Post on 14-Dec-2015
Network Security: Cellular Security
Tuomas AuraT-110.5241 Network security
Aalto University, Nov-Dec 2014
2
OutlineCellular networks, 3GCounters for freshnessUMTS AKA and session protocols
Cellular networks
6
UMTS architectureUMTS terrestrial radio network (UTRAN)
Home location register HLR / Authentication center AuC
Base station BS = Node B
BS
BS
Terminal
Public switched telephone network
PSTN
CS domain
MSC
MSC
Serving GPRS support node (SGRN)
Internet
Radio network controller RNC
Mobile switching center MSC /
Visitor location register VLR
Core network
PS domain
IMS domain etc.
7
Threats against cellular networksDiscussion: What are the threats?
Charging fraud, unauthorized use Charging disputesHandset cloning (impersonation attack)
→ multiple handsets on one subscription→ let someone else pay for your calls
Voice interception → casual eavesdropping and industrial espionageLocation trackingCall and location data retention Handset theftHandset unlocking (locked to a specific operator)Network service disruption (DoS)What about integrity?
Security architectureHome location register (HLR) of the subscriber’s home operator keeps track of the mobile’s locationVisitor location register (VLR) keeps track of roaming (visiting) mobiles at each networkSIM card has a globally unique international mobile subscriber identifier (IMSI)
Shorter, temporary identifier TMSI allocated by the current network
Shared key between SIM and authentication center (HRL/AuC) at the home network
Only symmetric cryptography
VLR of the visited network obtains authentication tuples (triplets in 2G) from AuC of the mobile’s home network and authenticates the mobile Main goals: authentication of the mobile for charging purposes, and encryption of the radio channel
GSM security (2G)
We’ll start with the GSM protocol because its is so simple. It is easier to understand the 3G security protocol by following the historical development. Besides, the networks and phones are still backward compatible.
10
GSM authentication
Encryption with Kc
HLR/AuCMSC/VLRMS =
ME + SIM
IMSI
Challenge: RAND
Response: RES
RES = SRES ?
KiKi
SRES = A3 (Ki, RAND)Kc = A8 (Ki, RAND)
On or more authentication triplets:
< RAND, SRES, Kc >
IMSI or TMSI
RES = A3 (Ki, RAND)Kc = A8 (Ki, RAND)
BS
Kc
TMSI
!
11
GSM authenticationAlice-and-Bob notation:1. Network → MS: RAND2. MS → Network: A3 (Ki, RAND)Ki = shared master key between SIM and AuCKc = A8 (Ki, RAND) = session keyAfter authentication, BS asks mobile to turn on encryption on the radio interface
Kc is generated in the SIM, used by the mobile equipmentEncryption: A5 cipher with the key Kc
12
GSM securityMobile authenticated → prevents charging fraudEncryption on the air interface
→ No casual sniffing→ Encryption of signalling gives some integrity protection
Temporary identifier TMSI used instead of the globally unique IMSITMSI → not easy to track mobile with a passive radioHash algorithms A3, A8 can be replaced by home operator
AuC and SIM must use the same algorithms
Encryption algorithm A5 implemented in the phone and BSMany versions of the algorithm
Non-protocol features:Subscriber identity module (SIM) is separate from the handset → Flexibility → Thiefs and phone unlockers don’t even try to break the SIM International mobile equipment identity (IMEI) to track stolen devices
Counters for freshness
15
Using counters for freshnessSimple shared-key authentication with nonces:1. A → B: NA
2. B → A: NB, MACK(Tag2, A, B, NA, NB)
3. A → B: MACK(Tag3, A, B, NA, NB)
K = master key shared between A and BSK = h(K, NA, NB)
Using counters can save one message or roundtrip:1. A → B:2. B → A: NB, SQN, MACK(Tag2, A, B, SQN, NB)
3. A → B: MACK(Tag3, A, B, SQN, NB)
SK = h(K, SQN, NB)
Another benefit: B can pre-compute message 2A must check that the counter always increases
16
Using countersCounters must be monotonically increasing
Absolutely never accept previously used valuesPersistent counter storage needed
Recovering from lost synchronization:Verifier can maintain a window of acceptable counter values to recover from message loss or reorderingNonce-based protocol for resynchronization if counters get badly out of sync
Counter values must not run out or wrap to zeroLimit the rate at which values can be consumedBut support bursts of activityUse long enough counter to last the equipment lifetime or lifetime of the shared key in use
UMTS (3G) authentication and key agreement (AKA)
The AKA protocol is used in 3G/4G networks
19
UMTS AKA (simplified)
Encryption and integrity protection with CK, IK
Network
Phone
RAND, AUTN [SQN, MAC]
RES
RES= XRES?
MAC = XMAC?
XMAC = f1 (K, RAND,SQN)RES = f2 (K, RAND)CK = f3 (K, RAND)IK = f4 (K, RAND)
K, SQN
K, SQN
MAC = f1 (K, RAND,SQN)XRES = f2 (K, RAND)CK = f3 (K, RAND)IK = f4 (K, RAND)
20
UMTS AKA (simplified)
Encryption and integrity protection with CK, IK
MSC/VLR AuCRNCPhone
IMSI
RAND, AUTN [SQN, MAC], XRES, CK, IK
RAND, AUTN [SQN, MAC]
RES
RES= XRES?
MAC = XMAC?
MAC = f1 (K, RAND,SQN)XRES = f2 (K, RAND)CK = f3 (K, RAND)IK = f4 (K, RAND)
K, SQN
K, SQN
CK, IK
MAC = f1 (K, RAND,SQN)XRES = f2 (K, RAND)CK = f3 (K, RAND)IK = f4 (K, RAND)
22
Encryption and integrity protection with CK, IK
MSC/VLR AuCRNCUE =
ME + USIM
MAP authentication data request: IMSI
User authentication request:RAND, AUTN [SQN⊕AK, AMF, MAC]
User authentication response: RES
RES= XRES?
MAC = XMAC?
MAC = f1 (K, RAND,SQN,AMF)XRES = f2 (K, RAND)CK = f3 (K, RAND)IK = f4 (K, RAND)AK = f5 (K, RAND)
K, SQN
K, SQN
RANAP security mode command: CK, IK
RRC security mode command
MAC = f1 (K, RAND,SQN,AMF)XRES = f2 (K, RAND)CK = f3 (K, RAND)IK = f4 (K, RAND)AK = f5 (K, RAND)
MAP authentication data response: one of more
authentication vectors<RAND, AUTN [SQN⊕AK, AMF,
MAC], XRES, CK, IK, AK>
UMTS AKA
!
26
RSQ Resynchronization
MSC/VLR AuCUE =
ME + USIM
IMSI
RAND, AUTN [SQN⊕AK, AMF, MAC], XRES, CK,IK,AK
RAND, AUTN [SQN⊕AK, AMF, MAC]
AUTS [ SQN⊕AK, MAC-S ]
MAC = XMAC?
MAC = f1 (K, RAND,SQN,AMF)AK = f5 (K, RAND)
K, SQN
K, SQN
SQN too high!MAC-S = f1* (K, RAND,SQN,AMF)
RAND, AUTS [ SQN⊕AK, MAC-S ]
Update stored SQN
Resynchronization needed if the sequence number gets out of sync between USIM and AuC.
32
Remaining UMTS security weaknesses
IMSI may still be sent in clear, when requested by base stationAuthentication tuples available to thousands of operators around the world, and all they can create fake base stationsEquipment identity IMEI still not authenticatedNon-repudiation for call and roaming charges is still based on server logs, not on public-key signaturesStill no end-to-end security
Thousands of legitimate radio network operators Any government or big business gain control of one and intercept calls at RNC
User authentication with mobile phone
33
34
Generic bootstrapping architecture (GBA)
The mobile operator provides an authentication service for the mobile subscriber to third parties e.g. to web-based servicesAuthentication is based on AKA and the secret key K in the USIM3GPP standard, implemented but not widely deployed
35
GBA architecture
Mobile operator functions for GBA:Home Subscriber Server (HSS) / AuC has the subscriber master key K, which is also in the USIM (=UICC)Bootstrapping Server Function (BSF) performs AKA to derive a session key Ks with the user equipment UE
Application server that wants to authenticate users with GBA:Implements the Network Application Function (NAF)Has a contract with the operator and typically pays for each authentication event
[Image source: Abu Shohel Ahmed 2010]
36
GBA message flow
[Image source: Abu Shohel Ahmed 2010]
37
Mobile signatureMobile signature service (MSS) = “mobile certificate”
Standardized by ETSICompeting idea with GBA
SIM card contains a public signature key pair and certificate, which is used to authenticate to third partiesYou can register as MSS use with any Finnish mobile operator (may require a new SIM card)
Use it e.g. at http://password.aalto.fi/
Detailed documentation: http://www.mobiilivarmenne.fi/en/, http://www.mobiilivarmenne.fi/documents/MSS_FiCom_Implementation_guideline_2.2.pdf
38
MSS message flowHome operator’s mobile signature service provider (MSSP) needed every time to send an authentication request to the SIMApplication provider (AP) can have a contract with one mobile operator, subscriber with another (four-corner model)
Cross-operator authentication works within Finland, not between countries
Typically, both subscriber and AP pay a fee for each authentication event [Image source: Ficom]
39
Text messages for authenticationAssumes that text messages cannot be interceptedGoogle, Microsoft etc. send a secret code to the user’s mobile phone for a second method of authentication (used in addition to a password)Banks send transaction details and a secret code to the phone (used in addition to the password and one-time passcode)
40
ExercisesWho could create false location traces in the GSM HLR and how? Is this possible in UMTS?Consider replacing the counter with the phone’s nonce in AKA. What would be lost?Try to design a protocol where the IMSI is never sent over the air interface, i.e. the subscriber identity is never sent in clear. Remember that the terminal may have just landed from an intercontinental flight, and the terminal does not know whether it has or notFind the current cost of an IMSI catcher and fake GSM/3G base station for intercepting callsUser authentication with GBA and MSS requires interaction with the operator. Could the protocols have been designed differently, to support offline authentication? In GBA and MSS, there is a concept called four-corner model. Tupas authentication follows the three-corner model. What do they mean? Can you find a link between roaming and the four-corner model.
41
Related readingGollmann, Computer security, 3rd ed. chaptes 19.2–19.3