PPT - CEENet HOME Page - Central and Eastern European Networking ...

Page 1

Mobile Security

Wolfgang Schneider
wolfgang.schneider@sit.fraunhofer.de
Fraunhofer-Institute SIT
Dolivostr. 15
Darmstadt
Germany

Page 2

Wireless Communication Overview

Page 3

GSM

• GSM Properties
– cellular radio network
– digital transmission up to 9600 bit/s
– roaming (mobility among different network providers, international)
– good transmission quality (error detection and correction)
– scalable (large numbers of subscribers possible)
– worldwide 900 million subscribers
– Europe: over 300 million subscribers
– security mechanisms provided (authentication, authorisation, encryption)
– good usage of resources (frequency- and time-division multiplexing)
– integration with ISDN and the analogue telephone network
– standard (ETSI, European Telecommunications Standards Institute)

Page 4

GSM

GSM Security Requirements

Network provider's view
• correct billing: authenticity of the user
• no misuse of the service, correct billing of content usage
• efficiency: no additional bandwidth needed for security, no long delays (user acceptance), cost-efficient

User's view
• confidentiality of communication (voice and data)
• privacy: no profiles of the movements of the users
• connection with an authentic base station
• correct billing

Content provider's view
• correct billing

Page 5

GSM

Overview of GSM Security Services

Smartcard-based authentication of the user
• identification of the subscriber through the worldwide unique IMSI (International Mobile Subscriber Identity) stored on the SIM
• the authentication algorithm A3 is not public: it is chosen by the operator and runs only inside the SIM and the operator's authentication centre
• challenge-response: the network sends a random challenge, the SIM answers with a response computed from the challenge and its secret key
• only the user is authenticated towards the network; GSM does not authenticate the network towards the user (compare the UMTS extensions on page 15)

Confidentiality on the radio link:
• algorithms: up to 7 A5 variants
• unique, permanent subscriber key Ki and dynamically generated session keys Kc

Anonymity:
• use of temporary identities (TMSI) instead of the IMSI on the air interface

Page 6

GSM Architecture

[Figure: GSM architecture, showing the radio subsystem and the network and provider subsystem]

Page 7

GSM Architecture

Handover and Roaming

[Figure: handover between two MSCs within one network; roaming between two networks, each with its own HLR, VLR and AC (authentication centre)]

Page 8

GSM Security

Page 9

GPRS: General Packet Radio Service

• Properties
– packet mode service (end-to-end)
– data rates up to 171.2 kbit/s (theoretical), effectively up to 115 kbit/s
– effective and flexible management of the air interface
– adaptive channel coding
– standardised interworking with IP and X.25 networks
– dynamic resource sharing with the "classic" GSM voice services
– advantage: billing per volume, not per connection time

Page 10

GPRS Security Mechanisms

• security in GPRS is very similar to GSM
• authentication by the SGSN (Serving GPRS Support Node) with challenge-response
• use of temporary identities (managed by the SGSN)
• encryption with the GPRS Encryption Algorithms GEA1, GEA2 and GEA3 (GEA3 is, like A5/3, based on the KASUMI block cipher); the encryption terminates in the SGSN rather than at the base station
• but: no end-to-end encryption
• key generation and management as in GSM
• no authentication and confidentiality of signalling messages within the signalling network

Page 11

UMTS

• UMTS properties
– packet oriented, all-IP, 2-10 Mbit/s throughput
– rich telephony (voice with video, sound)
– audio and video streaming (movies etc.)
– better QoS, more user control
– video conferencing as killer application??
– worldwide roaming
– it is basically a merge of mobile telephony, wireless and paging technologies into a common system
– support of different carrier systems
• real time / not real time
• circuit switching / packet switching
– roaming between UMTS and GSM as well as satellite networks
– asymmetric data rates for uplink/downlink

Page 12

UMTS Cell Structure

Page 13

UMTS Service Concept

• UMTS Service Concept
– Virtual Home Environment (VHE): services freely configurable by the user
– service quality and the corresponding cost can be chosen
– dynamic adaptation to the connection

• UPT: Universal Personal Telecommunication Service
– one subscriber number for multiple devices (call management)
– virtual mobility in the terrestrial network

Page 14

UMTS Security

Adaptation of GSM security

• confidentiality of the user identity
• authentication of the user towards the network
• encrypted communication over the radio link
• USIM (UMTS Subscriber Identity Module) as personal security module, taking the role the SIM card plays in GSM, with authentication of the user towards the card

Page 15

UMTS Security

• UMTS Extensions
– extended UMTS Authentication and Key Agreement (AKA): the home network is authenticated towards the user as well (mutual authentication); sequence numbers prevent replay of authentication data; a keyed MAC over the challenge and sequence number proves that the challenge comes from a party that knows the subscriber key
– integrity of control data: control (signalling) data exchanged during connection establishment are protected with a MAC
– USIM-controlled use of keys: the USIM limits the volume of data that may be protected under one set of keys; when the limit is exceeded, a new authentication and key agreement is required
– periodic key renewal
– integrity and confidentiality of communication data: 128-bit cipher and integrity keys, MACs for integrity

Page 16

UMTS Problems

Problems
– interoperability between 2G, 2.5G and 3G mobile networks
– different security features: what does it mean in case of roaming between old and new networks? (a UMTS subscriber served by a GSM network falls back to GSM security, i.e. one-way authentication and GSM encryption)

Page 17

Wireless Network Infrastructures

• wireless local area networks (WLAN) and wireless personal area networks (PAN)

• advantages
– flexibility
– ad-hoc networks easy to establish
– no cables
– robustness

• disadvantages
– comparatively low data rates (11 Mbit/s or 54 Mbit/s)
– higher vulnerability of the transmission link in comparison to cabled local area networks (anyone in radio range can receive or inject frames)
– no international standards for frequency bands
– security

Page 18

WLAN Standards / IEEE 802.11

• IEEE standards 802.11a, 802.11b, 802.11g (development since 1997); IEEE 802.1X for port-based access control
– intended for
• cost-effective and simple use of mobile devices
• e.g. campus networks with wireless infrastructure
• ad-hoc networks without infrastructure
• hot spots, e.g. airports, hotels, restaurants

• two modes: infrastructure and ad-hoc
– infrastructure mode:
• users communicate wirelessly with access points (AP); the AP is the bridge between the radio and the wired network
– ad-hoc mode:
• direct point-to-point communication between users

Page 19

WLAN Standards / IEEE 802.11

[Figure: infrastructure mode (stations communicating via an access point) and ad-hoc mode (peer-to-peer network)]

Page 20

IEEE 802.11 Security

WEP (Wired Equivalent Privacy)

• encryption with the RC4 stream cipher with a 40- or 104-bit key and a 24-bit initialisation vector (IV); the IV is sent in clear and prepended to the key
• relies on a single static shared key
• no key management protocol
• the integrity check value (ICV) is a CRC-32, which is linear and not keyed
• cryptanalysis showed that the way RC4 is used in WEP makes it vulnerable to eavesdropping attacks (a repeated IV under the static key repeats the keystream; certain weak IVs leak key bytes)
• automatic tools which recover the RC4 key through eavesdropping are available on the internet
• in 2005 a group from the US FBI demonstrated that they were able to break a WEP-protected WLAN within 3 minutes using publicly available tools
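Added example, not from the original slides: a minimal WEP frame protection built exactly as described above (RC4 keyed with IV || shared key, 24-bit IV in clear, CRC-32 as integrity check value) and two consequences of that construction. First, two frames sent under the same IV share a keystream, so XOR-ing the ciphertexts gives the XOR of the plaintexts and a guessable frame reveals the other. Second, because CRC-32 is affine, the ciphertext can be modified and the encrypted ICV corrected without the key. Key recovery, which is what the tools mentioned on the slide do, is not shown. The shared key, IV and payloads are constructed; the RC4 and WEP framing code here is written for this page, not taken from any driver or tool.

```python
import zlib


def rc4_keystream(key, length):
    """RC4 key scheduling followed by the PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(shared_key, iv, plaintext):
    """Frame body = IV (3 bytes, in clear) || RC4(IV || key)(plaintext || ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key, frame):
    """Return the plaintext if the ICV verifies, otherwise None."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + shared_key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt if tag == icv(pt) else None


def recover_from_iv_reuse(frame_a, frame_b, known_plain_a):
    """Frames with the same IV under the static key share the keystream, so
    C_a xor C_b = P_a xor P_b: knowing P_a reveals P_b (up to the shorter length).
    With only 2^24 IVs a busy AP repeats one after a few thousand frames on average."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV")
    n = min(len(known_plain_a), len(frame_a) - 7, len(frame_b) - 7)
    return xor(xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_plain_a[:n])


def flip_bits(frame, delta):
    """Turn a captured frame for P into a valid frame for P xor delta without the key.
    CRC-32 is affine: crc(P xor D) = crc(P) xor crc(D) xor crc(0^n), so the
    encrypted ICV can be corrected by XOR as well.  A keyed MIC would not allow this."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(ct, delta + icv_fix)


# Constructed sample data: a 40-bit shared key, one IV used twice, equal-length payloads.
SHARED_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("0a0b0c")
P_KNOWN = b"GET /index.html HTTP/1.0\r\n"   # a request the attacker can guess
P_SECRET = b"user=alice&pin=4711 secret"    # the frame the attacker wants to read
P_TARGET = b"user=mallo&pin=9999 secret"    # what the attacker wants the AP to accept


def demo():
    f_known = wep_encrypt(SHARED_KEY, IV, P_KNOWN)
    f_secret = wep_encrypt(SHARED_KEY, IV, P_SECRET)
    return {
        "round_trip": wep_decrypt(SHARED_KEY, f_secret),
        "recovered_without_key": recover_from_iv_reuse(f_known, f_secret, P_KNOWN),
        "tampered_decrypts_to": wep_decrypt(SHARED_KEY, flip_bits(f_secret, xor(P_SECRET, P_TARGET))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Both functions that work "without the key" use nothing but the captured frames and a plaintext guess; that is why the fixes listed on the next slide are a per-packet key schedule, a keyed message integrity code and a replay counter rather than a longer RC4 key.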

Page 21

IEEE 802.11 Security

Wi-Fi Protected Access (WPA, based on a draft of IEEE 802.11i)

• major improvement over WEP
• designed for use with an authentication server (IEEE 802.1X/EAP), but can be configured in a pre-shared key mode (PSK) for home and small office environments; in PSK mode the keys are derived from the passphrase, so a weak passphrase can be attacked offline from a captured handshake
• still uses the RC4 stream cipher, with 128-bit per-packet keys
• dynamic key change with the Temporal Key Integrity Protocol (TKIP)
• improved payload integrity through use of a message integrity code (MIC) instead of a CRC
• includes a frame (sequence) counter to prevent replay attacks

Page 22

IEEE 802.11 Security

• What else can be done?
– separation of the insecure WLAN from the secure company intranet (own network segment behind a firewall)
– additional security on higher layers: IPsec, SSL/TLS or SSH
– additional authentication server
– closed shop (only registered MAC addresses); MAC addresses are sent in clear and are trivially spoofed, so this only deters casual use
– suppression of the network name (SSID broadcast); the SSID still appears in probe and association frames, so this is not a security measure on its own

• next step is the use of AES instead of RC4 (AES-CCMP in the final IEEE 802.11i standard, marketed as WPA2)

Page 23

PAN Standards / Bluetooth

Bluetooth short overview
– created 1998 by Ericsson, Intel, IBM, Nokia, Toshiba (the Bluetooth Special Interest Group)
– intended for wireless ad-hoc piconets (< 10 m)
– goal: cheap one-chip solution for short-distance wireless communication
– areas of use
• connection of peripheral devices
• support of ad-hoc networks
– frequency band 2.4 GHz

Page 24

PAN Standards / Bluetooth

Bluetooth short overview (cont.)
– point-to-point and point-to-multipoint transmission possible
– range 10 cm to 10 m with 1 mW, up to 100 m with 100 mW
– synchronous voice channels
– 1 asynchronous data channel
– data rates of one channel (data or voice):
• 433.9 kbit/s asynchronous, symmetric
• 723.2 kbit/s / 57.6 kbit/s asynchronous, asymmetric
• 64 kbit/s synchronous, voice

Page 25

PAN Standards / Bluetooth

Bluetooth network infrastructures

[Figure: example of a piconet; examples of master/slave networking]

Page 26

PAN Standards / Bluetooth

Bluetooth services
• two link types
– Synchronous Connection-Oriented link (SCO)
• needed for voice
• master reserves time slots
– Asynchronous Connectionless link (ACL)
• needed for packet-oriented data transfer
• master uses polling

Page 27

Security Architecture of Bluetooth

• central component of the Bluetooth security architecture is the Security Manager with the following tasks:
– administration of security attributes of services and devices
– access control from and to devices
– authentication
– encryption/decryption support
– moderation of the connection establishment between two devices which don't know each other

Page 28

Security Architecture of Bluetooth

• security services comprise:
– mutual authentication of devices, which are identified through a Bluetooth address
– encryption of transferred data
– authorisation of the use of services

• subjects in Bluetooth are solely devices, i.e. authorisation is always done on the basis of device identities and attributes, never of users
• objects are the services

Page 29

Security Architecture of Bluetooth

• access can be granted on the basis of the trustworthiness of the device, or on whether a successful authentication has been done before
• identification means is the device address (BD_ADDR)
– BD_ADDR is a 48-bit unique address; its upper 24 bits (the company identifier) are assigned by IEEE, as for Ethernet MAC addresses
• device authorisation is based on device attributes
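Added illustration of the service-level access control described on pages 27 to 29: subjects are devices identified by BD_ADDR, objects are services, and the Security Manager grants access according to the device's trust attribute, whether link-level authentication has succeeded, and the service's requirements. This is example code written for this page, not Bluetooth SIG text and not the API of any particular stack. Device addresses, service names and policy flags are constructed, and the result of the link-key authentication is passed in as a boolean rather than computed.

```python
from dataclasses import dataclass


def parse_bd_addr(text):
    """Parse 'AA:BB:CC:DD:EE:FF' into (48-bit value, company id, device number).
    The upper 24 bits (NAP || UAP) are the IEEE-assigned company identifier,
    the lower 24 bits (LAP) the manufacturer's device number."""
    parts = text.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a BD_ADDR: {text!r}")
    value = int("".join(parts), 16)
    return value, value >> 24, value & 0xFFFFFF


@dataclass
class Device:
    """Device database entry: the subject of every access decision."""
    bd_addr: str
    trusted: bool = False         # trusted devices are authorised for all services
    authenticated: bool = False   # link-level challenge-response passed this session
    encrypted: bool = False       # link currently encrypted


@dataclass
class Service:
    """Service database entry: the object being protected."""
    name: str
    authentication_required: bool = True
    authorisation_required: bool = True
    encryption_required: bool = False


class SecurityManager:
    def __init__(self):
        self.devices = {}
        self.services = {}
        self.one_time_grants = set()  # (bd_addr, service) authorised once by the user

    def register_device(self, device):
        parse_bd_addr(device.bd_addr)  # reject malformed addresses early
        self.devices[device.bd_addr.upper()] = device

    def register_service(self, service):
        self.services[service.name] = service

    def link_authenticated(self, bd_addr, encrypted):
        """Record the outcome of a successful link-key authentication (computed elsewhere)."""
        dev = self.devices[bd_addr.upper()]
        dev.authenticated = True
        dev.encrypted = encrypted

    def user_authorises(self, bd_addr, service_name):
        """The user confirms one use of a service by an untrusted device."""
        self.one_time_grants.add((bd_addr.upper(), service_name))

    def access(self, bd_addr, service_name):
        """Decide whether the device may use the service; returns (allowed, reason)."""
        dev = self.devices.get(bd_addr.upper())
        svc = self.services.get(service_name)
        if svc is None:
            return False, "unknown service"
        if dev is None:
            return False, "unknown device"
        if svc.authentication_required and not dev.authenticated:
            return False, "authentication required"
        if svc.encryption_required and not dev.encrypted:
            return False, "encryption required"
        if svc.authorisation_required and not dev.trusted:
            grant = (dev.bd_addr.upper(), service_name)
            if grant in self.one_time_grants:
                self.one_time_grants.discard(grant)
                return True, "untrusted device, authorised once by the user"
            return False, "authorisation required for untrusted device"
        return True, ("trusted device" if dev.trusted else "service requirements met")


def demo():
    """Walk an untrusted and a trusted device through three constructed services."""
    sm = SecurityManager()
    sm.register_service(Service("sdp", authentication_required=False, authorisation_required=False))
    sm.register_service(Service("headset", authorisation_required=False, encryption_required=True))
    sm.register_service(Service("file-transfer"))
    sm.register_device(Device("00:11:22:33:44:55", trusted=True))   # constructed addresses
    sm.register_device(Device("66:77:88:99:AA:BB"))
    stranger, friend = "66:77:88:99:AA:BB", "00:11:22:33:44:55"
    results = {"stranger_sdp": sm.access(stranger, "sdp"),
               "stranger_ft_unauthenticated": sm.access(stranger, "file-transfer")}
    sm.link_authenticated(stranger, encrypted=False)
    results["stranger_ft_authenticated"] = sm.access(stranger, "file-transfer")
    sm.user_authorises(stranger, "file-transfer")
    results["stranger_ft_user_granted"] = sm.access(stranger, "file-transfer")
    results["stranger_ft_second_use"] = sm.access(stranger, "file-transfer")
    results["stranger_headset_plain_link"] = sm.access(stranger, "headset")
    sm.link_authenticated(friend, encrypted=True)
    results["trusted_ft"] = sm.access(friend, "file-transfer")
    results["unknown_device"] = sm.access("CC:DD:EE:FF:00:11", "sdp")
    return results
```

Because the subject is always a device, a stolen or cloned trusted device inherits all of its grants; the user-confirmation path for untrusted devices is the only place a human enters the decision.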

Page 30

Security Architecture of Bluetooth

• Bluetooth security on the link level is based on a 128-bit link key, the E1 algorithm for authentication and the symmetric E0 stream cipher for encryption

– a link key is established between two (or more) communication partners; it may be used for one session only or stored for future connections

– the link key is the shared secret in the challenge-response device authentication (E1)

– encryption keys are derived from the link key and can have a length between 8 bits and 128 bits

– the length of the encryption key is device-dependent (negotiated between the two devices) and cannot be changed by the user