GSM Attack 2
Transcript of GSM Attack 2
-
8/19/2019 GSM Attack 2
1/71
GSM and UMTS Security
-
8/19/2019 GSM Attack 2
2/71
Contents
• Introduction to mobile telecommunications
• Second generation systems - GSM security
• Third generation systems - UMTS security
• Focus is on security features for network
access
-
8/19/2019 GSM Attack 2
3/71
-
8/19/2019 GSM Attack 2
4/71
Cellular "adio #etwork $rchitecture
• "adio base stations form a %atchwork of radio cells o!er agi!en geogra%hic co!erage area
• "adio base stations are connected to switching centres !ia
fi&ed or microwa!e transmission links• Switching centres are connected to the %ublic networks
'fi&ed tele%hone network( other GSM networks( Internet(etc)*
• Mobile terminals ha!e a relationshi% with one homenetwork but may be allowed to roam in other visitednetworks when outside the home network co!erage area
-
8/19/2019 GSM Attack 2
5/71
Cellular "adio #etwork $rchitecture
Home
networkSwitching
and
routing
Other Networks
(GSM, fixed,Internet, etc.)
Interconnect
Radio ase station
!isited network
Roaming
-
8/19/2019 GSM Attack 2
6/71
ocation Management
• The network must know a mobile+s location so that incomingcalls can be routed to the correct destination
• ,hen a mobile is switched on( it registers its current location
in a Home Location Register (HLR) o%erated by themobile+s home o%erator
• $ mobile is always roaming( either in the home o%erator+sown network or in another network where a roaming
agreement e&ists with the home o%erator• ,hen a mobile registers in a network( information is retrie!edfrom the " and stored in a Visitor Location Register(VLR) associated with the local switching centre
-
8/19/2019 GSM Attack 2
7/71
ocation Management
Home
networkSwitching
and
routing
Other Networks
(GSM, fixed,Internet, etc.)
!isited network
H"R!"R
Interconnect
Roaming
Radio ase station
-
8/19/2019 GSM Attack 2
8/71
Call .stablishment and ando!er
• For mobile originating 'outgoing* calls( the mobileestablishes a radio connection with a nearby base station
which routes the call to a switching centre
• For mobile terminated 'incoming* calls( the network firsttries to contact the mobile by paging it across its currentlocation area, the mobile res%onds by initiating theestablishment of a radio connection
• If the mobile mo!es( the radio connection may be re-established with a different base station without anyinterru%tion to user communication / this is calledhandover
-
8/19/2019 GSM Attack 2
9/71
First Generation Mobile 0hones
• First generation analogue %hones '1234 onwards* werehorribly insecure
• Cloning5 your %hone 6ust announced its identity in clear o!er
the radio link/ easy for me to %ick u% your %hone+s identity o!er the air
/ easy for me to re%rogram my %hone with your %hone+s identity
/ then all my calls are charged to your bill
• .a!esdro%%ing/ all you ha!e to do is tune a radio recei!er until you can hear
someone talking
-
8/19/2019 GSM Attack 2
10/71
Second Generation Mobile 0hones /
The GSM Standard• Second generation mobile %hones are characterised by the
fact that data transmission o!er the radio link uses digital techni7ues
• 8e!elo%ment of the GSM 'Global System for Mobilecommunications* standard began in 1239
• First ser!ices launched in 1221
• GSM is the technology that under%ins most of the world:s
mobile %hone networks / 1); billion customers/
-
8/19/2019 GSM Attack 2
11/71
General 0acket "adio Ser!ice 'G0"S*
• The original GSM system was based on circuit-switchedtransmission and switching/ !oice ser!ices o!er circuit-switched bearers
/ te&t messaging
/ circuit-switched data ser!ices• charges usually based on duration of connection
• G0"S is the %acket-switched e&tension to GSM/ sometimes referred to as 9);G
/ %acket-switched data ser!ices
• suited to bursty traffic• charges usually based on data !olume or content-based
• Ty%ical data ser!ices/ browsing( messaging( download( cor%orate $# access
-
8/19/2019 GSM Attack 2
12/71
Third Generation Mobile 0hones / The
UMTS Standard• Third generation '>G* mobile %hones are characterised by higher
rates of data transmission and a richer range of ser!ices• Two main standards in use today
/ UMTS 'Uni!ersal Mobile Telecommunications System*/ C8M$9444
• UMTS is the one that belongs to the GSM family• UMTS uses a radio technology called ,ideband Code 8i!ision
Multi%le $ccess ',-C8M$* which is connected to an e!olution of
the GSM?G0"S core network• UMTS statistics
/ o!er @4 million subscribers at end Se%tember 944;/
-
8/19/2019 GSM Attack 2
13/71
GSM Security A The Goals
• GSM was intended to be no more !ulnerable to cloning orea!esdro%%ing than a fi&ed %hone
/ it+s a %hone not a Bsecure communications de!ice
• GSM uses integrated cry%togra%hic mechanisms to achie!ethese goals/ 6ust about the first mass market e7ui%ment to do this
/ %re!iously cry%togra%hy had been the domain of the military(
security agencies( and businesses worried about industriales%ionage( and then banks 'but not in mass market e7ui%ment*
-
8/19/2019 GSM Attack 2
14/71
GSM Security Features
• $uthentication/ network o%erator can !erify the identity of the subscriber making
it infeasible to clone someone else+s mobile %hone
• Confidentiality/ %rotects !oice( data and sensiti!e signalling information 'e)g)dialled digits* against ea!esdro%%ing on the radio %ath
• $nonymity
/ %rotects against someone tracking the location of the user oridentifying calls made to or from the user by ea!esdro%%ing onthe radio %ath
-
8/19/2019 GSM Attack 2
15/71
GSM Security Mechanisms
• $uthentication/ challenge-res%onse authentication %rotocol
/ encry%tion of the radio channel
• Confidentiality/ encry%tion of the radio channel
• $nonymity
/ use of tem%orary identities
-
8/19/2019 GSM Attack 2
16/71
GSM Security $rchitecture
• .ach mobile subscriber is issued with a uni7ue 193-bit secret key 'Di*
• This is stored on a Subscriber Identity odule (SI) which must be inserted intothe mobile %hone
• .ach subscriber+s Di is also stored in an !uthentication "entre (!u") associated with the " in the home network
• The SIM is a tam%er resistant smart card designed to make it infeasible to e&tractthe customer+s Di
• GSM security relies on the secrecy of Di/ if the Di could be e&tracted then the subscri%tion could be cloned and the subscriber+s calls
could be ea!esdro%%ed/ e!en the customer should not be able to obtain Di
-
8/19/2019 GSM Attack 2
17/71
GSM Security $rchitecture
Home
networkSwitching
and
routing
Other Networks
(GSM, fixed,Internet, etc.)
!isited network
H"R#$u%!"R
SIM
-
8/19/2019 GSM Attack 2
18/71
GSM $uthentication 0rinci%les
• #etwork authenticates the SIM to %rotect against cloning
• Challenge-res%onse %rotocol/ SIM demonstrates knowledge of Di
/ infeasible for an intruder to obtain information about Di whichcould be used to clone the SIM
• .ncry%tion key agreement/ a key 'Dc* for radio interface encry%tion is deri!ed as %art of the
%rotocol• $uthentication can be %erformed at call establishment
allowing a new Dc to be used for each call
-
8/19/2019 GSM Attack 2
19/71
HLR HLR
AuCAuC
Visited Access Network Visited
Core Network
Mobile
Station (MS)
BSCBTSSIM
SIM
ME
ME
SGSNSGSN
MSCMSC
Home
Network
(#) !uthentication
($) %istribution o&authentication data
GSM $uthentication
S" ' circuit switched
services
SS ' packet switchedservices (*RS)
-
8/19/2019 GSM Attack 2
20/71
GSM $uthentication5 0rere7uisites
• $uthentication centre in home network '$uC* and
security module 'SIM* inserted into mobile %hone share
/subscriber s%ecific secret key( Di
/ authentication algorithm consisting of
• authentication function( $>
• key generating function( $3
• $uC has a random number generator
-
8/19/2019 GSM Attack 2
21/71
.ntities In!ol!ed in GSM $uthentication
SIM Subscriber Identity Module
MSC Mobile Switching Centre 'circuit ser!ices*
SGS# Ser!ing G0"S Su%%ort #ode '%acketser!ices*
"?$uC ome ocation "egister ? $uthentication
Centre
-
8/19/2019 GSM Attack 2
22/71
GSM $uthentication 0rotocol
MSC or
SGSN
HLR/AuCSIM
R$N&
R'S
R$N&, R'S, *c+
$uthentication &ata
Reuest A3 A8
*i R$N&
*c
*c R'S
A3 A8
*i
R$N&
R'S
R'S - R'S
-
8/19/2019 GSM Attack 2
23/71
GSM $uthentication 0arameters
Di E Subscriber authentication key '193 bit*
"$#8 E $uthentication challenge '193 bit*
'*".S E $>Di '"$#8*E '.&%ected* authentication res%onse '>9 bit*
Dc E $3Di '"$#8*
E Ci%her key '@ bit*
$uthentication tri%let E H"$#8( ".S( Dc '99@ bit*J Ty%ically sent in batches to MSC or SGS#
-
8/19/2019 GSM Attack 2
24/71
GSM $uthentication $lgorithm
• Com%osed of two algorithms which are often
combined
/ $> for user authentication
/ $3 for encry%tion key 'Dc* generation
• ocated in the customer+s SIM and in the home
network+s $uC
• Standardisation of $>?$3 not re7uired and each
o%erator can choose their own
-
8/19/2019 GSM Attack 2
25/71
GSM .ncry%tion
• 8ifferent mechanisms for GSM 'circuit-switched
ser!ices* and G0"S '%acket-switched ser!ices*
-
8/19/2019 GSM Attack 2
26/71
GSM .ncry%tion 0rinci%les
'circuit-switched ser!ices*• 8ata on the radio %ath is encry%ted between the
Mobile .7ui%ment 'M.* and the Kase Transcei!erStation 'KTS*
/ %rotects user traffic and sensiti!e signalling data againstea!esdro%%ing
/ e&tends the influence of authentication to the entireduration of the call
• Uses the encry%tion key 'Dc* deri!ed duringauthentication
-
8/19/2019 GSM Attack 2
27/71
.ncry%tion Mechanism
• .ncry%tion is %erformed by a%%lying a stream
ci%her called $; to the GSM T8M$ frames( the
choice being influenced by
/ s%eech coder
/ error %ro%agation
/ delay
/ hando!er
-
8/19/2019 GSM Attack 2
28/71
Time 8i!ision Multi%le $ccess 'T8M$*
User 1
User 9
Frames #-1 Frame # Frame #L1
Time Slots @ 1 9 > @ 1 9 > @ 1
User 9 User 1
-
8/19/2019 GSM Attack 2
29/71
.ncry%tion Function
• For each T8M$ frame( $; generates consecuti!e se7uences of
11@ bits for encry%ting?decry%ting in the transmit?recei!e time slots
/ encry%tion and decry%tion is %erformed by a%%lying the 11@ bit keystream
se7uences to the contents of each frame using a bitwise " o%eration
• $; generates the keystream as a function of the ci%her key and
the Nframe number+ - so the ci%her is re-synchronised to e!ery
frame
•The T8M$ frame number re%eats after about >); hours( hence thekeystream starts to re%eat after >); hours
/ new ci%her keys can be established to a!oid keystream re%eat
-
8/19/2019 GSM Attack 2
30/71
Managing the .ncry%tion
• KTS instructs M. to start ci%hering using the cipher
command
• $t same time KTS starts decry%ting
• M. starts encry%ting and decry%ting when it
recei!es the cipher command
• KTS starts encry%ting when cipher command isacknowledged
-
8/19/2019 GSM Attack 2
31/71
Strength of the .ncry%tion
• Ci%her key 'Kc* @ bits long but 14 bits are ty%ically
forced to Oero in SIM and $uC
/ ;@ bits effecti!e key length• Full length @ bit key now %ossible
• The strength also de%ends on which $; algorithm is
used
-
8/19/2019 GSM Attack 2
32/71
GSM .ncry%tion $lgorithms
• Currently defined algorithms are5 $;?1( $;?9 and $;?>
• The $; algorithms are standardised so that mobiles and networkscan intero%erate globally
• $ll GSM %hones currently su%%ort $;?1 and $;?9• Most networks use $;?1( some use $;?9
• $;?1 and $;?9 s%ecifications ha!e restricted distribution but thedetails of the algorithms ha!e been disco!ered and some
cry%tanalysis has been %ublished• $;?> is new - e&%ect it to be %hased in o!er the ne&t few years
-
8/19/2019 GSM Attack 2
33/71
G0"S .ncry%tion
• 8ifferences com%ared with GSM circuit-switched/ .ncry%tion terminated further back in network at SGS#
/ .ncry%tion a%%lied at higher layer in %rotocol stack• ogical ink ayer 'C*
/ #ew stream ci%her with different in%ut?out%ut %arameters• G0"S .ncry%tion $lgorithm 'G.$*
/ G.$ generates the keystream as a function of the ci%her key andthe NC frame number+ - so the ci%her is re-synchronised to
e!ery C frame/ C frame number is !ery large so keystream re%eat is not an
issue
-
8/19/2019 GSM Attack 2
34/71
G0"S .ncry%tion $lgorithms
• Currently defined algorithms are5 G.$1( G.$9 andG.$>
• The G.$ algorithms are standardised so that
mobiles and networks can intero%erate globally• G.$1 and G.$9 s%ecifications ha!e restricted
distribution
• G.$> is new - e&%ect it to be %hased in o!er thene&t few years
-
8/19/2019 GSM Attack 2
35/71
GSM User Identity Confidentiality '1*
• User identity confidentiality on the radio access link/ tem%orary identities 'TMSIs* are allocated and used
instead of %ermanent identities 'IMSIs*
• el%s %rotect against5/ tracking a user+s location
/ obtaining information about a user+s calling %attern
IMSI5 International Mobile Subscriber Identity
TMSI5 Tem%orary Mobile Subscriber Identity
-
8/19/2019 GSM Attack 2
36/71
GSM User Identity Confidentiality '9*
• ,hen a user first arri!es on a network he uses his IMSI to
identify himself
• ,hen network has switched on encry%tion it assigns a
tem%orary identity TMSI 1• ,hen the user ne&t accesses the network he uses TMSI 1
to identify himself
• The network assigns TMSI 9 once an encry%ted channelhas been established
-
8/19/2019 GSM Attack 2
37/71
HLR HLR
AuCAuC
Access Network
(GSM BSS)
Visited
Network
Mobile
Station (MS)
BSCBTSSIMSIM
MEME A
SGSNSGSN
MSCMSC
Home
Network
(#) !uthentication
($) %istribution o&authentication data
GSM "adio $ccess ink Security
(+a) *rotection o& the S circuitswitched access link (-./S)
(0) 1c
(0a) 1c
(+b) *rotection o& the *RS packetswitched access link (-SS)
S" ' circuit switched
services
SS ' packet switchedservices (*RS)
-
8/19/2019 GSM Attack 2
38/71
-
8/19/2019 GSM Attack 2
39/71
GSM Security and the 0ress
• Some of the concerns were well founded( others were grossly e&aggerated
• Significance of Nacademic breakthroughs+ on cry%togra%hic algorithms is often wildly o!er%layed
-
8/19/2019 GSM Attack 2
40/71
imitations of GSM Security '1*
• Security %roblems in GSM stem by and large fromdesign limitations on what is %rotected/ design only %ro!ides access security - communications
and signalling in the fi&ed network %ortion aren+t%rotected
/ design does not address active attacks( wherebynetwork elements may be im%ersonated
/ design goal was only e!er to be as secure as the fixednetworks to which GSM systems connect
-
8/19/2019 GSM Attack 2
41/71
imitations of GSM Security '9*
• Failure to acknowledge limitations/ the terminal is an unsecured en!ironment - so trust in
the terminal identity is mis%laced
/ disabling encry%tion does not 6ust remo!e confidentiality%rotection / it also increases risk of radio channel hi6ack
/ standards don+t address e!erything - o%erators mustthemsel!es secure the systems that are used to manage
subscriber authentication key• awful interce%tion only considered as an
afterthought
-
8/19/2019 GSM Attack 2
42/71
S%ecific GSM Security 0roblems '1*
• Ill ad!ised use of CM0 193 as the $>?$3 algorithmby some o%erators/ !ulnerable to collision attack - key can be determined if
the res%onses to about 14(444 chosen challenges areknown
• later im%ro!ed to about ;4(444
/ attack %ublished on Internet in 1223 by Kriceno and
Goldberg
-
8/19/2019 GSM Attack 2
43/71
S%ecific GSM Security 0roblems '9*
• The GSM ci%her $;?1 is becoming !ulnerable to/ e&hausti!e search on its key
/ ad!ances in cry%tanalysis
• time-memory trade-off attacks by Kiryuko!( Shamir and,agner '9444* and Karkan( Kiham and Deller '944>*
• statistical attack by .kdahl and Pohansson '9449* andMa&imo!( Pohansson and Kabbage '944@*
-
8/19/2019 GSM Attack 2
44/71
S%ecific GSM Security 0roblems '>*
• The GSM ci%her $;?9/ cry%tanalysis
• leaked and broken in $ugust 1222
• im%ro!ements by Karkan( Kiham and Deller '944>*( including ci%herte&t
only attack/ $;?9 now offers !irtually no %rotection against %assi!e
ea!esdro%%ing
/ $;?9 is now so weak that the ci%her key can be disco!ered innear real time using a !ery small amount of known %lainte&t
-
8/19/2019 GSM Attack 2
45/71
False Kase Station $ttacks '1*
• IMSI catching/ force mobile to re!eal its IMSI in clear
• Interce%ting mobile-originated calls by disabling encry%tion
/ encry%tion controlled by network and user generally unaware if it is noton
/ false base station mas7uerades as network with encry%tion switchedoff
/ calls relayed to called %arty e)g) !ia fi&ed connection/ ci%her indicator on %hone hel%s guard against attack
-
8/19/2019 GSM Attack 2
46/71
False Kase Station $ttacks '9*
• Interce%ting mobile-originated calls by forcing use of a known ci%her key
/ mobile is unable to check freshness of ci%her key
/ attacker obtains !alid '"$#8( Dc* %air for target+s SIM
/ false base station mas7uerades as network with encry%tion switched on butforces use of known ci%her key by using corres%onding "$#8 in the
authentication challenge
/ calls relayed to called %arty e)g) !ia fi&ed connection
/ ci%her indicator on %hone does not guard against attack( but the need to obtain
a !alid '"$#8( Dc* %air is a significant obstacle for the attacker
-
8/19/2019 GSM Attack 2
47/71
False Kase Station $ttacks '>*
• 8ynamic cloning attacks
/ relay authentication messages between target and network( then
dro% target and hi6ack the channel
• solution5 enforce encry%tion
/ relay authentication messages( then force mobile to encry%t with
$;?9 to disco!er ci%her key using Karkan( Kiham and Deller
attack( then dro% target and hi6ack the channel
• solution5 remo!e $;?9 from new %hones
-
8/19/2019 GSM Attack 2
48/71
essons earnt from GSM .&%erience
• Security must o%erate
without user assistance(
but the user should know it
is ha%%ening• Kase user security on
smart cards
• 0ossibility of an attack is a
%roblem e!en if attack is
unlikely
• 8on+t relegate lawful
interce%tion to an
afterthought - es%ecially as
one considers end-to-endsecurity
• 8e!elo% o%en international
standards
• Use %ublished algorithms(or %ublish any s%ecially
de!elo%ed algorithms
-
8/19/2019 GSM Attack 2
49/71
Third Generation Mobile 0hones /
The UMTS Standard
-
8/19/2019 GSM Attack 2
50/71
0rinci%les of UMTS Security
• Kuild on the security of GSM/ ado%t the security features from GSM that ha!e %ro!ed to be
needed and that are robust
/ try to ensure com%atibility with GSM to ease inter-working and
hando!er
• Correct the %roblems with GSM by addressing security weaknesses
• $dd new security features/ to secure new ser!ices offered by UMTS
/ to address changes in network architecture
-
8/19/2019 GSM Attack 2
51/71
UMTS #etwork $rchitecture
Home
networkSwitching
and routing
Other Networks
(GSM, fixed,
Internet, etc.)
!isited core network
(GSM/ased)
H"R#$u%
RN%
RN%
0SIM
New radio access
network
!"R
GSM S it F t t " t i d
-
8/19/2019 GSM Attack 2
52/71
GSM Security Features to "etain and
.nhance in UMTS
• $uthentication of the user to the network
• .ncry%tion of user traffic and signalling data o!er the radio link
/ new algorithm / o%en design and %ublication
/ encry%tion terminates at the radio network controller '"#C*
• further back in network com%ared with GSM
/ longer key length '193-bit*
• User identity confidentiality o!er the radio access link
/ same mechanism as GSM
-
8/19/2019 GSM Attack 2
53/71
#ew Security Features for UMTS
• Mutual authentication and key agreement/ e&tension of user authentication mechanism
/ %ro!ides enhanced %rotection against false base station attacks byallowing the mobile to authenticate the network
• Integrity %rotection of critical signalling between mobile andradio network controller/ %ro!ides enhanced %rotection against false base station attacks by
allowing the mobile to check the authenticity of certain signalling
messages/ e&tends the influence of user authentication when encry%tion is not
a%%lied by allowing the network to check the authenticity of certainsignalling messages
UMTS $uthentication 5
-
8/19/2019 GSM Attack 2
54/71
UMTS $uthentication 5
0rotocol b6ecti!es• 0ro!ides authentication of user 'USIM* to network and
network to user
• .stablishes a ci%her key and integrity key
• $ssures user that ci%her?integrity keys were not usedbefore
• Inter-system roaming and hando!er
/com%atible with GSM5 similar %rotocol
/ com%atible with other >G systems due to the fact that C8M$9444
has ado%ted the same authentication %rotocol
-
8/19/2019 GSM Attack 2
55/71
UMTS $uthentication 5 0rere7uisites
• $uC and USIM share/ subscriber s%ecific secret key( D
/ authentication algorithm consisting of• authentication functions( f1( f1Q( f9
• key generating functions( f>( f@( f;( f;Q
• $uC has a random number generator
• $uC has a se7uence number generator
• USIM has a scheme to !erify freshness of recei!edse7uence numbers
UMTS $uthentication
-
8/19/2019 GSM Attack 2
56/71
UMTS $uthenticationMSC or SGSN HLR/AuCUSIM
R$N&,S1N⊕ $*
22 $M322M$%
R'S
R$N&, R'S, %*, I*,
S1N⊕ $*22$M322M$%+
$uthentication &ata
Reuest
R'S, %*,I*, $*, M$%
R$N&
* f1f!
S1N
&ecr45t S1N using f6
!erif4 M$% using f7
%heck S1N freshness
R'S, %*, I*
R$N&
f"f#*
$M3
R'S - R'S
-
8/19/2019 GSM Attack 2
57/71
UMTS $uthentication 0arameters
D E Subscriber authentication key '193 bit*"$#8 E User authentication challenge '193 bit*
SR# E Se7uence number '@3 bit*
$MF E $uthentication management field '1 bit*
M$C E f1D 'SR#"$#8$MF* E Message $uthentication Code '@ bit*
'*".S E f9D '"$#8*
E '.&%ected* user res%onse '>9-193 bit*
CD E f>D '"$#8* E Ci%her key '193 bit*
ID E f@D '"$#8* E Integrity key '193 bit*
$D E f;D '"$#8* E $nonymity key '@3 bit*
$UT# E SR#⊕$D $MFM$C E $uthentication Token '193 bit*
$uthentication 7uintet E H"$#8( ".S( CD( ID( $UT# ';@@-@4 bit*J ty%ically sent in batches to MSC or SGS#
-
8/19/2019 GSM Attack 2
58/71
UMTS Mutual $uthentication $lgorithm
• ocated in the customer+s USIM and in the home network+s$uC
• Standardisation not re7uired and each o%erator can choosetheir own
• $n e&am%le algorithm( called MI.#$G.( has been madea!ailable/ o%en design and e!aluation by .TSI+s algorithm design grou%(
S$G.
/ o%en %ublication of s%ecifications and e!aluation re%orts
/ based on "i6ndael which was later selected as the $.S
-
8/19/2019 GSM Attack 2
59/71
UMTS .ncry%tion 0rinci%les
• 8ata on the radio %ath is encry%ted between theMobile .7ui%ment 'M.* and the "adio #etworkController '"#C*
/ %rotects user traffic and sensiti!e signalling data againstea!esdro%%ing
/ e&tends the influence of authentication to the entireduration of the call
• Uses the 193-bit encry%tion key 'CD* deri!ed duringauthentication
-
8/19/2019 GSM Attack 2
60/71
UMTS .ncry%tion Mechanism
• .ncry%tion a%%lied at M$C or "C layer of the UMTS radio%rotocol stack de%ending on the transmission mode/ M$C E Medium $ccess Control
/ "C E "adio ink Control
• Stream ci%her used( UMTS .ncry%tion $lgorithm 'U.$*
• U.$ generates the keystream as a function of the ci%her key(the bearer identity( the direction of the transmission and theNframe number+ - so the ci%her is re-synchronised to e!eryM$C?"C frame
• The frame number is !ery large so keystream re%eat is not anissue
-
8/19/2019 GSM Attack 2
61/71
UMTS .ncry%tion $lgorithm
• Currently one standardised algorithm5 U.$1
/ located in the customer+s %hone 'not the USIM* and in
e!ery radio network controller
/ standardised so that mobiles and radio networkcontrollers can intero%erate globally
/ based on a mode of o%eration of a block ci%her called
D$SUMI
-
8/19/2019 GSM Attack 2
62/71
UMTS Integrity 0rotection 0rinci%les
• 0rotection of some radio interface signalling/ %rotects against unauthorised modification( insertion and re%lay of
messages
/ a%%lies to security mode establishment and other critical signalling
%rocedures• el%s e&tend the influence of authentication when encry%tion is
not a%%lied
• Uses the 193-bit integrity key 'ID* deri!ed during authentication
• Integrity a%%lied at the "adio "esource Control '""C* layer ofthe UMTS radio %rotocol stack/ signalling traffic only
-
8/19/2019 GSM Attack 2
63/71
UMTS Integrity 0rotection $lgorithm
• Currently one standardised algorithm5 UI$1
/ located in the customer+s %hone 'not the USIM* and in
e!ery radio network controller
/ standardised so that mobiles and radio networkcontrollers can intero%erate globally
/ based on a mode of o%eration of a block ci%her called
D$SUMI
UMTS .ncry%tion and Integrity
-
8/19/2019 GSM Attack 2
64/71
UMTS .ncry%tion and Integrity
$lgorithms• Two modes of o%eration of D$SUMI
/ stream ci%her for encry%tion
/ Message $uthentication Code 'M$C* algorithm for integrity
%rotection
• %en design and e!aluation by .TSI S$G.
• %en %ublication of s%ecifications and e!aluation re%orts
• $ second set of encry%tion?integrity algorithms 'U.$9 and
UI$9* are currently being designed
/ To be de%loyed as a back-u% in case the Dasumi-based
algorithms become com%romised in the future
Ci%hering $nd Integrity $lgorithm
-
8/19/2019 GSM Attack 2
65/71
Ci%hering $nd Integrity $lgorithm
"e7uirements• Stream ci%her f3 and integrity function f2
• Suitable for im%lementation on M. and "#C
/ low %ower with low gate-count hardware im%lementation
as well as efficient in software
• #o e&%ort restrictions on terminals( and network
e7ui%ment e&%ortable under licence in accordance
with international regulations
General $%%roach To 8esign of U.$1
-
8/19/2019 GSM Attack 2
66/71
General $%%roach To 8esign of U.$1
and UI$1• .TSI S$G. a%%ointed as design authority
• Koth f3 and f2 constructed using a new block ci%her called
D$SUMI as a kernel
• $n e&isting block ci%her MIST1 was used as a starting%oint to de!elo% D$SUMI
/ MIST1 was designed by Mitsubishi
/ MIST1 was fairly well studied and has some %ro!ably secure
as%ects/ modifications make it sim%ler but no less secure
• .TSI S$G. is also the design authority for U.$9 and UI$9
-
8/19/2019 GSM Attack 2
67/71
HLR HLR
AuCAuC
Access Network
($%&AN)
Visited
Network
$ser
'i*ment
+
RNCBTSUSIMUSIM
MEME
SGSNSGSN
HMSCMSC
Home
Network
(#) !uthentication
($) %istribution o&authentication vectors
UMTS "adio $ccess ink Security
(+) *rotection o& the
access link (-R")
(0) "1,I1 (0) "1, I1
S" ' circuit switched
services
SS ' packet switched
services
Summary of UMTS "adio $ccess ink
-
8/19/2019 GSM Attack 2
68/71
Summary of UMTS "adio $ccess ink
Security• #ew and enhanced radio access link security
features in UMTS/ new algorithms / o%en design and %ublication
/ encry%tion terminates at the radio network controller/ mutual authentication and integrity %rotection of critical
signalling %rocedures to gi!e greater %rotection againstfalse base station attacks
/ longer key lengths '193-bit*
-
8/19/2019 GSM Attack 2
69/71
-
8/19/2019 GSM Attack 2
70/71
Further "eading
8 9G:: standards,
htt5;##www.9g55.org#ft5#s5ecs#S ?9.@A@ = for GSM securit4 features
= >S 99.7@A = for 0M>S securit4 features
-
8/19/2019 GSM Attack 2
71/71
GSM and UMTS Security