeB
Access Network (AN) Core Network (CN)
Security Mode Complete
Verify received message
Security Mode Command (CN domain, UIA, UEA, FRESH, Security Capability, etc)
Start Integrity
Security Mode Complete (selected UIA, UEA)
Key things to remember in UMTS Security
©3G4G
• Integrity protection is mandatory and Ciphering optional
• The user plane (UP) for each domain is protected by its own Ciphering Key while the control plane (CP) is protected by Ciphering & Integrity Keys from the last domain
• Ciphering for CS domain happens in MAC as RLC is in transparent mode (TM)
• Ciphering for PS domain happens in RLC for acknowledged mode (AM) or unacknowledged mode (UM)
• For the first domain
• Authentication messages are not Integrity Protected or Ciphered
• Security Mode Command is the first Integrity protected message
Key things to remember in UMTS Security
©3G4G
• For the second domain
• Authentication messages are Integrity Protected and optionally ciphered with the first domain keys
• Security Mode Command requests modification of Integrity protection and Ciphering for the CP
• The new integrity protection and ciphering takes place after the Security Procedure is complete
• It is possible that ciphering is enabled for one domain and disabled for another
Actual Security Procedure in UMTS – PS
©3G4G
UE RNC SGSN
Authentication and Ciphering Request
Authentication and Ciphering Response (SRES)
Node B
Authentication and Ciphering Request
Authentication and Ciphering Request
Authentication and Ciphering Response (SRES)Authentication and Ciphering Response (SRES)
Security Mode Command
Security Mode Complete
Security Mode CompleteSecurity Mode Complete
Security Mode Command
Security Mode Command
Access Network (AN) Core Network (CN)
UMTS Security for PS Domain - Authentication
©3G4G
DL-DCCH-Message-----> downlinkDirectTransfer
DL-DCCH-Message = message = downlinkDirectTransfer = r3 =
downlinkDirectTransfer-r3 = rrc-TransactionIdentifier = 0cn-DomainIdentity = ps-domainnas-Message = 0812013021D5770C6D363E30C364A4078F1BF8ED3A8028106E323B36C46C5555D5760E6E323B6391
Authentication and Ciphering Request-----> Authentication and Ciphering Request PDU:
Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x8 - GPRS Mobility Management [ 8 ] Message Type [8 bits] = 0x12 - Authentication and Ciphering Request [ 18 ] IMEISV Request
Spare Bits [1 bit] = 0x0 [ 0 ] value [3 bits] = 0x0 - IMEISV Not Requested [ 0 ]
Ciphering AlgorithmSpare Bits [1 bit] = 0x0 [ 0 ] Type of Algorithm [3 bits] = 0x1 [ 1 ]
A & C Reference Numbervalue [4 bits] = 0x3 [ 3 ]
Force StandbySpare Bits [1 bit] = 0x0 [ 0 ] value [3 bits] = 0x0 - Force to Standby Not Indicated [ 0 ]
Authentication Parameter Rand IE Identifier [8 bits] = 0x21 [ 33 ] Authentication Parameter Rand = 0xD5770C6D363E30C364A4078F1BF8ED3A
Ciphering Key Sequence NumberIE Identifier [4 bits] = 0x8 [ 8 ] Spare Bits [1 bit] = 0x0 [ 0 ] Key Sequence [3 bits] = 0x0 - Ciphering Key Sequence Number [ 0 ]
Authentication Parameter AUTNIE Identifier [8 bits] = 0x28 [ 40 ] IE Length [8 bits] = 0x10 [ 16 ] value = 0x6E323B36C46C5555D5760E6E323B6391
UL-DCCH-Message <----- uplinkDirectTransfer
UL-DCCH-Message = message = uplinkDirectTransfer =
cn-DomainIdentity = ps-domainnas-Message = 08130322D5760E6E290C323B36C46CAD0D8417F5E335
Authentication and Ciphering Response <----- Authentication and Ciphering Response PDU:
Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x8 - GPRS Mobility Management [ 8 ] Message Type [8 bits] = 0x13 - Authentication and Ciphering Response [ 19 ] Spare Half Octet [4 bits] = 0x0 [ 0 ] A & C Reference Number
value [4 bits] = 0x3 [ 3 ] Authentication Response Signature
IE Identifier [8 bits] = 0x22 [ 34 ] Value = 0xD5760E6E [ 3581283950 ]
Authentication Response ParameterIE Identifier [8 bits] = 0x29 [ 41 ] IE Length [8 bits] = 0xC [ 12 ] value = 0x323B36C46CAD0D8417F5E335
Source: 3GPP Conformance Test 8.1.7.1c
UMTS Security for PS Domain - Security
©3G4G
DL-DCCH-Message -----> securityModeCommand
DL-DCCH-Message = integrityCheckInfo =
messageAuthenticationCode = 01000111111001000001111101101001rrc-MessageSequenceNumber = 0
message = securityModeCommand = r3 = securityModeCommand-r3 = rrc-TransactionIdentifier = 0securityCapability =
cipheringAlgorithmCap = 0000000000000011integrityProtectionAlgorithmCap = 0000000000000010
cipheringModeInfo = cipheringModeCommand = startRestart = uea1rb-DL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfoRB-ActivationTimeInfo(1) =
rb-Identity = 1rlc-SequenceNumber = 0
RB-ActivationTimeInfo(2) = rb-Identity = 2rlc-SequenceNumber = 2
RB-ActivationTimeInfo(3) = rb-Identity = 3rlc-SequenceNumber = 3
RB-ActivationTimeInfo(4) = rb-Identity = 4rlc-SequenceNumber = 0
integrityProtectionModeInfo = integrityProtectionModeCommand = startIntegrityProtection = integrityProtInitNumber = 00000000000000000000000000000000
integrityProtectionAlgorithm = uia1cn-DomainIdentity = ps-domainue-SystemSpecificSecurityCap = SEQUENCE OF InterRAT-UE-SecurityCapability
InterRAT-UE-SecurityCapability(1) = gsm = gsmSecurityCapability = 0000011
UL-DCCH-Message <----- securityModeComplete
UL-DCCH-Message = integrityCheckInfo =
messageAuthenticationCode = 10000000110110110111011001011001rrc-MessageSequenceNumber = 1
message = securityModeComplete = rrc-TransactionIdentifier = 0ul-IntegProtActivationInfo = rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber
RRC-MessageSequenceNumber(1) = 0RRC-MessageSequenceNumber(2) = 0RRC-MessageSequenceNumber(3) = 0RRC-MessageSequenceNumber(4) = 0RRC-MessageSequenceNumber(5) = 0
rb-UL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfoRB-ActivationTimeInfo(1) =
rb-Identity = 1rlc-SequenceNumber = 0
RB-ActivationTimeInfo(2) = rb-Identity = 2rlc-SequenceNumber = 8
RB-ActivationTimeInfo(3) = rb-Identity = 3rlc-SequenceNumber = 5
RB-ActivationTimeInfo(4) = rb-Identity = 4rlc-SequenceNumber = 0
Source: 3GPP Conformance Test 8.1.7.1c
Actual Security Procedure in UMTS - CS
©3G4G
UE RNC MSC/VLR
Authentication Request
Authentication Response (SRES)
Node B
Authentication Request
Authentication Request
Authentication Response (SRES)Authentication Response (SRES)
Security Mode Command
Security Mode Complete
Security Mode CompleteSecurity Mode Complete
Security Mode Command
Security Mode Command
Access Network (AN) Core Network (CN)
UMTS Security for CS Domain on top of PS domain - Authentication
©3G4G
DL-DCCH-Message-----> downlinkDirectTransfer
DL-DCCH-Message = integrityCheckInfo =
messageAuthenticationCode = 10001011101111001101101110110000rrc-MessageSequenceNumber = 1
message = downlinkDirectTransfer = r3 = downlinkDirectTransfer-r3 = rrc-TransactionIdentifier = 0cn-DomainIdentity = cs-domainnas-Message = 051200D5770C6D363E30C364A4078F1BF8ED3A20106E323B36C46C5555D5760E6E323B6391
Authentication Request -----> Authentication Request PDU:
Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x5 - Mobility Management [ 5 ] Message Type [8 bits] = 0x12 - Authentication Request [ 18 ] Spare Half Octet [4 bits] = 0x0 [ 0 ] Ciphering Key Sequence Number
Spare Bits [1 bit] = 0x0 [ 0 ] Key Sequence [3 bits] = 0x0 - Ciphering Key Sequence Number [ 0 ]
Authentication Parameter Rand = 0xD5770C6D363E30C364A4078F1BF8ED3AAuthentication Parameter AUTN
IE Identifier [8 bits] = 0x20 [ 32 ] IE Length [8 bits] = 0x10 [ 16 ] value = 0x6E323B36C46C5555D5760E6E323B6391
UL-DCCH-Message<----- uplinkDirectTransfer
UL-DCCH-Message = integrityCheckInfo =
messageAuthenticationCode = 00101110010111100100100101111011rrc-MessageSequenceNumber = 3
message = uplinkDirectTransfer = cn-DomainIdentity = cs-domainnas-Message = 0514D5760E6E210C323B36C46CAD0D8417F5E335
Authentication Response <----- Authentication Response PDU:
Transaction Identifier or Skip Indicator [4 bits] = 0x0 [ 0 ] Protocol Discriminator [4 bits] = 0x5 - Mobility Management [ 5 ] Message Type [8 bits] = 0x14 - Authentication Response [ 20 ] Authentication Response Signature
Value = 0xD5760E6E [ 3581283950 ] Authentication Response Parameter
IE Identifier [8 bits] = 0x21 [ 33 ] IE Length [8 bits] = 0xC [ 12 ] value = 0x323B36C46CAD0D8417F5E335
Source: 3GPP Conformance Test 8.1.7.1c
UMTS Security for CS Domain on top of PS domain - Security
©3G4G
DL-DCCH-Message -----> securityModeCommand
DL-DCCH-Message = integrityCheckInfo = messageAuthenticationCode = 11000100010100111100000101111100rrc-MessageSequenceNumber = 3
message = securityModeCommand = r3 = securityModeCommand-r3 = rrc-TransactionIdentifier = 0securityCapability =
cipheringAlgorithmCap = 0000000000000011integrityProtectionAlgorithmCap = 0000000000000010
cipheringModeInfo = cipheringModeCommand = startRestart = uea1rb-DL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfoRB-ActivationTimeInfo(1) = rb-Identity = 1rlc-SequenceNumber = 0
RB-ActivationTimeInfo(2) = rb-Identity = 2rlc-SequenceNumber = 11
RB-ActivationTimeInfo(3) = rb-Identity = 3rlc-SequenceNumber = 8
RB-ActivationTimeInfo(4) = rb-Identity = 4rlc-SequenceNumber = 0
integrityProtectionModeInfo = integrityProtectionModeCommand = modify = dl-IntegrityProtActivationInfo = rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber
RRC-MessageSequenceNumber(1) = 0RRC-MessageSequenceNumber(2) = 0RRC-MessageSequenceNumber(3) = 3RRC-MessageSequenceNumber(4) = 2RRC-MessageSequenceNumber(5) = 0
integrityProtectionAlgorithm = uia1cn-DomainIdentity = cs-domainue-SystemSpecificSecurityCap = SEQUENCE OF InterRAT-UE-SecurityCapability
InterRAT-UE-SecurityCapability(1) = gsm = gsmSecurityCapability = 0000011
UL-DCCH-Message <----- securityModeComplete
UL-DCCH-Message = integrityCheckInfo =
messageAuthenticationCode = 01011001010010101011010110101100rrc-MessageSequenceNumber = 3
message = securityModeComplete = rrc-TransactionIdentifier = 0ul-IntegProtActivationInfo = rrc-MessageSequenceNumberList = SEQUENCE OF RRC-MessageSequenceNumber
RRC-MessageSequenceNumber(1) = 5RRC-MessageSequenceNumber(2) = 1RRC-MessageSequenceNumber(3) = 3RRC-MessageSequenceNumber(4) = 4RRC-MessageSequenceNumber(5) = 1
rb-UL-CiphActivationTimeInfo = SEQUENCE OF RB-ActivationTimeInfoRB-ActivationTimeInfo(1) =
rb-Identity = 1rlc-SequenceNumber = 0
RB-ActivationTimeInfo(2) = rb-Identity = 2rlc-SequenceNumber = 11
RB-ActivationTimeInfo(3) = rb-Identity = 3rlc-SequenceNumber = 11
RB-ActivationTimeInfo(4) = rb-Identity = 4rlc-SequenceNumber = 0
Source: 3GPP Conformance Test 8.1.7.1c
UMTS Security for CS Domain on top of PS domain – Voice Radio Bearers Setup
©3G4G
DL-DCCH-Message -----> radioBearerSetup
DL-DCCH-Message = integrityCheckInfo =
messageAuthenticationCode = 10100011001100001001101011010110rrc-MessageSequenceNumber = 4
message = radioBearerSetup = r3 = radioBearerSetup-r3 = rrc-TransactionIdentifier = 0activationTime = 184rrc-StateIndicator = cell-DCHrab-InformationSetupList = SEQUENCE OF RAB-InformationSetup
RAB-InformationSetup(1) = rab-Info =
rab-Identity = gsm-MAP-RAB-Identity = 00000001cn-DomainIdentity = cs-domainre-EstablishmentTimer = useT314
rb-InformationSetupList = SEQUENCE OF RB-InformationSetupRB-InformationSetup(1) = rb-Identity = 10rlc-InfoChoice = rlc-Info =
ul-RLC-Mode = ul-TM-RLC-Mode = segmentationIndication = FALSE
dl-RLC-Mode = dl-TM-RLC-Mode = segmentationIndication = FALSE
rb-MappingInfo = SEQUENCE OF RB-MappingOptionRB-MappingOption(1) = ul-LogicalChannelMappings = oneLogicalChannel =
ul-TransportChannelType = dch = 1rlc-SizeList = configured = NULLmac-LogicalChannelPriority = 6
dl-LogicalChannelMappingList = SEQUENCE OF DL-LogicalChannelMappingDL-LogicalChannelMapping(1) = dl-TransportChannelType = dch = 6
RB-InformationSetup(2) = rb-Identity = 11
…
UL-DCCH-Message<----- radioBearerSetupComplete
UL-DCCH-Message = integrityCheckInfo =
messageAuthenticationCode = 10101010000100111100011111001010rrc-MessageSequenceNumber = 4
message = radioBearerSetupComplete = rrc-TransactionIdentifier = 0start-Value = 00000000000000000010count-C-ActivationTime = 168
Source: 3GPP Conformance Test 8.1.7.1c
Security Architecture Evolution
©3G4G
Core Network
MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC
GSM
Handset Authentication
Ciphering (AN CP, UP)
GPRSHandset Authentication + Ciphering (AN CP, UP)
UMTS
Mutual Authentication
Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC)
AN – Access NetworkAS – Access StratumRRC – Radio Resource ControlNAS – Non-Access StratumCP – Control PlaneUP – User Plane
IPSec (Optional)
Hacking The Femtocells - UMTS
©3G4G
More Info: Femto Hacking in UMTS and LTE
Hacking The Femtocells - LTE
©3G4G
More Info: Femto Hacking in UMTS and LTE
Key Hierarchy in LTE / E-UTRAN
©3G4G
Picture Source: RedYoda 3GPP Spec Reference: TS 33.401
K - Master keyCK - Cipher KeyIK - Integrity KeyKASME - Key-Access Security Management EntityKNASenc - Key-NAS encryptionKNASint - Key-NAS integrityKeNB - Key-eNodeBNH - Next HopKUPint - Key-User Plane integrityKUPenc - Key-User Plane encryptionKRRCint - Key-Radio Resource Control integrityKRRCenc - Key-Radio Resource Control encryption
EPS Authentication and Key Agreement (EPS-AKA) procedure
©3G4G
Picture Source: RedYoda 3GPP Spec Reference: TS 33.401
AUTN - Authentication TokenRAND - A 128 bit random numberSQN - 48 bit sequence number RES - ResponseXRES - Expected ResponseKDF - Key Derivation FunctionKSI - Key Set IdentifierSN Id - Serving Network IdK - Master keyCK - Cipher KeyIK - Integrity KeyKASME - Key-Access Security Management Entity
Actual Security Procedure in LTE
©3G4G
UE eNodeB MME
Authentication Request
Authentication Response (SRES)
Authentication Request
Authentication Response (SRES)
Security Mode Command
NAS: Security Mode Complete
Security Mode Complete
NAS: Security Mode Command
Access Network (AN) Core Network (CN)
RRC: Security Mode Complete
RRC: Security Mode Command
LTE Security Signaling - Authentication
©3G4G
Authentication Request PDUSecurity header type [4 bits] = 0x0 [ 0 ]Protocol Discriminator [4 bits] = 0x7 [ 7 ]Message Type [8 bits] = 0x52 - Authentication Request [ 82 ]Spare Half Octet [4 bits] = 0x0 [ 0 ]NAS key set identifierASME
Type of security context flag [1 bit] = 0x0 [ 0 ]ksi [3 bits] = 0x0 [ 0 ]
Authentication Parameter Rand Authentication Parameter Rand = 0xA3DE0C6D363E30C364A4078F1BF8D577
Authentication Parameter AUTNIE Length [8 bits] = 0x10 [ 16 ]value = 0x6E323B36C46C5555A3DF0E6E323B6391
075200A3DE0C6D363E30C364A4078F1BF8D577106E323B36C46C5555A3DF0E6E323B6391
DL-DCCH-Message dlInformationTransfer
DL-DCCH-Message = message = c1 = dlInformationTransfer =
rrc-TransactionIdentifier = 0criticalExtensions = c1 = dlInformationTransfer-r8 =
dedicatedInfoType = dedicatedInfoNAS = 075200A3DE0C6D363E30C364A4078F1BF8D577106E323B36C46C5555A3DF0E6E323B6391
0801203A90051EF06369B1F1861B25203C78DFC6ABB8837191D9B62362AAAD1EF8737191DB1C88
UL-DCCH-Message ulInformationTransfer
UL-DCCH-Message = message = c1 = ulInformationTransfer =
criticalExtensions = c1 = ulInformationTransfer-r8 = dedicatedInformationType = dedicatedInfoNAS = 075308A3DF0E6E323B36C4
480160EA61147BE1CDC64766D880
Authentication Response Authentication Response PDU
Security header type [4 bits] = 0x0 [ 0 ]Protocol Discriminator [4 bits] = 0x7 [ 7 ]Message Type [8 bits] = 0x53 - Authentication Response [ 83 ]Authentication response parameter
IE Length [8 bits] = 0x8 [ 8 ]Authentication response parameter information = 0xA3DF0E6E323B36C4
075308A3DF0E6E323B36C4
Source: 3GPP Conformance Test 8.1.2.1
LTE Security Signaling – NAS Security 1
©3G4G
Security Mode Command Security Mode Command PDU
Security Mode Command PDU[1]Security header type [4 bits] = 0x0 [ 0 ]
Protocol Discriminator [4 bits] = 0x7 [ 7 ]Message Type [8 bits] = 0x5D - Security Mode Command [ 93 ]Selected NAS security algorithms
Spare Bits [1 bit] = 0x0 [ 0 ]Type of ciphering algorithm [3 bits] = 0x0 [ 0 ]Spare Padding [1 bit] = 0x0 [ 0 ]Type of integrity protection algorithm [3 bits] = 0x1 [ 1 ]
Spare Half Octet [4 bits] = 0x0 [ 0 ]NAS key set identifierASME
Type of security context flag [1 bit] = 0x0 [ 0 ]ksi [3 bits] = 0x0 [ 0 ]
Replayed UE security capabilitiesIE Length [8 bits] = 0x2 [ 2 ]eea0_128 [1 bit] = 0x1 [ 1 ]eea1_128 [1 bit] = 0x1 [ 1 ]eea2_128 [1 bit] = 0x0 [ 0 ]eea3 [1 bit] = 0x0 [ 0 ]eea4 [1 bit] = 0x0 [ 0 ]eea5 [1 bit] = 0x0 [ 0 ]eea6 [1 bit] = 0x0 [ 0 ]eea7 [1 bit] = 0x0 [ 0 ]Spare Bits [1 bit] = 0x1 [ 1 ]eia1_128 [1 bit] = 0x1 [ 1 ]eia2_128 [1 bit] = 0x0 [ 0 ]eia3 [1 bit] = 0x0 [ 0 ]eia4 [1 bit] = 0x0 [ 0 ]eia5 [1 bit] = 0x0 [ 0 ]eia6 [1 bit] = 0x0 [ 0 ]eia7 [1 bit] = 0x0 [ 0 ]
075D010002C0C0
Continued…
Security Protected NAS Message Security Protected NAS Message PDU
Security header type [4 bits] = 0x3 [ 3 ]Protocol Discriminator [4 bits] = 0x7 [ 7 ]MAC = 0x0B4DAFA8 [ 189640616 ]Sequence Number = 0x00 [ 0 ]NAS message = 0x075D010002C0C0
370B4DAFA800075D010002C0C0
DL-DCCH-Message dlInformationTransfer
DL-DCCH-Message = message = c1 = dlInformationTransfer =
rrc-TransactionIdentifier = 0criticalExtensions = c1 = dlInformationTransfer-r8 =
dedicatedInfoType = dedicatedInfoNAS = 370B4DAFA800075D010002C0C0080069B85A6D7D40003AE80800160600
Source: 3GPP Conformance Test 8.1.2.1
LTE Security Signaling – NAS Security 2
©3G4G
UL-DCCH-Message ulInformationTransfer
UL-DCCH-Message = message = c1 = ulInformationTransfer =
criticalExtensions = c1 = ulInformationTransfer-r8 = dedicatedInformationType = dedicatedInfoNAS = 4794E585C000075E
480108F29CB0B80000EBC0
Security Protected NAS Message Security Protected NAS Message PDU
Security header type [4 bits] = 0x4 [ 4 ]Protocol Discriminator [4 bits] = 0x7 [ 7 ]MAC = 0x94E585C0 [ 2498069952 ]Sequence Number = 0x00 [ 0 ]NAS message = 0x075E [ 1886 ]
4794E585C000075E
Security Mode Complete Security Mode Complete PDU
Security header type [4 bits] = 0x0 [ 0 ]Protocol Discriminator [4 bits] = 0x7 [ 7 ]Message Type [8 bits] = 0x5E - Security Mode Complete [ 94 ]
075E
Security header type (octet 1)
8 7 6 50 0 0 0 Plain NAS message, not security protected
Security protected NAS message:0 0 0 1 Integrity protected0 0 1 0 Integrity protected and ciphered0 0 1 1 Integrity protected with new EPS security context (NOTE 1)0 1 0 0 Integrity protected and ciphered with new EPS security context (NOTE 2)
Non-standard L3 message:1 1 0 0 Security header for the SERVICE REQUEST message
1 1 0 1 These values are not used in this version of the protocol.to If received they shall be interpreted as '1100'. (NOTE 3)
1 1 1 1
All other values are reserved.
NOTE 1: This codepoint may be used only for a SECURITY MODE COMMAND message.NOTE 2: This codepoint may be used only for a SECURITY MODE COMPLETE message.NOTE 3: When bits 7 and 8 are set to '11', bits 5 and 6 can be used for future extensions of
the SERVICE REQUEST message.
Table 9.3.1: Security header type
3GPP TS 24.301 V10.10.0 (2013-03)
Source: 3GPP Conformance Test 8.1.2.1
LTE Security Signaling – RRC Security
©3G4G
DL-DCCH-Message securityModeCommand
DL-DCCH-Message = message = c1 = securityModeCommand =
rrc-TransactionIdentifier = 0criticalExtensions = c1 = securityModeCommand-r8 =
securityConfigSMC = securityAlgorithmConfig =
cipheringAlgorithm = eea0integrityProtAlgorithm = eia1
300010
PDCPDataReqPDU
PLANE = 1 (Control)SeqNum = 3
Data Packet = 30 00 10 65 3E 8C...03300010653E8C00
PDCPDataIndPDU
PLANE = 1 (Control)SeqNum = 4
Data Packet = 28 00 CC E1 31 D1042800CCE131D1
UL-DCCH-Message securityModeComplete
UL-DCCH-Message = message = c1 = securityModeComplete =
rrc-TransactionIdentifier = 0criticalExtensions = securityModeComplete-r8 =
2800
Source: 3GPP Conformance Test 8.1.2.1
Mapped Security (Applicable for PS Only)
©3G4G
1. No need for Authentication
2. Map security keys from
previous Authentication
LTE2G/3G
HLR/HSS/AuC
DATA
Logic
1. Performs Authentication
2. Performs security
Handover
or
Cell Re-selection
‘Native’ UTRAN to ‘Mapped’ E-UTRAN
Mapped Security (Applicable for PS Only)
©3G4G
‘Native’ E-UTRAN to ‘Mapped’ UTRAN
1. No need for Authentication
2. Map security keys from
previous Authentication
LTE2G/3G
HLR/HSS/AuC
DATA
Logic
1. Performs Authentication
2. Performs security
Handover
or
Cell Re-selection More details
Security Architecture Evolution
©3G4G
Core Network
MS / UE BTS / NodeB BSC / RNC / eNodeB MSC/SGSN/EPC
GSM
Handset Authentication
Ciphering (AN CP, UP)
GPRSHandset Authentication + Ciphering (AN CP, UP)
UMTS
Mutual Authentication
Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC)
LTE
Mutual Authentication
Ciphering (RRC / AN CP, UP) + Signalling Integrity (RRC) IPSec (Optional)
Ciphering (NAS) + Signalling Integrity (NAS)
AN – Access NetworkAS – Access StratumRRC – Radio Resource ControlNAS – Non-Access StratumCP – Control PlaneUP – User Plane
IPSec (Optional)
Summary of Algorithms for 2G, 3G & 4G
©3G4G
GSM GPRS UMTS LTE
AuthenticationAlgorithms
GSM Milenage GSM Milenage MilenageTUAK
MilenageTUAK
Integrity Algorithms UIA0 – NULL UIA1 – KasumiUIA2 – Snow3G
EIA0 – NULL EIA1 – Snow3G EIA2 – AES EIA3 – ZUC
Ciphering Algorithms
A5/1A5/2A5/3A5/4
GEA3GEA4
UEA0 - NULLUEA1 – KasumiUEA2 – Snow3G
EEA0 – NULL EEA1 – Snow3GEEA2 – AES EEA3 – ZUC
GSM Milenage - 3GPP TS 55.205, Milenage - 3GPP TS 35.206, TUAK - 3GPP TS 35.231, A5/3 & GEA3 - 3GPP TS 55.216, A5/4 & GE4 - 3GPP TS 55.226For other specifications see GSMA Security Algorithms
Further Reading Material
©3G4G
• 3GPP: Confidentiality Algorithms
• GSMA: Security Algorithms
• Netmanias
• LTE Security I: Concept and Authentication
• LTE Security II: NAS and AS Security
• 3G4G Website
• GSM, GPRS and EDGE
• 3G/UMTS Tutorials
• 3GPP LTE/SAE
• Security in Mobile Cellular Systems
• EventHelix:
• GSM, LTE, UMTS and IMS Call Flows
• LTE Security: Encryption and Integrity Protection Call Flows
Hacking: Papers, Talks, Materials
©3G4G
• The SS7 flaws that allows hackers to snoop on your calls and SMS
• Video: LTE & IMSI Catcher Myths - by Ravishankar Borgaonkar & Altaf Shaik & N. Asokan& Valtteri Niemi & Jean-Pierre Seifert
• Video: Understanding IMSI Privacy - By Ravishankar Borgaonkar and Swapnil Udar
• Video: Femtocells: A Poisonous Needle in the Operator's Hay Stack - Ravishankar Borgaonkar, Kevin Redon and Nico Golde
• Breaking Band - reverse engineering and exploiting the shannon baseband
• Huawei: Security Advisory - UE Measurement Leak Vulnerability in Huawei P8 Phones
• LTE protocol exploits – IMSI catchers, blocking devices and location leaks - Roger PiquerasJover
• WiFi-Based IMSI Catcher
• ‘Small Cells’ and the City
• Long Term Exploitation: “Baseband security? 4Get about it.”
3GPP Specifications
©3G4G
• 3GPP TS 33.102: 3G Security; Security architecture
• 3GPP TS 33.401: 3GPP System Architecture Evolution (SAE); Security architecture
• 3GPP TS 23.401: General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network (E-UTRAN) access
• 3GPP TS 36.323: E-UTRA; Packet Data Convergence Protocol (PDCP) specification
• 3GPP TS 25.331: UTRA RRC Protocol Specification
• 3GPP TS 36.331:E-UTRA RRC Protocol specification
• 3GPP TS 24.008: Mobile Radio Interface Layer 3 specification; Core Network Protocols; Stage 3
• 3GPP TS 24.301: Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3
Thank You
To learn more, visit:
3G4G Website – http://www.3g4g.co.uk/
3G4G Blog – http://blog.3g4g.co.uk/
3G4G Small Cells Blog – http://smallcells.3g4g.co.uk/
Operator Watch - http://operatorwatch.3g4g.co.uk/
Follow us on Twitter: https://twitter.com/3g4gUK
Follow us on Facebook: https://www.facebook.com/3g4gUK/
Follow us on Linkedin: https://www.linkedin.com/company/3g4g
Follow us on Slideshare: https://www.slideshare.net/3G4GLtd
Follow us on Youtube: https://www.youtube.com/3G4G5G
Follow us on Storify: https://storify.com/3g4gUK
©3G4G
