Mobile Phone Security
Worldwide wireless phone users
In-Stat/MDR Report
• The next five years (2002-2007) will see a slowing of worldwide cellular subscriber growth.
• However, there will be more than 931 million new subscribers over the next 5 years.
• By 2007, the total worldwide wireless population will exceed two billion subscribers.
• China, in the Eastern Asia region, continues to lead the world in overall subscriber growth; the new percentage growth leaders are found in Southern Asia and Southeast Asia.
• “It is rather remarkable that the fastest numerically growing country, China, is trailing Africa, Eastern Europe, and the Middle East in Compound Annual Growth Rate,” says Ken Hyers, a Senior Analyst with In-Stat/MDR.
In-Stat/MDR Report
• Western Europe’s growth virtually stops during In-Stat/MDR’s 2002-2007 forecast period, with a CAGR of 1.2%. This can be expected, as the penetration rate in 2007 will be 83.6%.
• Analog will be completely phased out of Western Europe by 2004, and In-Stat/MDR does not expect CDMA to make any inroads in Western Europe. UMTS subscriber growth will come at the expense of GSM.
• In Europe overall, GSM’s market share will decline, from 99.1% in 2002 to 91.4% in 2007. In-Stat/MDR continues to believe that UMTS will not achieve significant market share during this forecast period.
In-Stat/MDR Report
• CDMA will continue to be the single most dominant air link in the US throughout the forecast period. TDMA will be phased out, in favor of GSM, and by the end of the forecast period, TDMA networks will no longer be operational in the US.
• Despite NTT DoCoMo’s strong support for FOMA in Japan, the service faces stiff competition from KDDI’s AU. NTT DoCoMo will not be able to leverage its dominant Share-Of-Market (SOM) vis-à-vis FOMA to surpass AU before 2006.
Characteristics of selected wireless link standards
[Figure: data rate versus range for selected wireless link standards. Data-rate axis: 56 Kbps, 384 Kbps, 1 Mbps, 5-11 Mbps, 54 Mbps. Range axis: indoor (10 – 30 m), outdoor (50 – 200 m), mid-range outdoor (200 m – 4 km), long-range outdoor (5 km – 20 km). Standards plotted: 802.15; 802.11b; 802.11{a,g}; .11 p-to-p link; 2G (IS-95 CDMA, GSM); 3G (UMTS/WCDMA, CDMA2000).]
History of Mobile phone technology
Technology | 1G | 2G | 2.5G | 3G | 4G
Design Began | 1970 | 1980 | 1985 | 1990 | 2000
Implementation | 1984 | 1991 | 1999 | 2002 | 2010?
Service | Analog voice, synchronous data to 9.6kbps | Digital voice, short messages | Higher capacity, packetized data | Higher capacity, broadband data up to 2 Mbps | Higher capacity, completely IP-oriented, multimedia, data to hundreds of megabits
Standards | AMPS, TACS, NMT, etc. | TDMA, CDMA, GSM, PDC | GPRS, EDGE, 1xRTT | WCDMA, CDMA2000 | Single standard
Data Bandwidth | 1.9kbps | 14.4kbps | 384kbps | 2Mbps | 200Mbps
Multiplexing | FDMA | TDMA, CDMA | TDMA, CDMA | CDMA | CDMA?
Core Network | PSTN | PSTN | PSTN, packet network | Packet network | Internet
History of Mobile phone technology
• Legend:
– 1xRTT = 2.5G CDMA data service up to 384 kbps
– AMPS = advanced mobile phone service
– CDMA = code division multiple access
– EDGE = enhanced data for global evolution
– FDMA = frequency division multiple access
– GPRS = general packet radio service
– GSM = global system for mobile
– NMT = Nordic mobile telephone
– PDC = personal digital cellular
– PSTN = public switched telephone network
– TACS = total access communications system
– TDMA = time division multiple access
– WCDMA = wideband CDMA
UMTS and all that (2G, 2.5G, 3G)
• Third Generation Mobile Phones: Digital Voice and Data
• ITU-Standard “International Mobile Telecommunications” (IMT-2000):
– High-quality voice transmission
– Messaging (replace email, fax, SMS, chat, etc.)
– Multimedia (music, videos, films, TV, etc.)
– Internet access (web surfing + multimedia)
• Single worldwide technology envisioned by ITU, but:
– Europe: GSM-based UMTS
– US: IS-95 based CDMA2000 (different chip rate, frame time, spectrum, ..)
• Intermediate solutions (2.5G):
– Enhanced Data rates for GSM Evolution (EDGE): GSM with more bits per baud
– General Packet Radio Service (GPRS): packet network over D-AMPS or GSM
• Success of WLAN hotspots endangers 3G solutions!
Note: wireless = security hazard
The emerging network of 21st century
CDMA2000 Family of 3G standards
• CDMA2000 1X: Double voice capacity; up to 307 kbps packet data speeds; supports advanced services such as MMS, games, location services, picture and music download.
• CDMA2000 1xEV:
– CDMA2000 1xEV-DO: Optimized for packet data services; up to 2.4 Mbps packet data speeds; leverages IP; “always-on” services supporting Internet and Intranet.
– CDMA2000 1xEV-DV: Will provide integrated voice with high-speed packet data services, such as video-conferencing and other multimedia services, at speeds of up to 3.09 Mbps.
First launched October 2000: SK Telecom, LG Telecom
First launched January 2002: SK Telecom
Approved by the ITU as part of the IMT-2000 family; anticipated commercial deployment in 2005
Privacy and Security in GSM
• Criteria that GSM has to meet
• GSM services
• GSM architecture
• GSM security issues
Criteria that GSM has to meet
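• GSM
– European standard mobile communication specification
– Global System for Mobile Communication
• Criteria that GSM has to meet
– Good subjective speech quality
– Support for international roaming
• GSM services
– Bearer service: the capability to transmit information such as voice, data and moving images in real time
– Tele-services: services that add information-processing functions to the above capability
– Supplementary service: additional services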
GSM Architecture
• The geographic area is divided into cells
• Each cell has a Base Station managing the communications
• A set of cells managed by a single MSC is called a Location Area
[Figure: cells, each with a Base Station, connected by radio links to mobiles and by land links to MSC/VLR pairs and the HLR.]
• MSC: Mobile Switching Center
• VLR: Visitor Location Register
• HLR: Home Location Register
[Figure: GSM architecture in three layers. Radio Systems: MS, BTS, BSC (grouped as BSS). Switches: MSC, MSC, GMSC, SSP, PSTN. Databases: HLR, VLR, VLR, EIR, AuC, SSP. NSS and PLMN mark the enclosing regions.]
• NSS: Network and Switching Subsystem
• EIR: Equipment Identity Register
• AuC: Authentication Center
• GMSC: Gateway MSC
• BSS: Base Station System
• BSC: Base Station Controller
• BTS: Base Transceiver Station
• MS: Mobile Station
• SSP: Service Switching Point
GSM Architecture
[Figure: the same GSM architecture diagram (Radio Systems, Switches, Databases), captioned "GSM Hack", with parts of the system marked "Hard to break" and "Easy to break".]
GSM Security
• Security service provided by GSM
– Anonymity: not easy to identify the user of the system
– Authentication: operator knows who is using the system for billing purpose
– User Data and Signaling protection: user data passing over the radio path is protected
• Two security architectures in GSM
– Architecture I: uses proprietary algorithms
– Architecture II: uses public algorithms
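Security Architecture I
[Figure: Mobile Device | Air Interface | Base Station. Labels: random number R sent over the air interface; A3 with Km on each side producing SRES (Signed RESponse), compared with "=?"; A8 on each side producing Ki; A5 on each side applied to message mi, with encrypted data on the air interface.]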
A3: authentication, A8: Key generation, A5: encryption/decryption
GSM Protocol
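[Figure: Mobile (SIM) | Radio Interface | Base Station / AC. Labels: Challenge R (128 bit) sent to the mobile; A3 with KI (128 bit) on each side producing the Response SRES (32 bit), checked by the network (?); A8 with KI (128 bit) on each side producing KC (64 bit); A5 on each side, with encrypted data on the radio interface.]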
Authentication and Data Privacy
• A random challenge (R) is issued to the mobile
• Mobile encrypts the challenge using the authentication algorithm (A3) and the key assigned to the mobile (KI)
• Mobile sends response back (SRES)
• Network checks that the response to the challenge is correct.
• A8 algorithm is used to compute session key (KC)
• Data is encrypted using A5 series privacy algorithms by session key (KC)
Cryptographic Algorithms
• Authentication algorithm (A3) and key generation algorithm (A8)
– Implemented in the SIM
– Operators can choose their own A3/A8
– COMP-128 provided as example algorithm
– Can securely pass (RAND,SRES,Kc) while roaming
• Encryption algorithm (A5)
– Implemented in the handset
– A5/0 - unencrypted
– A5/1 - more secure
– A5/2 - less secure
– A5/3 - 3G mobiles (coming soon)
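The challenge-response flow and the roaming triplets described above, as an added example that is not part of the original slides: the home network hands (RAND, SRES, Kc) triplets to a visited network, which can then authenticate the SIM without ever holding KI. HMAC-SHA256 is a stand-in for the operator's A3/A8 (it is not COMP128), and the class and function names are hypothetical. Nothing in the exchange authenticates the network to the SIM.

```python
# Added illustration: GSM authentication with roaming triplets.
# HMAC-SHA256 is a stand-in for the operator's A3/A8; it is NOT COMP128.
import hashlib
import hmac
import secrets

def a3_a8(ki: bytes, rand: bytes):
    """Stand-in A3/A8: returns SRES (32 bit) and Kc (64 bit) from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class HomeAuC:
    """Home operator's authentication centre: holds Ki for each subscriber."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(16)       # Ki, 128 bit
        return self._ki[imsi]                          # personalised into the SIM

    def triplets(self, imsi: str, n: int = 3):
        out = []
        for _ in range(n):
            rand = secrets.token_bytes(16)             # RAND, 128 bit
            out.append((rand, *a3_a8(self._ki[imsi], rand)))
        return out

class Sim:
    """The SIM answers a challenge with SRES and derives Kc; Ki never leaves it."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_a8(self._ki, rand)

class VisitedNetwork:
    """Roaming partner: works from triplets only and never learns Ki."""
    def __init__(self, triplets):
        self._unused = list(triplets)

    def authenticate(self, sim: Sim):
        rand, expected_sres, kc = self._unused.pop(0)  # one triplet per attempt
        sres, _kc_mobile = sim.run_gsm_algorithm(rand) # challenge over the air
        if not hmac.compare_digest(sres, expected_sres):
            return None                                # wrong Ki: reject
        return kc                                      # session key handed to A5
```

On success the returned Kc equals the one the SIM derived locally, so both ends can key A5 without Kc crossing the air interface.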
GSM Attacks
• Algorithms were kept secret
• After reverse-engineering, many attacks:
– Golic, 1997 (A5/1)
– Goldberg+Wagner, 1998 (COMP128)
– Goldberg+Wagner+Briceno, 1999 (A5/2)
– Biryukov+Shamir+Wagner, 2000 (A5/1)
– Biham+Dunkelman, 2000 (A5/1)
– Ekdahl+Johansson, 2002 (A5/1)
– Barkan+Biham+Keller, 2003 (A5/2)+
• COMP128 and A5/2 completely broken, A5/1 weak
SIM Attacks
• Secret key KI is compromised.
• Physical access to SIM is needed.
• COMP-128 leaks KI (April 1998)
– Requires about 50K challenges
• Side-channel attacks
– Power consumption
– Timing of operation
– Electromagnetic emanations
• Cloning of SIM is possible
GSM Security Implementation
• A3 implemented within a Smart Card
– Tamper proof smart card containing the key
• A5 is in the data path and must be fast (in the phone hardware)
– Implemented in low cost, custom ASICs for speed
– A5/1 is strong encryption
– Weaker A5/2 for export-level encryption
GSM Security Issues
• A3 standard has been compromised
– Leaked by accident, vulnerabilities exposed
– Can extract key from a SIM -> cloning possible
• A5 standard has also been leaked
• Recently a strong attack against A5/2 and A5/1 was found [CRYPTO 2003]
• Protocol vulnerabilities
– Standard supports non-encrypted channel
– Could be used by rogue BTS to spoof access
– No authentication of BTS -> Mobile
GSM Hack [Anderson’97]
• Operator proposes silly challenge
– Break my network for money!
• Cambridge University research group
– Found nifty solution for problem
• Go after the easy part, not the hard part
– Break the network, not the link
GSM Hack
• Equipment
– About $20,000 worth of equipment to intercept authentication information on links between MSC <-> BSC or BSC <-> BTS
– Operator Response
  • What challenge?
– PacBell’s “Can’t be cloned” slogan for GSM
  • Didn’t last long
– Solutions?
Possible solutions
• Aziz & Diffie, Wireless LANs, 1994
• Brown, Privacy and Authentication for PCS, 1995
• Sam, Identity Privacy for Mobile Users, 1995
• R. Molva, Authentication of Mobile Users, 1994 …
Cryptanalytic Attack
• Weakness in the encryption algorithm
• Session key KC is compromised
• Over the air attack (physical access not required)
A5/2 Algorithm
[Figure: A5/2 block diagram. Labels: inputs KC (64 bit) + Frame No (22 bit); registers R1 (19 bit), R2 (22 bit), R3 (23 bit) and R4 (17 bit); Clocking Unit; three Majority Function blocks; output Key stream (228 bit).]
Description of A5/2
• 4 LFSRs: R1, R2, R3, R4.
• R4 controls the clocking of R1,R2,R3.
• LFSRs are initialized using KC and frame # f.
• After key is loaded, one bit of each register is forced to be set.
• Output (228 bit key stream) is quadratic function of R1,R2,R3.
• 114 bits of key stream are used to encrypt the uplink and the remaining 114 are used for the downlink.
Known Plaintext Attack on A5/2
• Session key KC can be found, if internal states of R1,R2,R3,R4 and frame #f are known.
– Each bit of registers is represented as variable
  • 18+21+22=61 variables.
– Output is quadratic in these variables, linearise them using new variables.
  • 18+(18*17)/2+21+(21*20)/2+22+(22*21)/2+1 = 656 variables.
– Get 656 linearly independent equations and solve them to get the internal state of the registers.
Known Plaintext Attack (Contd.)
• To get linearly independent equations
– C = P ⊕ key-stream
– Output of A5/2: key-stream = C ⊕ P
– For each bit of output one linear equation can be formed.
– Each frame can give 114 equations.
– Though there are 656 equations only 61 are linear and other variables depend upon them.
– Around 450 linear equations (4 frames) are sufficient to get 61 linear variables.
Known Plaintext Attack (Contd.)
• Complexity
– Time to solve set of linear equations:
  • 656^3 ≈ 2^28 bit XOR operations for each possible guess of R4.
– Total time for computation:
  • 2^44 bit XOR operations.
  • 2^39 register XOR operations on 32 bit machine.
– Implementation on PIII 800 MHz required approximately 40 minutes and 54KB memory.
– Complexity can be reduced by doing some pre-computation.
Ciphertext-only Attack on A5/2
• Error correction codes are employed in GSM before encryption.
• Plaintext has highly structured redundancy.
• Complexity
– Implementation on a personal computer recovers KC in less than a second and takes less than 5.5 hours for one time pre-computation.
Possible Attack Scenarios
• Eavesdropping conversation (passive listening)
• Call hijacking (man in the middle)
• Altering of data messages (SMS)
• Call theft (parallel session)
What Went Wrong
• GSM security design process was conducted in secrecy.
• The A5 encryption algorithm was never published.
• The key calculated does not depend on which of the A5 algorithms it is destined to be used with.
• Real time cryptanalysis of A5/2.
• The encryption is done after coding for error correction.
Our Observations
• Attack takes less time than the authentication timeout.
• No authentication for base station.
• Replay attack is possible as neither a nonce nor a time stamp is used.
• A5/2 is already broken and A5/1 is weak. Even changing to A5/3 won’t help.
• GSM interceptor/scanners are easily available.
• Security problems in mobile communications are keeping applications like m-commerce from deployment.
Security Architecture II
[Figure: Mobile Device | Air Interface | Base Station. Labels: C3 on each side, performing Mutual Authentication Key Exchange and yielding M; C8 on each side producing Ki; C5 on each side applied to message mi, with encrypted data on the air interface.]
C3: authentication, C8: Key generation, C5: encryption/decryption
Architecture – Authentication protocol (C3)
Authentication Phase
[Figure: Mobile Device | Air Interface | Base Station, with C3 on each side and M obtained by both.]
Messages exchanged over the air interface, in order:
1. SVC_REQ_PARMS, R1, Certificate(m)
2. Certificate(s), ENCpub_m(SIGpri_s(SVC_REQ_PARMS, R1, M, R2))
3. ENCpub_s(SIGpri_m(SVC_REQ_PARMS, R2), SIGpri_m(M))
Legend:
– m: mobile user, s: base station
– SVC_REQ_PARMS: (IDm, IDs, service_id_key, key_len)
– R1: random number generated by m
– R2: random number generated by s
– M: random bit string generated by s
Architecture – Authentication protocol (C3) (Cont’d)
Release Phase
[Figure: Mobile Device | Air Interface | Base Station, with C3 on each side.]
Messages exchanged over the air interface, in order:
1. REL_REQ, IDs, IDm, ENCpub_s(R2,R3)
2. IDm, IDs, BILL_INFO, R3
Goal: non-repudiation
Architecture – Key generation (C8)
• C8 algorithm processes input data on a byte-by-byte basis.
• Some simulation results show that the key stream generated by the C8 algorithm maintains a maximal period, regardless of input patterns.
– We can expect that the C8 algorithm provides a strong security property
Architecture – Message Encryption/Decryption (C5)
• C5 algorithm uses stream cipher for encryption/decryption
• The simplest stream cipher is using only the XOR operation
– Message ⊕ Key_stream
Comparison of two architectures
 | Architecture I | Architecture II
Complexity | Fast authentication; fast key exchange; fast encryption | Slow authentication; key exchange depends on key length; fast encryption
Security | Authentication is not secure enough; only the mobile user is authenticated | Secure authentication; mutual authentication; key generation has a long period
Flexibility | A3, A5, A8 are proprietary; SIM stores user’s personal information and A3 algorithm | C1, C8, C5 are publicly available; SIM only stores user’s personal information
Security Services
• Subscriber identity authentication
– Through challenge-response
• User data confidentiality
– Through encryption
• Signaling data confidentiality
– Through encryption
• Subscriber identity confidentiality
– Through temporary identification number
Part II
Code Division Multiple Access (CDMA) Systems
Security Standards in CDMA2000 1XRTT
• Electronic Serial Number (ESN)
• Authentication Key (A-key)
• CAVE
– dedicated hash with 64-bit key (A-key)
– Challenge response authentication protocol
– Key generation
Security Standards (Contd.)
• Voice privacy
– XOR with 520-bit mask for voice data confidentiality
• ORYX
– LFSR-based stream cipher for data traffic
• CMEA
– variable-width block cipher with 2 rounds for control channel
Overview of CDMA Protocol
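[Figure: CDMA protocol, with the same blocks on the mobile side and the network side. Labels: CAVE with A-key (64), ESN (32) and Rand SSD (56), giving SSD_A (64) and SSD_B (64); CAVE producing VPM for scrambled voice; ORYX for encrypted data; CMEA for encrypted signaling messages; CAVE with the broadcast random RAND producing AUTHU (18), which is compared (?).]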
Security of A-key
• Security of A-key is important component
• Re-programmable
– Factory
– Dealer at the point of sale
– Subscriber via telephone
– Over the air service provisioning (OTASP)
  • 512-bit Diffie-Hellman key exchange
Additional Features
• Global challenge
– All mobiles are challenged with same random number
– Allows rapid authentication
• Unique challenge
– A specific RAND is used for each requesting mobile
• Call history count (6-bit)
– Tracked by both, mobile and the network
– Provides a way to detect cloning, as the operator gets alerted if there is a mismatch.
• Anonymity
– Temporary Mobile Station Identifier (TMSI)
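The call history count check described above, as an added example that is not part of the original slides: the network keeps its own copy of the 6-bit count for each ESN and raises an alert when a handset reports a different value. The class names, the constructed ESN and the rule that both sides advance the count after every accepted call are assumptions made for this sketch.

```python
# Added illustration: network-side check of the 6-bit call history count.
# Simplifying assumption: both sides advance the count after every accepted call.
COUNT_MOD = 1 << 6          # 6-bit counter: values 0..63, wraps 63 -> 0

class Network:
    def __init__(self):
        self._expected = {}  # ESN -> count the network expects next
        self.alerts = []     # (esn, expected, reported) tuples for the operator

    def register(self, esn: int, count: int = 0):
        self._expected[esn] = count % COUNT_MOD

    def on_access(self, esn: int, reported: int) -> bool:
        expected = self._expected[esn]
        if reported != expected:
            # Mismatch: two devices share one identity, or state was lost.
            # Alert and leave the expected value untouched until resolved.
            self.alerts.append((esn, expected, reported))
            return False
        self._expected[esn] = (expected + 1) % COUNT_MOD
        return True

class Handset:
    def __init__(self, esn: int, count: int = 0):
        self.esn, self.count = esn, count

    def place_call(self, net: Network) -> bool:
        accepted = net.on_access(self.esn, self.count)
        if accepted:
            self.count = (self.count + 1) % COUNT_MOD
        return accepted

def simulate():
    esn = 0x8A1B2C3D                        # constructed 32-bit ESN
    net = Network()
    net.register(esn, 62)
    phone = Handset(esn, 62)
    results = [phone.place_call(net), phone.place_call(net)]  # 62 -> 63 -> 0 (wrap)
    duplicate = Handset(esn, phone.count)   # second device holding identical state
    results.append(duplicate.place_call(net))  # accepted: counts still agree
    results.append(phone.place_call(net))      # stale count 0, network expects 1
    return results, net.alerts
```

The alert shows that two devices share one identity, not which of them is genuine; resolving that is an operator process outside this sketch.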
Cellular Crypto Algorithms
 | Confidentiality | Authentication | Key Generation
CDMA | XOR mask & CMEA (ORYX) | CAVE | CAVE
GSM | A5/2 or A5/1 (soon: A5/3) | COMP128 (COMP128-2, 3DES-CBC-MAC) | COMP128 (same)
Key: highlighted entries = insecure (the highlighting is not preserved in this transcript)
Our Observation
• CDMA 2000 1XRTT is comparatively strong
• The problems are due to inefficient implementation.
– A-key is kept weak
– Call history count is not implemented