Cryptography in Public Wireless Networks
![Page 1: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/1.jpg)
Cryptography in Public Wireless Networks
Mats Näslund
Communication Security Lab
Ericsson Research
Feb 27, 2004
![Page 2: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/2.jpg)
Outline
• Overview of GSM Cryptography
• Some possible “attacks” on GSM
• Overview of WLAN Cryptography
• How problems in one technology can spread to another
• How can you in practice fix a crypto problem when thousands of devices are out there
• Overview of “3G” UMTS Cryptography
![Page 3: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/3.jpg)
GSM Security Overview
![Page 4: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/4.jpg)
History – GSM Security
• Use of a smart card SIM – Subscriber Identity Module, tamper resistant device containing critical subscriber information, e.g. 128-bit key shared with Home Operator
• SIM is the entity which is authenticated, basis for roaming
• Initial GSM algorithms (were) not publicly available and under the control of GSM-A, new (3G) algorithms are open
• GSM ciphering on “first hop” only: stream ciphers using 54/64 bit keys, future 128 bits
• One-sided challenge-response authentication
• Basic user privacy support (“pseudonyms”)
• No integrity/replay protection
GSM crypto is probably (one of) the most frequently used crypto in the world.
![Page 5: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/5.jpg)
History – GSM Security: Access security
(Diagram: Phone – Radio Base Station (RBS) – Base Station Controller – MSC / SGSN)
CS - Confidentiality: A5/1, A5/2, A5/3 (new, open)
GPRS - Confidentiality: GEA1, GEA2, GEA3 (new, open)
Authentication: A3 Algorithm
![Page 6: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/6.jpg)
GSM Authentication: Overview
(Diagram: Phone holding Ki – RBS – MSC/VLR in the Visited Network; AuC/HLR holding Ki in the Home Network)
MSC/VLR → AuC/HLR: Req(IMSI)
AuC/HLR → MSC/VLR: RAND, XRES, Kc
MSC/VLR → Phone: RAND
Phone → MSC/VLR: RES
MSC/VLR: RES = XRES ?
RBS side: RAND, Kc
![Page 7: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/7.jpg)
GSM Authentication: Details
A3 and A8: Authentication and key derivation (proprietary). A5: encryption (A5/1-4, standardized)
(Diagram: the SIM holds Ki (128 bits); RAND (128 bits) goes into A3 → RES (32 bits) and into A8 → Kc (64 bits); the phone feeds Kc and the frame# into A5/x to produce the encrypted frame carrying data/speech over the radio i/f to the Radio Base Station)
(No network authentication, no integrity/replay protection)
![Page 8: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/8.jpg)
Cryptographic Transforms in Wireless
Wireless is subject to
• limited bandwidth
• bit-errors (up to 1% RBER)
As consequence, most protocols:
• use stream ciphers (no padding, no error-propagation)
• do not use integrity protection (data expansion, loss)
![Page 9: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/9.jpg)
GSM Encryption I: A5/1
(Diagram: three LFSRs L1, L2, L3, each with a clock-control bit cc; output = XOR of the three register outputs)
“shift Li if middle bit of Li agrees with majority of middle bits in L1 L2 L3”
Sizes: 23, 22, 19 bit (i.e. 64 bit keys)
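The clock-control rule and register sizes on this slide are almost the whole cipher; the generator below is an added example (mine, not from the deck or from Ericsson) of A5/1 in Python. The feedback taps, clocking-bit positions and the key/frame loading order are the publicly known ones and are not on the slide; the sample key and frame number are constructed. The majority function is written as ab + bc + ca over GF(2), the form the deck later uses for A5/2. It is a study implementation only, with no claim to constant time or to any real use.

```python
# Added example: A5/1 keystream generator from the public description of the
# cipher. Register lengths, feedback taps, clocking bits and the loading
# schedule are the well-known published values (not on the slide).

# (length, feedback taps, clocking "middle" bit) for R1, R2, R3
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))


def majority(a, b, c):
    """Boolean majority; equals a*b + b*c + c*a mod 2."""
    return (a & b) ^ (b & c) ^ (c & a)


def _step(reg, length, taps):
    """Shift one LFSR by one position, feeding back the XOR of its taps."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


def _clock(regs, irregular=True):
    """Clock the three registers. With irregular=True apply the majority rule:
    a register moves only if its clocking bit agrees with the majority."""
    if irregular:
        bits = [(r >> cb) & 1 for r, (_, _, cb) in zip(regs, REGS)]
        maj = majority(*bits)
        return [_step(r, n, taps) if b == maj else r
                for r, b, (n, taps, _) in zip(regs, bits, REGS)]
    return [_step(r, n, taps) for r, (n, taps, _) in zip(regs, REGS)]


def a51_keystream(kc: int, frame: int, nbits: int = 228) -> list[int]:
    """Return nbits of A5/1 keystream for a 64-bit key Kc and 22-bit frame number."""
    regs = [0, 0, 0]
    # 1. key bits (LSB first) XORed into bit 0 of every register, all clocked
    for i in range(64):
        regs = _clock(regs, irregular=False)
        regs = [r ^ ((kc >> i) & 1) for r in regs]
    # 2. frame number bits (LSB first), same way
    for i in range(22):
        regs = _clock(regs, irregular=False)
        regs = [r ^ ((frame >> i) & 1) for r in regs]
    # 3. 100 irregular clocks with the output discarded
    for _ in range(100):
        regs = _clock(regs)
    # 4. output: XOR of the top bit of each register after each irregular clock
    out = []
    for _ in range(nbits):
        regs = _clock(regs)
        out.append(((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1)
    return out


def xor_frame(bits: list[int], ks: list[int]) -> list[int]:
    """Stream-cipher a frame of bits; encryption and decryption are the same step."""
    return [b ^ k for b, k in zip(bits, ks)]


if __name__ == "__main__":
    # constructed sample key and frame number
    ks = a51_keystream(0x0123456789ABCDEF, 0x134)
    print("".join(map(str, ks[:32])), "...")
```

Because the output is the XOR of three register bits and every register is clocked by the same majority rule, the only secret state is the 64 key bits loaded in step 1; the frame number is public, which is why the deck can talk about attacks that need only a little known plaintext.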
![Page 10: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/10.jpg)
Status of A5/1
All Ax algorithms initially secret.
A5/1 ”leaked” in mid 90’s. A few attacks found.
[Biryukov, Wagner, Shamir 01]: 300Gb of precomputed data and 2s of known plaintext retrieve Kc in 1 min.
Little “sister”, A5/2 (reverse-engineered @Berkeley)
![Page 11: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/11.jpg)
GSM Encryption II: A5/2 (Export Version)
majority(a, b, c) = ab + bc + ca
![Page 12: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/12.jpg)
August 2003…
Let’s take a closer look…
![Page 13: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/13.jpg)
A5/2 (clock control)
R4 controls clocking
3 ”associated” bits, one per R1-R3
Ri (i = 1, 2, 3) is clocked iff its ”associated” bit agrees with majority of the 3 bits
(At least two clocked)
![Page 14: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/14.jpg)
The A5/2 Algorithm (details)
First, set all four Ri to zero.
1. Kc (64 bits) bitwise sequentially XORed onto each Ri
2. frame # (21 bits) bitwise sequentially XORed onto each Ri
3. Force certain bit in each Ri to ”1”
4. Run for 99 ”clocks” ignoring output
5. Run for 228 ”clocks” producing output
(These steps are exploited by the attack…)
![Page 15: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/15.jpg)
Idea behind the attack
A5/2 is highly ”linear”: it can be expressed as a linear equation system in 660 unknown 0/1 variables, of which 64 are Kc
If plaintext known, each 114-bit frame gives 114 equations
Only difference between frames is that the frame number increases by one.
After 6 frames (in reality only 4) we have > 660 equations and can solve!
If plaintext unknown, can still attack thanks to the redundancy of channel coding (SACCH has 227 redundant bits per each 4-frame message).
![Page 16: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/16.jpg)
Attack efficiency
Off-line stage (done once):
Storage for ”matrices”: approx 200MB
Pre-processing time: less than 3 hrs on a PC
On-line attack stage:
Requires 4-7 frames sent from UE on SACCH.
Retrieving Kc then takes less than 1 second.
Hardware requirement: normal PC and GSM capable receiver
![Page 17: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/17.jpg)
Consequence 1: Passive attacks in A5/2 Network (Eavesdropping)
(Diagram: 1 RAND, RES (and Kc); 2 Cipher start A5/2; a PC running the new attack on < 1 sec of traffic obtains Kc and the plaintext in < 1 sec)
![Page 18: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/18.jpg)
Consequence 2: Active attacks in any Network (False base-station/man-in-the-middle attacks)
(Diagram, messages numbered as on the slide: 1 RAND; 2 RAND; 3 RES; 4 RES; 5 Cipher start A5/1; 6 Cipher start A5/2; 7 Attack: Kc; 8 Cipher stop; 9 Cipher start A5/1)
![Page 19: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/19.jpg)
Consequence 3: Passive + Active attack
(Diagram: a session with 1 RAND, RES (and Kc) and 2 Cipher start A5/1 is recorded; later the same 1 RAND, RES (and Kc) is used with 2 Cipher start A5/2, which yields Kc)
![Page 20: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/20.jpg)
WLAN (IEEE 802.11b) Security Overview
![Page 21: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/21.jpg)
Wireless LAN (802.11b, WEP) Security
(Diagram: key k (40-104 bits, network fixed!) and IV (24 bits, random/per packet) are fed to RC4 → keystream; msg || CRC(msg) XORed with the keystream → cipher)
IV will repeat: for sure after 2^24 msgs, after 5000 msgs (average) → “two-time pad”
![Page 22: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/22.jpg)
WLAN Security Problem No 2: CRC is linear: CRC(msg ⊕ δ) = CRC(msg) ⊕ CRC(δ), and so is any stream cipher: Encr(k, msg ⊕ δ) = Encr(k, msg) ⊕ δ
(Diagram: Alice sends c = (m || CRC(m)) ⊕ keystream; Eve forms c’ = c ⊕ (δ || CRC(δ)); Bob decrypts c’ to m ⊕ δ with a CRC that still checks)
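Both weaknesses of the last two slides, IV reuse and a linear checksum under a stream cipher, can be checked in a few lines; the block below is an added example and not the speaker's code. It uses Python's zlib CRC-32, which is affine rather than strictly linear (an extra constant that depends only on the length, cancelled by XORing in the CRC of an all-zero string), a constructed stand-in keystream in place of RC4(IV || k), and then the hardened form: a keyed MAC (HMAC-SHA-256, a choice of mine) under the same stream cipher, which rejects the modification the CRC lets through.

```python
# Added example: birthday bound for the 24-bit IV, CRC-32 linearity, and the
# same bit flip tested against a CRC "ICV" and against a keyed MAC.
import hashlib
import hmac
import math
import zlib


def expected_msgs_until_iv_repeat(iv_bits: int = 24) -> float:
    """Average number of random IVs drawn before the first repeat,
    sqrt(pi * 2^n / 2); about 5100 for n = 24 (the slide's ~5000)."""
    return math.sqrt(math.pi * (1 << iv_bits) / 2)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def crc32_is_affine(m: bytes, delta: bytes) -> bool:
    """zlib's CRC-32 satisfies CRC(m ^ d) == CRC(m) ^ CRC(d) ^ CRC(0...0):
    linear up to a length-dependent constant, so differences propagate predictably."""
    zeros = bytes(len(m))
    return zlib.crc32(xor_bytes(m, delta)) == zlib.crc32(m) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


# --- WEP-style: stream cipher over msg || CRC(msg) ----------------------------
# `keystream` is a constructed stand-in for RC4(IV || k); any stream cipher
# behaves the same way under XOR.

def crc_protect(keystream: bytes, msg: bytes) -> bytes:
    return xor_bytes(msg + crc32_le(msg), keystream)


def crc_unprotect(keystream: bytes, c: bytes):
    """Receiver: return the message if the CRC check passes, else None."""
    p = xor_bytes(c, keystream)
    msg, icv = p[:-4], p[-4:]
    return msg if crc32_le(msg) == icv else None


def crc_check_survives_flip(keystream: bytes, msg: bytes, delta: bytes):
    """Apply the slide's c' = c ^ (delta || CRC(delta)) and report what the
    receiver accepts: the altered message if the CRC still verifies, else None."""
    c = crc_protect(keystream, msg)
    # the affine constant is cancelled by also XORing in CRC(0...0)
    pad = xor_bytes(crc32_le(delta), crc32_le(bytes(len(msg))))
    return crc_unprotect(keystream, xor_bytes(c, delta + pad))


# --- Hardened form: a keyed MAC instead of a CRC ------------------------------

def mac_protect(key: bytes, keystream: bytes, msg: bytes) -> bytes:
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return xor_bytes(msg + tag, keystream)


def mac_unprotect(key: bytes, keystream: bytes, c: bytes):
    p = xor_bytes(c, keystream)
    msg, tag = p[:-32], p[-32:]
    expect = hmac.new(key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(expect, tag) else None


def mac_check_survives_flip(key: bytes, keystream: bytes, msg: bytes, delta: bytes):
    """Same flip against the MAC-protected frame; a keyed, non-linear tag
    cannot be adjusted without the key, so the receiver returns None."""
    c = mac_protect(key, keystream, msg)
    return mac_unprotect(key, keystream, xor_bytes(c, delta + bytes(32)))
```

The keystream stand-in must be at least as long as the frame plus its tag; in the test it is 64 bytes of hashed constant, which is enough for the 10-byte sample message. The point a reviewer should take away is that the ICV is a transmission-error check, not an integrity check: only a key the attacker lacks makes the tag unforgeable.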
![Page 23: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/23.jpg)
WLAN Security Problem No 3
RC4 has only one “input”, the key (no separate IV input). This is “solved” by appending: IV || k is used as the RC4 key.
[Fluhrer, Mantin, Shamir, 2001]: The first bits of the RC4 key have significant “influence” on the RC4 output. Even if k is 1000 bits, knowing IVs makes it possible to break the WLAN encryption.
![Page 24: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/24.jpg)
WLAN Security Problem No 4
Authentication protocol: (Diagram: the network sends a challenge chall; the station answers res = chall ⊕ keystream, where keystream = RC4(k, IV); the network checks that chall ⊕ keystream = res)
Observing a single “authentication” enables impersonation…
![Page 25: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/25.jpg)
WLAN-Cellular Interworking Architecture
(Diagram: a “HOTSPOT” WLAN (APs, WRAN, WSN/FA) reaches the Internet/Intranet and, via Radius/Diameter over IP, a Proxy AAA in the 3GPP Visited Network and the AAA/HSS (HLR, AuC) in the 3GPP Home Network; the cellular side shows UTRAN (Node B, RNC) – Iu – SGSN – Gn – GGSN/FA, with Gr (MAP) towards the HLR; paths carrying signalling and user data are distinguished from signalling-only paths; subscriber management and charging/billing sit in the home network; the terminal uses its SIM e.g. over Bluetooth or a SIM reader)
Motive: Mobile operators want to offer “hot-spots” for subscriber base.
![Page 26: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/26.jpg)
WLAN/GSM Interworking Problems
GSM Security is not perfect, but “astronomically” better than WLAN (WEP). Can SIM re-use in WLAN threaten also GSM (and conversely)?
WLAN improvements under way, but will take some time.
Major GSM upgrades not feasible (expensive, and we will soon have 3G anyway…)
![Page 27: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/27.jpg)
Security Placement in Protocol Stack
(Diagram of the stack: L1 (physical), L2 (media access control), L3 (networking), L4 (transport), L5 (application); GSM sec and WLAN sec sit at the lower layers, “IPsec” at L3, “TLS/SSL” above it)
Fix by “gluing” on higher layers, invisible to lower layers
Security problems, risk of bad “interaction”
![Page 28: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/28.jpg)
Problem 1: Bad WLAN Encryption/Integrity
Awaiting WLAN fix, use e.g. IPsec and keys derived from SIM
![Page 29: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/29.jpg)
Problem 2: Key Material Need
SIM can only provide one 64-bit key, good encryption + integrity might need e.g. 256 bits.
Solution: bootstrap on top of SIM procedure
(Diagram: Network → SIM/Terminal: RAND1, RAND2, …; the terminal derives K1 = f(A8(RAND1)), K2 = f(A8(RAND2)), …)
f, one-way function, avoids possibly weak A8 variants
![Page 30: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/30.jpg)
Problem 2: WLAN Replay Attacks
Anybody can put up a “fake” WLAN AP at a very modest cost.
Record-GSM-then-WLAN-replay attacks possible.
Network authentication must be added.
(Diagram: SIM/Terminal → Network: RAND0; Network → SIM/Terminal: RAND1, RAND2, …, MAC(k, RAND0, …); the terminal derives K1 = f(A8(RAND1)), K2 = f(A8(RAND2)), … and checks the MAC)
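The bootstrap of the last two slides, written out as added example code (mine, not the deck's). A3 and A8 are operator-proprietary, so HMAC-SHA-256 under Ki stands in for them; SHA-256 stands in for the one-way function f; the key k under which the network's MAC is computed is assumed to be the derived key material itself; and RAND0 is the terminal's per-run nonce, which is what turns a recorded GSM exchange into something a fake AP cannot replay.

```python
# Added example: key expansion from several SIM challenges plus network
# authentication over the terminal's nonce. A3/A8/f are constructed stand-ins.
import hashlib
import hmac
import os


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit RES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def f(kc: bytes) -> bytes:
    """One-way function over Kc, so a weak A8 variant does not expose the
    derived key material directly (SHA-256 here, a stand-in for the slide's f)."""
    return hashlib.sha256(b"f" + kc).digest()[:8]


def derive_keys(ki: bytes, rands: list) -> bytes:
    """K1 = f(A8(RAND1)), K2 = f(A8(RAND2)), ... concatenated: n RANDs give 64*n bits."""
    return b"".join(f(a8(ki, r)) for r in rands)


def net_mac(k: bytes, rand0: bytes, rands: list) -> bytes:
    """The network's proof that it knows k (and so Ki), bound to the terminal's RAND0."""
    return hmac.new(k, b"net" + rand0 + b"".join(rands), hashlib.sha256).digest()


class Network:
    def __init__(self, ki: bytes):
        self.ki = ki            # stands in for the triplets the AuC would supply
        self.expected_res = None

    def challenge(self, rand0: bytes, n: int = 4):
        rands = [os.urandom(16) for _ in range(n)]
        k = derive_keys(self.ki, rands)
        self.expected_res = [a3(self.ki, r) for r in rands]
        return rands, net_mac(k, rand0, rands)

    def verify(self, res_list) -> bool:
        return res_list == self.expected_res


class Terminal:
    def __init__(self, ki: bytes):
        self.ki = ki
        self.rand0 = None

    def start(self) -> bytes:
        self.rand0 = os.urandom(16)     # fresh per run: the replay defence
        return self.rand0

    def respond(self, rands, mac):
        """Answer only after the network has proven itself for this RAND0."""
        k = derive_keys(self.ki, rands)
        if not hmac.compare_digest(net_mac(k, self.rand0, rands), mac):
            return None, None           # unauthenticated or replayed challenge
        return [a3(self.ki, r) for r in rands], k


def run_bootstrap(ki: bytes, n: int = 4):
    """Full run; returns the 64*n-bit key material or None on failure."""
    term, net = Terminal(ki), Network(ki)
    rands, mac = net.challenge(term.start(), n)
    res, k = term.respond(rands, mac)
    return k if res is not None and net.verify(res) else None


def replay_is_rejected(ki: bytes, n: int = 4) -> bool:
    """A fake AP replays a recorded (RANDs, MAC) to a terminal that chose a new RAND0."""
    victim = Terminal(ki)
    recorded = Network(ki).challenge(victim.start(), n)   # genuine run, recorded
    victim.start()                                        # new session, new RAND0
    res, _ = victim.respond(*recorded)
    return res is None
```

With n = 4 the terminal ends up with 256 bits, the figure the slide gives as what good encryption plus integrity might need; the terminal never releases RES until the MAC over its own RAND0 has verified, so a recorded exchange is useless against a later session.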
![Page 31: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/31.jpg)
Problem 3: GSM Replay Attacks
GSM has no replay protection either.
Record-WLAN-then-GSM-replay attacks possible.
Too expensive to add GSM network authentication.
Previous A5/2 problems must be fixed (As seen, also needed for GSM security as such)
![Page 32: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/32.jpg)
Ideas for GSM (A5/2) Improvements
![Page 33: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/33.jpg)
Requirements
There are millions of mobile phones and SIMs and thousands of network side equipment that potentially need upgrades to fix A5/2 problems. Need to affect as little as possible.
Recall the “security-relevant” nodes:
(Diagram: RBS and MSC/VLR in the Visited Network; AuC/HLR in the Home Network)
![Page 34: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/34.jpg)
Possible fix I
(Diagram: 1 RAND, RES (and Kc); 2 Cipher start A5/x)
Home net (HLR/AuC) signals ”special RAND” (fixed 32-bit prefix) and algorithm policy in RAND: A5/x allowed iff xth bit of RAND = 1
+ Simple (Home net+phone)
- 40 bits of RAND ”stolen”, impact on security?
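A phone-side reading of fix I as an added example (not from the deck or GSM-A): the 32-bit prefix value is a placeholder, the 8 policy bits are placed directly after it so that, as the slide counts, 40 bits of RAND are used up, and how a phone should treat a RAND without the prefix is not on the slide, so it is a parameter here.

```python
# Added example: "special RAND" carrying an algorithm policy from the home
# network, and the phone's check on a Cipher start command.
import os

# placeholder 32-bit marker; a real value would be fixed by the standard
PREFIX = bytes.fromhex("deadbeef")


def make_special_rand(allowed: set) -> bytes:
    """Home network (HLR/AuC): 128-bit RAND = 32-bit prefix || 8 policy bits || 88 random bits.
    Bit x of the policy byte set means A5/x is allowed (x = 1..7 here)."""
    policy = 0
    for x in allowed:
        if not 0 <= x < 8:
            raise ValueError("algorithm index must fit in one policy byte")
        policy |= 1 << x
    return PREFIX + bytes([policy]) + os.urandom(11)


def allowed_algorithms(rand: bytes):
    """Phone: the policy set if RAND carries the prefix, else None (no policy)."""
    if len(rand) != 16 or rand[:4] != PREFIX:
        return None
    return {x for x in range(8) if (rand[4] >> x) & 1}


def accept_cipher_start(rand: bytes, x: int, legacy_ok: bool = True) -> bool:
    """Phone-side decision on 'Cipher start A5/x': allowed iff bit x of the
    policy is set. What to do with an old-style RAND is an assumption:
    legacy_ok=True keeps today's behaviour, False refuses."""
    policy = allowed_algorithms(rand)
    if policy is None:
        return legacy_ok
    return x in policy


def entropy_bits_left(rand_bits: int = 128, prefix_bits: int = 32, policy_bits: int = 8) -> int:
    """The slide's open question in numbers: 128 - 40 = 88 unpredictable bits remain."""
    return rand_bits - prefix_bits - policy_bits
```

The simplicity is real (only the home network and the phone change), and the cost is also visible: the prefix must be long enough that a random RAND is vanishingly unlikely to look special, and the bits spent on it no longer contribute to the challenge.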
![Page 35: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/35.jpg)
Possible fix II (Ericsson)
+ Simple (visited net+phone)
+ Security ”understood”, key separation
- Relies more on visited net
(Diagram: RAND → SIM → Kc; in the phone, Kc and the algorithm identifier Alg_idf are combined by a new algorithm A5/x’ before A5/x encrypts the frames, giving each A5/x its own separated key; output: encr frame)
![Page 36: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/36.jpg)
UMTS Security Overview
![Page 37: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/37.jpg)
3G Security – UMTS, Improvements to GSM
• Mutual Authentication with Replay Protection
• Protection of signalling data
– Secure negotiation of protection algorithms
– Integrity protection and origin authentication
– Confidentiality
• Protection of user data payload
– Confidentiality
• “Open” algorithms (block-ciphers) basis for security
– AES for authentication and key agreement
– Kasumi for confidentiality/integrity
• Security level (key sizes): 128 bits
• Protection further into the network
![Page 38: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/38.jpg)
UMTS – Security
(Diagram: Node B – Radio Network Controller – MSC / SGSN; Integrity & Confidentiality: UIA & UEA algorithms (based on KASUMI))
![Page 39: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/39.jpg)
UMTS – Authentication and Key Agreement (AKA)
(Diagram, same layout as for GSM: Phone holding Ki – RBS – MSC/VLR in the Visited Network; AuC/HLR holding Ki in the Home Network)
MSC/VLR → AuC/HLR: Req(IMSI)
AuC/HLR → MSC/VLR: RAND, XRES, CK, IK, AUTN
MSC/VLR → Phone: RAND, AUTN
Phone → MSC/VLR: RES
MSC/VLR: RES = XRES ?
AUTN allows check of authenticity and “freshness”; IK is the integrity protection key.
Looks a lot like GSM, but…
![Page 40: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/40.jpg)
UMTS AKA Algorithms
(Diagram: Ki and RAND into Ek = AES produce AUTN, XRES, CK, IK)
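As an added illustration (not part of the deck) of what AUTN adds over a GSM triplet: constructed stand-ins for the AKA functions f1–f5 (HMAC-SHA-256 under Ki rather than the AES-based functions the slide refers to), an AuC that builds AUTN = (SQN ⊕ AK) || AMF || MAC, and a USIM that refuses a challenge whose MAC does not verify or whose sequence number is not fresh. The AMF value and the field widths follow the 3GPP layout as I recall it and should be treated as assumptions; a GSM phone, by contrast, receives only RAND and has nothing to check.

```python
# Added example: UMTS AKA with AUTN freshness/authenticity checks.
# f1..f5 are constructed stand-ins, not MILENAGE.
import hashlib
import hmac


def _f(ki: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    return hmac.new(ki, label + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(ki, rand, sqn, amf): return _f(ki, b"f1", rand, sqn, amf, n=8)   # MAC-A, 64 bits
def f2(ki, rand): return _f(ki, b"f2", rand, n=8)                        # RES / XRES
def f3(ki, rand): return _f(ki, b"f3", rand, n=16)                       # CK, 128 bits
def f4(ki, rand): return _f(ki, b"f4", rand, n=16)                       # IK, 128 bits
def f5(ki, rand): return _f(ki, b"f5", rand, n=6)                        # AK, 48 bits


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


AMF = b"\x80\x00"   # assumed 16-bit authentication management field


def auc_quintet(ki: bytes, sqn: int, rand: bytes):
    """Home network (AuC): RAND, XRES, CK, IK, AUTN for sequence number sqn.
    AUTN = (SQN xor AK) || AMF || MAC; AK conceals SQN from eavesdroppers."""
    sqn_b = sqn.to_bytes(6, "big")
    autn = xor(sqn_b, f5(ki, rand)) + AMF + f1(ki, rand, sqn_b, AMF)
    return rand, f2(ki, rand), f3(ki, rand), f4(ki, rand), autn


class USIM:
    def __init__(self, ki: bytes):
        self.ki = ki
        self.sqn_seen = -1      # highest sequence number accepted so far

    def respond(self, rand: bytes, autn: bytes):
        """Check the network's MAC (authenticity) and SQN (freshness) before
        answering. Returns (RES, CK, IK) or None."""
        sqn_b = xor(autn[:6], f5(self.ki, rand))
        amf, mac = autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1(self.ki, rand, sqn_b, amf)):
            return None                     # not from a network that knows Ki
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_seen:
            return None                     # replayed or stale challenge
        self.sqn_seen = sqn
        return f2(self.ki, rand), f3(self.ki, rand), f4(self.ki, rand)


def visited_network_check(res: bytes, xres: bytes) -> bool:
    """MSC/VLR only compares RES with XRES, exactly as in GSM."""
    return hmac.compare_digest(res, xres)


def aka_run(ki: bytes, sqn: int, rand: bytes, usim: USIM):
    """One AKA exchange; returns (CK, IK) on success, else None."""
    rand, xres, ck, ik, autn = auc_quintet(ki, sqn, rand)
    out = usim.respond(rand, autn)
    if out is None:
        return None
    res, ck2, ik2 = out
    return (ck, ik) if visited_network_check(res, xres) and (ck, ik) == (ck2, ik2) else None
```

The visited network's part is unchanged from GSM; the freshness and network-authentication properties live entirely in the AUTN field that the home network computes and the USIM verifies, which is why the slide can say it "looks a lot like GSM, but…".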
![Page 41: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/41.jpg)
UMTS Encryption: UEA/f8
(Diagram: CK (128 bits) keys Kasumi; the 64-bit block COUNT || BEARER || DIR || 0…0 is first encrypted into a “masked” offset m (const); for c = 1, 2, …, B each keystream block is Kasumi applied to m combined with the counter c and the previous block)
“Provably” secure under assumptions on Kasumi
“Masked” offset avoids known input/output pairs
“Counter” avoids short cycles
![Page 42: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/42.jpg)
Inside Kasumi (actually: MISTY)
(Diagram: Feistel network on two 32-bit halves, 8 rounds of FO under the key k; FO is 3 rounds of FI on 16-bit halves; FI is built from the S9 and S7 S-boxes acting on 9-bit and 7-bit parts)
![Page 43: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/43.jpg)
UMTS Integrity Protection: UIA/f9
(Diagram: IK keys Kasumi; the blocks COUNT || FRESH, M1, M2, …, MB are chained through Kasumi as in CBC-MAC, and a final Kasumi call on the combined value m’ gives the MAC (left 32 bits); a variant of CBC-MAC)
(Used only on signaling, not on user data)
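The f8 and f9 constructions of the UEA/f8 and UIA/f9 slides, assembled in Python as an added example (not 3GPP's or the speaker's code). A SHA-256-based keyed function on 64-bit blocks stands in for KASUMI, so the outputs bear no relation to real UEA1/UIA1 keystreams or tags; the mask constants KM (0x55… for f8, 0xAA… for f9), the 26 zero bits after DIRECTION in the f8 input block, and the f9 padding DIRECTION || 1 || 0* are from my recollection of the 3GPP specification and are assumptions here. What the block does show is the structure the slides describe: a masked offset so that no plaintext/ciphertext pair of the block cipher is ever known, a counter term against short cycles, and a CBC-MAC-like chain whose tag is truncated to 32 bits.

```python
# Added example: f8 (keystream) and f9 (MAC) layouts with a stand-in for KASUMI.
import hashlib

BLOCK = 8  # KASUMI is a 64-bit block cipher with a 128-bit key


def kasumi_standin(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for KASUMI: a keyed pseudorandom function on 64-bit
    blocks built from SHA-256. Same key/block sizes, none of the structure."""
    assert len(key) == 16 and len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def f8_keystream(ck: bytes, count: int, bearer: int, direction: int, nbytes: int) -> bytes:
    """f8 layout: A = E_{CK xor KM}(COUNT || BEARER || DIR || 0...0), then
    KSB_i = E_CK(A xor BLKCNT_{i-1} xor KSB_{i-1}) with KSB_0 = 0.
    A is the "masked offset", BLKCNT the "counter" of the slide."""
    km = bytes([0x55]) * 16
    # COUNT (32 bits) || BEARER (5) || DIRECTION (1) || 26 zero bits
    iv = ((count << 32) | (bearer << 27) | (direction << 26)).to_bytes(8, "big")
    a = kasumi_standin(xor(ck, km), iv)
    ks, ksb = b"", bytes(BLOCK)
    for i in range(1, (nbytes + BLOCK - 1) // BLOCK + 1):
        blkcnt = (i - 1).to_bytes(8, "big")
        ksb = kasumi_standin(ck, xor(xor(a, blkcnt), ksb))
        ks += ksb
    return ks[:nbytes]


def f8(ck: bytes, count: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the f8 keystream."""
    return xor(data, f8_keystream(ck, count, bearer, direction, len(data)))


def f9(ik: bytes, count: int, fresh: int, direction: int, message: bytes) -> bytes:
    """f9 layout: CBC-MAC-like chain over COUNT || FRESH || MESSAGE || DIR || 1 || 0*,
    XOR-accumulating every chaining value, one final call under IK xor KM,
    tag = left 32 bits."""
    km = bytes([0xAA]) * 16
    ps = (count.to_bytes(4, "big") + fresh.to_bytes(4, "big") + message
          + bytes([(direction << 7) | 0x40]))       # DIRECTION bit, then the '1' bit
    ps += bytes(-len(ps) % BLOCK)                   # zero bits up to a block boundary
    a, b = bytes(BLOCK), bytes(BLOCK)
    for off in range(0, len(ps), BLOCK):
        a = kasumi_standin(ik, xor(a, ps[off:off + BLOCK]))
        b = xor(b, a)
    return kasumi_standin(xor(ik, km), b)[:4]
```

COUNT, BEARER and DIRECTION in f8, and COUNT and FRESH in f9, are what prevent keystream and tag reuse across frames and directions under the same CK/IK; any two calls that differ in one of them produce unrelated output, which the test checks for the counter and the direction bit.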
![Page 44: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/44.jpg)
Comparison of Security Mechanisms
| | GSM | GSM | GPRS | GPRS | WCDMA |
|---|---|---|---|---|---|
| Confidentiality | | | | | |
| - Algorithm | A5/1 & A5/2 | A5/3 | GEA1 & GEA2 | GEA3 | UEA (f8) |
| - Key length | 64 (54) | 64 (128) | 64 (40) | 64 (128) | 128 |
| - Public review | No | “Yes” | No | No | Yes |
| - Signalling | Yes | Yes | Yes | Yes | Yes |
| - User data | Yes | Yes | Yes | Yes | Yes |
| - Deployed | Yes | No | Yes | No | ongoing |
| Integrity | | | | | |
| - Algorithm | - | - | - | - | UIA (f9) |
| - Key length | - | - | - | - | 128 |
| - Tag length | - | - | - | - | 32 |
| - Public review | - | - | - | - | Yes |
| - Signalling | - | - | - | - | Yes |
| - User data | - | - | - | - | No |
| - Deployed | - | - | - | - | ongoing |
![Page 45: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/45.jpg)
Any Public Key Techniques?
So far, only mentioned symmetric crypto, but public key is also used, typically for key-exchange (RSA, Diffie-Hellman, elliptic curves…):
• on “application level”, e.g. WAP
• for inter-operator signaling traffic
In general, too heavy for “bulk” use.
![Page 46: Cryptography in Public Wireless Networks](https://reader036.fdocuments.us/reader036/viewer/2022062304/56812d00550346895d91d7fd/html5/thumbnails/46.jpg)
Summary
• Despite some recent attacks on GSM security, “2G” security is so far pretty much a success story. Main reason: convenience and invisibility to user
• Insecurity in one system can affect another when interacting
• “Fixing” bad crypto is easier said than done, practical cost is an issue
• “3G” crypto significantly more open and well-studied → higher confidence
The End