PKS 2000, San Jose 19-21 September 2000 Security for 3G Systems1 Michael Walker Head of R&D Vodafone...
-
Upload
leah-watlington -
Category
Documents
-
view
214 -
download
1
Transcript of PKS 2000, San Jose 19-21 September 2000 Security for 3G Systems1 Michael Walker Head of R&D Vodafone...
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 1
Security for 3G Systems
Michael WalkerHead of R&D Vodafone UK
Vodafone Professor of Telecommunications at Royal Holloway, University of London
Chairman 3GPP SA3 - Security
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 2
Acknowledgements
This presentation is based on the technical specifications and reports produced by the members of 3GPP SA3 and ETSI SAGE• available from http://www.3gpp.org
Much of the back ground work was done as part of the EU funded ACTS project USECA• the partners are Vodafone, G&D, Panasonic, Siemens
Atea, Siemens AG & Katholieke Universiteit Leuven
• http://www.useca.freeserve.co.uk
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 3
Principles for 3G Security
Build on the security of GSM• adopt the security features from GSM that have proved
to be both needed and robust
• try to ensure compatibility with GSM in order to ease inter-working and handover
Correct the problems with GSM by addressing its real and perceived security weaknesses
Add new security features • as are necessary to secure new services offered by 3G
• to take account of changes in network architecture
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 4
3GPP/GSM Architecture
GMSCGMSC
GGSNGGSN
HLRHLR
EIREIR
AUCAUC
SCFSCF
SMS-IWMSC
SMS-IWMSCRNCBSUu
Iu
AN CN ExternalNetworks
UE
Iur
D
USIMUSIM MEME
RNCBSUuUSIMUSIM MEME
Iub
Iub
Iu
Gd,Gp,Gn+
SGSNSGSN
MSCMSC
E,G
Cu
Cu
SMS-GMSC
SMS-GMSC
SGSNSGSN
MSCMSCBSCBTSUmSIMSIM MTMT Abis A
Gb
ISDNPSTNPSPDNCSPDNPDN:-Intranet-Extranet-Internet
BSS
RNS
RNS
UTRAN
Note:Not all interfaces shown and named
F
Gf
Gr
Gn+
H
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 5
Building on GSM Security
Be compatible with the GSM core networkProvide user authentication and radio interface
encryptionContinue to use a smart card as a security module
• removable hardware• terminal independent• management of all customer parameters
Security must operate without user assistanceRequire minimal trust in serving network
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 6
Limitations of GSM Security
Security problems in GSM stem by and large from design limitations on what is protected rather than on defects in the security mechanisms themselves• design only provides access security - communications
and signalling in the fixed network portion aren’t protected
• design does not address active attacks, whereby network elements may be impersonated
• designed to be only as secure as the fixed networks to which GSM systems connect
• lawful interception only considered as an after thought
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 7
Limitations of GSM Security, 2
Failure to acknowledge limitations • encryption needed to guard against radio channel hijack
• the terminal is an unsecured environment - so trust in the terminal identity is misplaced
Inadequate flexibility to upgrade and improve security functions over time
Lack of visibility that the security is being applied• no indication to the user that encryption is on
• no explicit confirmation to the home network that authentication is properly used when customers roam
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 8
Limitations of GSM Security, 3
Lack of confidence in cryptographic algorithms• lack of openness in design and publication of A5/1
• misplaced belief by regulators in the effectiveness of controls on the export or (in some countries) the use of cryptography led to A5/2
• encryption key length of 54 bits too short - some implementation faults make increase of length even to 64 bits difficult
• ill advised use of COMP 128 for authentication
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 9
Specific GSM Security Problems
Encryption terminated too soon• user traffic and signalling in clear on microwave links
Clear transmission of cipher keys & authentication values within and between networks• signalling system vulnerable to interception and
impersonation
Confidence in strength of algorithms• failure to choose best authentication algorithms
• improvements in cryptanalysis of A5/1
Use of false base stations
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 10
False Base Stations
Used as IMSI Catcher for law enforcement
Used to intercept mobile originated calls• encryption controlled
by network and user unaware if it is not on
Dynamic cloning risk in networks where encryption is not used
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 11
3GPP Security Architecture Overview
Homestratum/Servingstratum
USIM HE/AuCTE
Transportstratum
MT
SN/VLR/
SGSN
AN
Applicationstratum
User Application Provider Application
I. Network access security II. Provider domain security III. User domain security IV. Application specific security
III.
IV.
I.
I.I.
I.
I.
II.
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 12
Authentication & Key Agreement (AKA)
Provides authentication of user (USIM) to
network & network to user
Establishes a cipher key CK & an integrity key IK
Provides an authenticated management field from
home network to USIM to allow
• algorithms and authentication keys to be selected
• the home network to control the number of times a
particular (CK,IK) pair is used
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 13
AKA Message Flow
auth. data request
Quintets(RAND, XRES, CK, IK, AUTN)
RAND, AUTN
RES
Generate quintets
Verify MAC, SQNDerive CK, IK, RES
Start using CK, IK Start using CK, IK
XRES = RES ?
USIM HLR/AuCVLR or SGSN
Distribution ofquintets from HLR/AuCto VLR/SGSN
Over-the-airauthenticationand key agreement
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 14
AKA Variables and Functions
K = user specific authentication key
RAND = random challenge generated by AuC in user‘s home network
SQN = sequence number
XRES = f2K (RAND) = expected user response computed by AuC
CK = f3K (RAND) = cipher key
IK = f4K (RAND) = integrity key
AK = f5K (RAND) = anonymity key
AMF = authentication management field
MAC = f1K(SQN || RAND || AMF) = message authentication code computed over SQN, RAND and AMF
AUTN = SQNAK || AMF || MAC = network authentication token, concealment of SQN with AK is optional
Quintet = (RAND, XRES, CK, IK, AUTN)
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 15
AKA Cryptographic Parameters
K 128 bitsRAND 128 bitsRES 32 -128 bitsCK 128 bitsIK 128 bitsAUTN 128 bits
• SQN Sequence number 48 bits
• AMF Authentication management field 16 bits
• MAC Message authentication code 64 bits
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 16
Air-interface Encryption, 1
Applies to all user traffic and signalling messages Uses stream ciphering function f8:
• UEA1 = Kasumi; UEA0 = no encryption
CIPHERTEXTBLOCK
COUNT-CBEARER
DIRECTIONLENGTH
CK
PLAINTEXTBLOCK
f8
KEYSTREAMBLOCK
COUNT-CBEARER
DIRECTIONLENGTH
CK f8
KEYSTREAMBLOCK
PLAINTEXTBLOCK
SenderME or RNC
ReceiverME or RNC
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 17
Air-interface Encryption, 2
• Termination points • user side: mobile equipment, network side: radio network controller
• Ciphering in layer 2• RLC sublayer non-transparent RLC mode (signalling, data)
• MAC sublayer transparent RLC mode (voice)
• Key input values to algorithm• CK 128 bits Cipher key
• COUNT-C 32 bits Ciphering sequence number
• Further input values• BEARER 5 bits Bearer identity
• DIRECTION 1 bit Uplink/downlink
• LENGTH 16 bits Length of keystream block
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 18
Air-interface Integrity Mechanism, 1
Applies to all except a specifically excluded signalling messages after security mode set-up
MS supervises that it is started Uses integrity function f9: UIA1 = Kasumi
COUNT- IMESSAGE
DIRECTIONFRESH
IK f9
MAC- I
COUNT- IMESSAGE
DIRECTIONFRESH
IK f9
XMAC- I
SenderME or RNC
ReceiverME or RNC
MESSAGEMAC- I
MAC- I = XMAC- I ?
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 19
Air-interface Integrity Mechanism, 2• Termination points
• user side: mobile equipment, network side: radio network controller
• Integrity protection: layer 2• RRC sublayer
• Key input values• IK 128 bits Integrity key• COUNT-I 32 bits Integrity sequence number• FRESH 32 bits Connection
nonce • MESSAGE Signalling message
• Further input values• DIRECTION 1 bit Uplink/downlink
• Output values• MAC-I/XMAC-I 32 bits message authentication code
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 20
Security Choices
AKA is performed when• the user enters a new SN
• the user indicates that a new AKA is required when the amount of data ciphered with CK has reached a threshold
• the serving network decides
Otherwise integrity-key based authenticationSelection of UEA and UIA by user’s home
environment
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 21
Network Domain Security
Secures signalling data transmitted between and within 3GPP networks• for example the authentication vectors
Two different security protocols being designedApplication layer security
• for signalling protocols running over SS7, for example MAP and CAP
IP layer security• for native IP based protocols such as GTP and CSCF-
HSS signalling
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 22
Application Layer Security Architecture
ZC
KACI
NE
KACII
NE
Network I Network II
distribute SA
with IPsec
SA for MAP
negotiate SA for ZC with IKEaccording to DOI for MAPdistribute SA
with IPsec
ZA
IntermediateIP Network
SS7 networkZB ZB
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 23
Application Layer Security Features
MAP signalling provided with encryption, origin authentication and integrity using standard symmetric techniques
Block cipher BEANO designed by ETSI SAGE for securing signalling on public networks may be used
For communications secured at the application layer, 3GPP will define new Security Associations (i.e. create a new Domain of Interpretation)
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 24
IP Layer Security Architecture
ZC
KACI
NE
KACII
NE
Network I Network II
distribute SA
with IPsec
SEGI SEGII
SA Class 3
negotiate SA for ZC with IKEaccording to DOI for IPsec
SA Class 1
SA Class 2
distribute SA
with IPsec
ZA
ZB ZB
SA Class 1
IntermediateIP Network
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 25
IP Layer Security Features
IP layer security provides encryption, origin authentication and integrity using standard IPsec techniques
Security may be applied • end-to-end between Network Elements (NE)
• hop-by-hop via Security Gateways (SEG)
For communications secured using IPsec, the IETF IPsec Security Association will be adapted/profiled for 3GPP
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 26
Key Management For Network Domain Security
A two-tiered key management architecture will be adopted in the first phase
• KACs support IKE and public key
Migration to a PKI-based flat key management architecture will be considered for later phases
• NEs support IKE and public key
• On-line KACs become off-line CAs
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 27
Encryption & Integrity Algorithm Requirements
Low power with low gate-count hardware implementation as well as software
No practical attack significantly more efficient than exhaustive key search
No export restrictions on terminals (or USIM), and network equipment exportable under licence in accordance with Wassenaar
Time for development - six months!
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 28
General Approach to Design
ETSI SAGE appointed as design authorityRobust approach to exportability - full strength
algorithm and expect agencies to fall into lineUse existing block cipher as starting pointMISTY1 chosen:
• fairly well studied
• some provable security aspects
• parameter sizes suitable
• designed to be efficient in hardware and software
• offered by Mitsubishi free from royalty payments
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 29
Design and Analysis
SAGE work led by Gert Roelofsen, with external experts:• separate SAGE design and evaluation teams
• joined by Mitsuru Matsui from Mitsubishi - designer of MISTY
• additional evaluators for feasibility of implementation from Nokia, Ericsson and Motorola led by Kaisa Nyberg
External security evaluation by three teams:• Leuven: Lars Knudsen, Bart Preneel, Vincent Rijmen, Johan
Borst, Matt Robshaw
• Ecole Normale Superiere: Jacques Stern, Serge Vaudenay
• Royal Holloway: Fred Piper, Sean Murphy, Peter Wild, Simon Blackburn
Open Publication - http://www.etsi.org/dvbandca/
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 30
Other Aspects of 3GPP Security
Options in AKA for sequence management
Interoperation with GSM AKA+ and interoperation with
3GPP2 standards Formal analysis of AKA User identity confidentiality User configurability and
visibility of security features Lawful interception SIM application toolkit security MExE security
Fraud information gathering GERAN security OSA/VHE security Location services security Access security for IP based
services Provision of a standard
authentication and key generation algorithm for operators who do not wish to produce their own
PKS 2000, San Jose19-21 September 2000
Security for 3G Systems 31
References to 3GPP Security
Principles, objectives and requirements TS 33.120 Security principles and
objectives TS 21.133 Security threats and
requirements
Architecture, mechanisms and algorithms TS 33.102 Security architecture TS 33.103 Integration guidelines TS 33.105 Cryptographic algorithm
requirements TS 22.022 Personalisation of mobile
equipment
Lawful interception TS 33.106 Lawful interception
requirements TS 33.107 Lawful interception
architecture and functions
Technical reports TR 33.900 A guide to 3G security TR 33.901 Criteria for cryptographic
algorithm design process TR 33.902 Formal analysis of the 3G
authentication protocol TR 33.908 General report on the design,
specification and evaluation of 3GPP standard confid. & integ algs.
TR 33.909 Report on the evaluation of 3GPP standard confid. & integ. Algs.
Algorithm specifications Specification of the 3GPP confidentiality
and integrity algorithms• TS 35.201 : f8 & f9• TS 35.202: KASUMI• TS 35.203: implementors’ test data• TS 35.204: design conformance test data