GSM Attack 2

8/19/2019 GSM Attack 2

1/71

GSM and UMTS Security


2/71

Contents

• Introduction to mobile telecommunications

• Second generation systems - GSM security

• Third generation systems - UMTS security

• Focus is on security features for network

access


3/71


4/71

Cellular "adio #etwork $rchitecture

• "adio base stations form a %atchwork of radio cells o!er agi!en geogra%hic co!erage area

• "adio base stations are connected to switching centres !ia

fi&ed or microwa!e transmission links• Switching centres are connected to the %ublic networks

'fi&ed tele%hone network( other GSM networks( Internet(etc)*

• Mobile terminals ha!e a relationshi% with one homenetwork but may be allowed to roam in other visitednetworks when outside the home network co!erage area


5/71

Cellular "adio #etwork $rchitecture

Home

networkSwitching

and

routing

Other Networks

(GSM, fixed,Internet, etc.)

Interconnect

Radio ase station

!isited network

Roaming


6/71

ocation Management

• The network must know a mobile+s location so that incomingcalls can be routed to the correct destination

• ,hen a mobile is switched on( it registers its current location

in a Home Location Register (HLR) o%erated by themobile+s home o%erator

• $ mobile is always roaming( either in the home o%erator+sown network or in another network where a roaming

agreement e&ists with the home o%erator• ,hen a mobile registers in a network( information is retrie!edfrom the " and stored in a Visitor Location Register(VLR) associated with the local switching centre


7/71

ocation Management

Home

networkSwitching

and

routing

Other Networks


!isited network

H"R!"R

Interconnect

Roaming

Radio ase station


8/71

Call .stablishment and ando!er

• For mobile originating 'outgoing* calls( the mobileestablishes a radio connection with a nearby base station

which routes the call to a switching centre

• For mobile terminated 'incoming* calls( the network firsttries to contact the mobile by paging it across its currentlocation area, the mobile res%onds by initiating theestablishment of a radio connection

• If the mobile mo!es( the radio connection may be re-established with a different base station without anyinterru%tion to user communication / this is calledhandover


9/71

First Generation Mobile 0hones

• First generation analogue %hones '1234 onwards* werehorribly insecure

• Cloning5 your %hone 6ust announced its identity in clear o!er

the radio link/ easy for me to %ick u% your %hone+s identity o!er the air

/ easy for me to re%rogram my %hone with your %hone+s identity

/ then all my calls are charged to your bill

• .a!esdro%%ing/ all you ha!e to do is tune a radio recei!er until you can hear

someone talking


10/71

Second Generation Mobile 0hones /

The GSM Standard• Second generation mobile %hones are characterised by the

fact that data transmission o!er the radio link uses digital techni7ues

• 8e!elo%ment of the GSM 'Global System for Mobilecommunications* standard began in 1239

• First ser!ices launched in 1221

• GSM is the technology that under%ins most of the world:s

mobile %hone networks / 1); billion customers/


11/71

General 0acket "adio Ser!ice 'G0"S*

• The original GSM system was based on circuit-switchedtransmission and switching/ !oice ser!ices o!er circuit-switched bearers

/ te&t messaging

/ circuit-switched data ser!ices• charges usually based on duration of connection

• G0"S is the %acket-switched e&tension to GSM/ sometimes referred to as 9);G

/ %acket-switched data ser!ices

• suited to bursty traffic• charges usually based on data !olume or content-based

• Ty%ical data ser!ices/ browsing( messaging( download( cor%orate $# access


12/71

Third Generation Mobile 0hones / The

UMTS Standard• Third generation '>G* mobile %hones are characterised by higher

rates of data transmission and a richer range of ser!ices• Two main standards in use today

/ UMTS 'Uni!ersal Mobile Telecommunications System*/ C8M$9444

• UMTS is the one that belongs to the GSM family• UMTS uses a radio technology called ,ideband Code 8i!ision

Multi%le $ccess ',-C8M$* which is connected to an e!olution of

the GSM?G0"S core network• UMTS statistics

/ o!er @4 million subscribers at end Se%tember 944;/


13/71

GSM Security A The Goals

• GSM was intended to be no more !ulnerable to cloning orea!esdro%%ing than a fi&ed %hone

/ it+s a %hone not a Bsecure communications de!ice

• GSM uses integrated cry%togra%hic mechanisms to achie!ethese goals/ 6ust about the first mass market e7ui%ment to do this

/ %re!iously cry%togra%hy had been the domain of the military(

security agencies( and businesses worried about industriales%ionage( and then banks 'but not in mass market e7ui%ment*


14/71

GSM Security Features

• $uthentication/ network o%erator can !erify the identity of the subscriber making

it infeasible to clone someone else+s mobile %hone

• Confidentiality/ %rotects !oice( data and sensiti!e signalling information 'e)g)dialled digits* against ea!esdro%%ing on the radio %ath

• $nonymity

/ %rotects against someone tracking the location of the user oridentifying calls made to or from the user by ea!esdro%%ing onthe radio %ath


15/71

GSM Security Mechanisms

• $uthentication/ challenge-res%onse authentication %rotocol

/ encry%tion of the radio channel

• Confidentiality/ encry%tion of the radio channel

• $nonymity

/ use of tem%orary identities


16/71

GSM Security $rchitecture

• .ach mobile subscriber is issued with a uni7ue 193-bit secret key 'Di*

• This is stored on a Subscriber Identity odule (SI) which must be inserted intothe mobile %hone

• .ach subscriber+s Di is also stored in an !uthentication "entre (!u") associated with the " in the home network

• The SIM is a tam%er resistant smart card designed to make it infeasible to e&tractthe customer+s Di

• GSM security relies on the secrecy of Di/ if the Di could be e&tracted then the subscri%tion could be cloned and the subscriber+s calls

could be ea!esdro%%ed/ e!en the customer should not be able to obtain Di


17/71

GSM Security $rchitecture

Home

networkSwitching

and

routing

Other Networks


!isited network

H"R#$u%!"R

SIM


18/71

GSM $uthentication 0rinci%les

• #etwork authenticates the SIM to %rotect against cloning

• Challenge-res%onse %rotocol/ SIM demonstrates knowledge of Di

/ infeasible for an intruder to obtain information about Di whichcould be used to clone the SIM

• .ncry%tion key agreement/ a key 'Dc* for radio interface encry%tion is deri!ed as %art of the

%rotocol• $uthentication can be %erformed at call establishment

allowing a new Dc to be used for each call


19/71

HLR HLR

AuCAuC

Visited Access Network Visited

Core Network

Mobile

Station (MS)

BSCBTSSIM

SIM

ME

ME

SGSNSGSN

MSCMSC

Home

Network

(#) !uthentication

($) %istribution o&authentication data

GSM $uthentication

S" ' circuit switched

services

SS ' packet switchedservices (*RS)


20/71

GSM $uthentication5 0rere7uisites

• $uthentication centre in home network '$uC* and

security module 'SIM* inserted into mobile %hone share

/subscriber s%ecific secret key( Di

/ authentication algorithm consisting of

• authentication function( $>

• key generating function( $3

• $uC has a random number generator


21/71

.ntities In!ol!ed in GSM $uthentication

SIM Subscriber Identity Module

MSC Mobile Switching Centre 'circuit ser!ices*

SGS# Ser!ing G0"S Su%%ort #ode '%acketser!ices*

"?$uC ome ocation "egister ? $uthentication

Centre


22/71

GSM $uthentication 0rotocol

MSC or

SGSN

HLR/AuCSIM

R$N&

R'S

R$N&, R'S, *c+

$uthentication &ata

Reuest A3 A8

*i R$N&

*c

*c R'S

A3 A8

*i

R$N&

R'S

R'S - R'S


23/71

GSM $uthentication 0arameters

Di E Subscriber authentication key '193 bit*

"$#8 E $uthentication challenge '193 bit*

'*".S E $>Di '"$#8*E '.&%ected* authentication res%onse '>9 bit*

Dc E $3Di '"$#8*

E Ci%her key '@ bit*

$uthentication tri%let E H"$#8( ".S( Dc '99@ bit*J Ty%ically sent in batches to MSC or SGS#


24/71

GSM $uthentication $lgorithm

• Com%osed of two algorithms which are often

combined

/ $> for user authentication

/ $3 for encry%tion key 'Dc* generation

• ocated in the customer+s SIM and in the home

network+s $uC

• Standardisation of $>?$3 not re7uired and each

o%erator can choose their own


25/71

GSM .ncry%tion

• 8ifferent mechanisms for GSM 'circuit-switched

ser!ices* and G0"S '%acket-switched ser!ices*


26/71

GSM .ncry%tion 0rinci%les

'circuit-switched ser!ices*• 8ata on the radio %ath is encry%ted between the

Mobile .7ui%ment 'M.* and the Kase Transcei!erStation 'KTS*

/ %rotects user traffic and sensiti!e signalling data againstea!esdro%%ing

/ e&tends the influence of authentication to the entireduration of the call

• Uses the encry%tion key 'Dc* deri!ed duringauthentication


27/71

.ncry%tion Mechanism

• .ncry%tion is %erformed by a%%lying a stream

ci%her called $; to the GSM T8M$ frames( the

choice being influenced by

/ s%eech coder

/ error %ro%agation

/ delay

/ hando!er


28/71

Time 8i!ision Multi%le $ccess 'T8M$*

User 1

User 9

Frames #-1 Frame # Frame #L1

Time Slots @ 1 9 > @ 1 9 > @ 1

User 9 User 1


29/71

.ncry%tion Function

• For each T8M$ frame( $; generates consecuti!e se7uences of

11@ bits for encry%ting?decry%ting in the transmit?recei!e time slots

/ encry%tion and decry%tion is %erformed by a%%lying the 11@ bit keystream

se7uences to the contents of each frame using a bitwise " o%eration

• $; generates the keystream as a function of the ci%her key and

the Nframe number+ - so the ci%her is re-synchronised to e!ery

frame

•The T8M$ frame number re%eats after about >); hours( hence thekeystream starts to re%eat after >); hours

/ new ci%her keys can be established to a!oid keystream re%eat


30/71

Managing the .ncry%tion

• KTS instructs M. to start ci%hering using the cipher

command

• $t same time KTS starts decry%ting

• M. starts encry%ting and decry%ting when it

recei!es the cipher command

• KTS starts encry%ting when cipher command isacknowledged


31/71

Strength of the .ncry%tion

• Ci%her key 'Kc* @ bits long but 14 bits are ty%ically

forced to Oero in SIM and $uC

/ ;@ bits effecti!e key length• Full length @ bit key now %ossible

• The strength also de%ends on which $; algorithm is

used


32/71

GSM .ncry%tion $lgorithms

• Currently defined algorithms are5 $;?1( $;?9 and $;?>

• The $; algorithms are standardised so that mobiles and networkscan intero%erate globally

• $ll GSM %hones currently su%%ort $;?1 and $;?9• Most networks use $;?1( some use $;?9

• $;?1 and $;?9 s%ecifications ha!e restricted distribution but thedetails of the algorithms ha!e been disco!ered and some

cry%tanalysis has been %ublished• $;?> is new - e&%ect it to be %hased in o!er the ne&t few years


33/71

G0"S .ncry%tion

• 8ifferences com%ared with GSM circuit-switched/ .ncry%tion terminated further back in network at SGS#

/ .ncry%tion a%%lied at higher layer in %rotocol stack• ogical ink ayer 'C*

/ #ew stream ci%her with different in%ut?out%ut %arameters• G0"S .ncry%tion $lgorithm 'G.$*

/ G.$ generates the keystream as a function of the ci%her key andthe NC frame number+ - so the ci%her is re-synchronised to

e!ery C frame/ C frame number is !ery large so keystream re%eat is not an

issue


34/71

G0"S .ncry%tion $lgorithms

• Currently defined algorithms are5 G.$1( G.$9 andG.$>

• The G.$ algorithms are standardised so that

mobiles and networks can intero%erate globally• G.$1 and G.$9 s%ecifications ha!e restricted

distribution

• G.$> is new - e&%ect it to be %hased in o!er thene&t few years


35/71

GSM User Identity Confidentiality '1*

• User identity confidentiality on the radio access link/ tem%orary identities 'TMSIs* are allocated and used

instead of %ermanent identities 'IMSIs*

• el%s %rotect against5/ tracking a user+s location

/ obtaining information about a user+s calling %attern

IMSI5 International Mobile Subscriber Identity

TMSI5 Tem%orary Mobile Subscriber Identity


36/71

GSM User Identity Confidentiality '9*

• ,hen a user first arri!es on a network he uses his IMSI to

identify himself

• ,hen network has switched on encry%tion it assigns a

tem%orary identity TMSI 1• ,hen the user ne&t accesses the network he uses TMSI 1

to identify himself

• The network assigns TMSI 9 once an encry%ted channelhas been established


37/71

HLR HLR

AuCAuC

Access Network

(GSM BSS)

Visited

Network

Mobile

Station (MS)

BSCBTSSIMSIM

MEME A

SGSNSGSN

MSCMSC

Home

Network

(#) !uthentication

($) %istribution o&authentication data

GSM "adio $ccess ink Security

(+a) *rotection o& the S circuitswitched access link (-./S)

(0) 1c

(0a) 1c

(+b) *rotection o& the *RS packetswitched access link (-SS)


services

SS ' packet switchedservices (*RS)


38/71


39/71

GSM Security and the 0ress

• Some of the concerns were well founded( others were grossly e&aggerated

• Significance of Nacademic breakthroughs+ on cry%togra%hic algorithms is often wildly o!er%layed


40/71

imitations of GSM Security '1*

• Security %roblems in GSM stem by and large fromdesign limitations on what is %rotected/ design only %ro!ides access security - communications

and signalling in the fi&ed network %ortion aren+t%rotected

/ design does not address active attacks( wherebynetwork elements may be im%ersonated

/ design goal was only e!er to be as secure as the fixednetworks to which GSM systems connect


41/71

imitations of GSM Security '9*

• Failure to acknowledge limitations/ the terminal is an unsecured en!ironment - so trust in

the terminal identity is mis%laced

/ disabling encry%tion does not 6ust remo!e confidentiality%rotection / it also increases risk of radio channel hi6ack

/ standards don+t address e!erything - o%erators mustthemsel!es secure the systems that are used to manage

subscriber authentication key• awful interce%tion only considered as an

afterthought


42/71

S%ecific GSM Security 0roblems '1*

• Ill ad!ised use of CM0 193 as the $>?$3 algorithmby some o%erators/ !ulnerable to collision attack - key can be determined if

the res%onses to about 14(444 chosen challenges areknown

• later im%ro!ed to about ;4(444

/ attack %ublished on Internet in 1223 by Kriceno and

Goldberg


43/71

S%ecific GSM Security 0roblems '9*

• The GSM ci%her $;?1 is becoming !ulnerable to/ e&hausti!e search on its key

/ ad!ances in cry%tanalysis

• time-memory trade-off attacks by Kiryuko!( Shamir and,agner '9444* and Karkan( Kiham and Deller '944>*

• statistical attack by .kdahl and Pohansson '9449* andMa&imo!( Pohansson and Kabbage '944@*


44/71

S%ecific GSM Security 0roblems '>*

• The GSM ci%her $;?9/ cry%tanalysis

• leaked and broken in $ugust 1222

• im%ro!ements by Karkan( Kiham and Deller '944>*( including ci%herte&t

only attack/ $;?9 now offers !irtually no %rotection against %assi!e

ea!esdro%%ing

/ $;?9 is now so weak that the ci%her key can be disco!ered innear real time using a !ery small amount of known %lainte&t


45/71

False Kase Station $ttacks '1*

• IMSI catching/ force mobile to re!eal its IMSI in clear

• Interce%ting mobile-originated calls by disabling encry%tion

/ encry%tion controlled by network and user generally unaware if it is noton

/ false base station mas7uerades as network with encry%tion switchedoff

/ calls relayed to called %arty e)g) !ia fi&ed connection/ ci%her indicator on %hone hel%s guard against attack


46/71

False Kase Station $ttacks '9*

• Interce%ting mobile-originated calls by forcing use of a known ci%her key

/ mobile is unable to check freshness of ci%her key

/ attacker obtains !alid '"$#8( Dc* %air for target+s SIM

/ false base station mas7uerades as network with encry%tion switched on butforces use of known ci%her key by using corres%onding "$#8 in the

authentication challenge

/ calls relayed to called %arty e)g) !ia fi&ed connection

/ ci%her indicator on %hone does not guard against attack( but the need to obtain

a !alid '"$#8( Dc* %air is a significant obstacle for the attacker


47/71

False Kase Station $ttacks '>*

• 8ynamic cloning attacks

/ relay authentication messages between target and network( then

dro% target and hi6ack the channel

• solution5 enforce encry%tion

/ relay authentication messages( then force mobile to encry%t with

$;?9 to disco!er ci%her key using Karkan( Kiham and Deller

attack( then dro% target and hi6ack the channel

• solution5 remo!e $;?9 from new %hones


48/71

essons earnt from GSM .&%erience

• Security must o%erate

without user assistance(

but the user should know it

is ha%%ening• Kase user security on

smart cards

• 0ossibility of an attack is a

%roblem e!en if attack is

unlikely

• 8on+t relegate lawful

interce%tion to an

afterthought - es%ecially as

one considers end-to-endsecurity

• 8e!elo% o%en international

standards

• Use %ublished algorithms(or %ublish any s%ecially

de!elo%ed algorithms


49/71

Third Generation Mobile 0hones /

The UMTS Standard


50/71

0rinci%les of UMTS Security

• Kuild on the security of GSM/ ado%t the security features from GSM that ha!e %ro!ed to be

needed and that are robust

/ try to ensure com%atibility with GSM to ease inter-working and

hando!er

• Correct the %roblems with GSM by addressing security weaknesses

• $dd new security features/ to secure new ser!ices offered by UMTS

/ to address changes in network architecture


51/71

UMTS #etwork $rchitecture

Home

networkSwitching

and routing

Other Networks

(GSM, fixed,

Internet, etc.)

!isited core network

(GSM/ased)

H"R#$u%

RN%

RN%

0SIM

New radio access

network

!"R

GSM S it F t t " t i d


52/71

GSM Security Features to "etain and

.nhance in UMTS

• $uthentication of the user to the network

• .ncry%tion of user traffic and signalling data o!er the radio link

/ new algorithm / o%en design and %ublication

/ encry%tion terminates at the radio network controller '"#C*

• further back in network com%ared with GSM

/ longer key length '193-bit*

• User identity confidentiality o!er the radio access link

/ same mechanism as GSM


53/71

#ew Security Features for UMTS

• Mutual authentication and key agreement/ e&tension of user authentication mechanism

/ %ro!ides enhanced %rotection against false base station attacks byallowing the mobile to authenticate the network

• Integrity %rotection of critical signalling between mobile andradio network controller/ %ro!ides enhanced %rotection against false base station attacks by

allowing the mobile to check the authenticity of certain signalling

messages/ e&tends the influence of user authentication when encry%tion is not

a%%lied by allowing the network to check the authenticity of certainsignalling messages

UMTS $uthentication 5


54/71

UMTS $uthentication 5

0rotocol b6ecti!es• 0ro!ides authentication of user 'USIM* to network and

network to user

• .stablishes a ci%her key and integrity key

• $ssures user that ci%her?integrity keys were not usedbefore

• Inter-system roaming and hando!er

/com%atible with GSM5 similar %rotocol

/ com%atible with other >G systems due to the fact that C8M$9444

has ado%ted the same authentication %rotocol


55/71

UMTS $uthentication 5 0rere7uisites

• $uC and USIM share/ subscriber s%ecific secret key( D

/ authentication algorithm consisting of• authentication functions( f1( f1Q( f9

• key generating functions( f>( f@( f;( f;Q

• $uC has a random number generator

• $uC has a se7uence number generator

• USIM has a scheme to !erify freshness of recei!edse7uence numbers

UMTS $uthentication


56/71

UMTS $uthenticationMSC or SGSN HLR/AuCUSIM

R$N&,S1N⊕ $*

22 $M322M$%

R'S

R$N&, R'S, %*, I*,

S1N⊕ $*22$M322M$%+

$uthentication &ata

Reuest

R'S, %*,I*, $*, M$%

R$N&

* f1f!

S1N

&ecr45t S1N using f6

!erif4 M$% using f7

%heck S1N freshness

R'S, %*, I*

R$N&

f"f#*

$M3

R'S - R'S


57/71

UMTS $uthentication 0arameters

D E Subscriber authentication key '193 bit*"$#8 E User authentication challenge '193 bit*

SR# E Se7uence number '@3 bit*

$MF E $uthentication management field '1 bit*

M$C E f1D 'SR#"$#8$MF* E Message $uthentication Code '@ bit*

'*".S E f9D '"$#8*

E '.&%ected* user res%onse '>9-193 bit*

CD E f>D '"$#8* E Ci%her key '193 bit*

ID E f@D '"$#8* E Integrity key '193 bit*

$D E f;D '"$#8* E $nonymity key '@3 bit*

$UT# E SR#⊕$D $MFM$C E $uthentication Token '193 bit*

$uthentication 7uintet E H"$#8( ".S( CD( ID( $UT# ';@@-@4 bit*J ty%ically sent in batches to MSC or SGS#


58/71

UMTS Mutual $uthentication $lgorithm

• ocated in the customer+s USIM and in the home network+s$uC

• Standardisation not re7uired and each o%erator can choosetheir own

• $n e&am%le algorithm( called MI.#$G.( has been madea!ailable/ o%en design and e!aluation by .TSI+s algorithm design grou%(

S$G.

/ o%en %ublication of s%ecifications and e!aluation re%orts

/ based on "i6ndael which was later selected as the $.S


59/71

UMTS .ncry%tion 0rinci%les

• 8ata on the radio %ath is encry%ted between theMobile .7ui%ment 'M.* and the "adio #etworkController '"#C*

/ %rotects user traffic and sensiti!e signalling data againstea!esdro%%ing

/ e&tends the influence of authentication to the entireduration of the call

• Uses the 193-bit encry%tion key 'CD* deri!ed duringauthentication


60/71

UMTS .ncry%tion Mechanism

• .ncry%tion a%%lied at M$C or "C layer of the UMTS radio%rotocol stack de%ending on the transmission mode/ M$C E Medium $ccess Control

/ "C E "adio ink Control

• Stream ci%her used( UMTS .ncry%tion $lgorithm 'U.$*

• U.$ generates the keystream as a function of the ci%her key(the bearer identity( the direction of the transmission and theNframe number+ - so the ci%her is re-synchronised to e!eryM$C?"C frame

• The frame number is !ery large so keystream re%eat is not anissue


61/71

UMTS .ncry%tion $lgorithm

• Currently one standardised algorithm5 U.$1

/ located in the customer+s %hone 'not the USIM* and in

e!ery radio network controller

/ standardised so that mobiles and radio networkcontrollers can intero%erate globally

/ based on a mode of o%eration of a block ci%her called

D$SUMI


62/71

UMTS Integrity 0rotection 0rinci%les

• 0rotection of some radio interface signalling/ %rotects against unauthorised modification( insertion and re%lay of

messages

/ a%%lies to security mode establishment and other critical signalling

%rocedures• el%s e&tend the influence of authentication when encry%tion is

not a%%lied

• Uses the 193-bit integrity key 'ID* deri!ed during authentication

• Integrity a%%lied at the "adio "esource Control '""C* layer ofthe UMTS radio %rotocol stack/ signalling traffic only


63/71

UMTS Integrity 0rotection $lgorithm

• Currently one standardised algorithm5 UI$1

/ located in the customer+s %hone 'not the USIM* and in

e!ery radio network controller

/ standardised so that mobiles and radio networkcontrollers can intero%erate globally

/ based on a mode of o%eration of a block ci%her called

D$SUMI

UMTS .ncry%tion and Integrity


64/71

UMTS .ncry%tion and Integrity

$lgorithms• Two modes of o%eration of D$SUMI

/ stream ci%her for encry%tion

/ Message $uthentication Code 'M$C* algorithm for integrity

%rotection

• %en design and e!aluation by .TSI S$G.

• %en %ublication of s%ecifications and e!aluation re%orts

• $ second set of encry%tion?integrity algorithms 'U.$9 and

UI$9* are currently being designed

/ To be de%loyed as a back-u% in case the Dasumi-based

algorithms become com%romised in the future

Ci%hering $nd Integrity $lgorithm


65/71

Ci%hering $nd Integrity $lgorithm

"e7uirements• Stream ci%her f3 and integrity function f2

• Suitable for im%lementation on M. and "#C

/ low %ower with low gate-count hardware im%lementation

as well as efficient in software

• #o e&%ort restrictions on terminals( and network

e7ui%ment e&%ortable under licence in accordance

with international regulations

General $%%roach To 8esign of U.$1


66/71

General $%%roach To 8esign of U.$1

and UI$1• .TSI S$G. a%%ointed as design authority

• Koth f3 and f2 constructed using a new block ci%her called

D$SUMI as a kernel

• $n e&isting block ci%her MIST1 was used as a starting%oint to de!elo% D$SUMI

/ MIST1 was designed by Mitsubishi

/ MIST1 was fairly well studied and has some %ro!ably secure

as%ects/ modifications make it sim%ler but no less secure

• .TSI S$G. is also the design authority for U.$9 and UI$9


67/71

HLR HLR

AuCAuC

Access Network

($%&AN)

Visited

Network

$ser

'i*ment

+

RNCBTSUSIMUSIM

MEME

SGSNSGSN

HMSCMSC

Home

Network

(#) !uthentication

($) %istribution o&authentication vectors

UMTS "adio $ccess ink Security

(+) *rotection o& the

access link (-R")

(0) "1,I1 (0) "1, I1


services

SS ' packet switched

services

Summary of UMTS "adio $ccess ink


68/71

Summary of UMTS "adio $ccess ink

Security• #ew and enhanced radio access link security

features in UMTS/ new algorithms / o%en design and %ublication

/ encry%tion terminates at the radio network controller/ mutual authentication and integrity %rotection of critical

signalling %rocedures to gi!e greater %rotection againstfalse base station attacks

/ longer key lengths '193-bit*


69/71


70/71

Further "eading

8 9G:: standards,

htt5;##www.9g55.org#ft5#s5ecs#S ?9.@A@ = for GSM securit4 features

= >S 99.7@A = for 0M>S securit4 features


71/71

GSM and UMTS Security

GSM Attack 2

Documents

Transcript of GSM Attack 2