Security Architecture Day2 Last Session
Transcript of Security Architecture Day2 Last Session
Workshop on 3G, HSPA & LTE/4G – Day 2
Dr. Manodha Gamage
Consultant – TRCSL,
Senior Lecturer (visiting)
Tel. 0777-789781
March 19, 2012
Security Aspects of 3G
Goals of Cryptography
1. Confidentiality (secrecy):
– Use of encryption to protect information from unauthorized parties
2. Data Integrity:
– Ensure the data is not changed by unauthorized parties
3. Authentication:
– Services related to identification
– Entity Authentication and Data Origin Authentication
– Information on a channel should be authenticated for:
• Origin
• Data
• Content
• Date of origin and time sent
– Uses Key Exchange (e.g. DH) & Digital Signatures (e.g. DSA)
4. Non-Repudiation:
– To prevent an entity from denying previous commitments/actions
Copyright © Dr. Manodha Gamage 2011
Classification of Security Primitives/Cryptographic Tools
[Figure: classification of security primitives. Surviving labels: (Encrypt group of characters/words); (Operate on individual characters)]
Basics of Cryptography
• Plain text
• Cipher text
• Symmetric Key (Private Key); Secure Key exchange is important
1. Block Ciphers
• Input: a block of plaintext and a key
• Output: a block of cipher-text of the same size of plaintext
• Encrypt group of characters/words
2. Stream Ciphers
• Create an arbitrarily long stream of key material
• Combine Key with plaintext
– Bit-by-bit
• Output stream created based on an internal state (changes as cipher operates)
• That state's change is controlled by key (in some by plaintext stream too)
• Public Key (Asymmetric Key);
– Encrypt Key is publicly available
– Decrypt Key is Private
Symmetric Key Cryptography
Step 1: Key Delivery (via secure channel): the Shared Secret Key is delivered between Alice and Bob
Step 2: Encrypted Communication between Alice and Bob
Symmetric Key Encryption
Example: Alice wants to encrypt a message that only Bob can read by using Symmetric Key Cryptography.
[Diagram: Alice: Data (Plaintext) → Encrypt (Shared Secret Key) → Data (Ciphertext) → Communications Link → Data (Ciphertext) → Decrypt (Shared Secret Key) → Data (Plaintext): Bob]
Asymmetric/Public Key Cryptography
Step 1: Each party (Alice and Bob) has a Key Pair (public/private)
Step 2: Each obtains the other’s Public Key from a trusted source (Certificate Center)
Step 3: Encrypted Communication
[Diagram: Alice holds her Private key and Bob’s Public key; Bob holds his Private key and Alice’s Public key; each Private key is used to decrypt]
Asymmetric/Public Key Encryption
Example: Alice wants to encrypt a message that only Bob can read by using Public Key Cryptography.
Note that Alice must obtain Bob’s public key and use it to encrypt.
[Diagram: Alice: Data (Plaintext) → Encryption (Bob’s Public Key) → Data (Ciphertext) → Communications Link → Data (Ciphertext) → Decryption (Bob’s Private Key) → Data (Plaintext): Bob]
Public Key Digital Signature
Example: Alice wants to sign a message so that Bob can authenticate that it really came from Alice.
[Diagram: Alice’s Data (Plaintext/Cipher text by Bob’s pub. key) → Hash → Encrypt (Sign) with Alice’s Private Key → Signature + Data → Communications Link → Signature + Data; at Bob: Decrypt (Verify) the Signature with Alice’s Public Key, Hash the Data, Compare]
Security of GSM
GSM Network Architecture: items related to the security system
• IMSI : International Mobile Subscriber Identity
• TMSI : Temporary Mobile Subscriber Identity
• MSRN : Mobile Station Roaming Number
• MSISDN : Mobile Station ISDN
• LAI : Local Area Identity
• Ki : authentication key
• Kc : ciphering key
• SRES : Signed Response
• RAND : random number
GSM Security Algorithms
• A3 : Subscriber authentication algorithm
• A8 : Cipher key generation algorithm
• A5 : Ciphering/deciphering algorithm
TMSI Assignment
• Objective : to protect the IMSI.
• A 5-digit TMSI is replaced at each location update procedure.
• TMSI is sent encrypted by the A5 algorithm from BTS to MS.
Weaknesses:
– No protection for the IMSI, which is transmitted between MS and fixed network.
– TMSI is only encrypted between BTS and MS.
Authentication
• Objective: to verify the authenticity of the subscriber's identity.
• Known as the Challenge-Response method.
[Diagram: the fixed network sends RAND (challenge) to the MS; the MS computes SRES_MS with A3 from Ki and RAND and returns it (response); the fixed network checks SRES_MS = SRES_network? Yes: access granted. No: deny access.]
Weaknesses:
– No protection for RAND and SRES_MS, which are transmitted.
Ciphering - Deciphering
• The ciphering process is carried out at the BTS and the MS, using the A5 algorithm.
• Symmetric cryptography.
[Diagram: at both the MS and the BTS, Kc (64 bit) and the Frame Number (22 bit) feed the A5 algorithm, which outputs S1 and S2; these are combined with the Plaintext (114 bit) to give the Ciphertext (114 bit). Codeword downlink: 114 bit. Codeword uplink: 114 bit.]
Weaknesses:
– There is no security outside the BTS-MS path.
Authentication in GSM Network
[Diagram: entities MS, MSC, HLR, AuC]
1. Register to network
2. Request authentication triplet
3. Authentication triplet (RAND, SRES, Kc)
4. RAND
5. SRES
6. Check SRES
SRES = A3(RAND, Ki)
Kc = Air interface encryption key
GSM Network Security Defects
• Network not authenticated
– A fake base station is possible in principle
• Algorithm weaknesses
– Both A5 and COMP128 defective
• Data integrity not checked
– Makes alteration of data possible
• Authentication data transmitted in clear both inside and between networks
– Also contains the air interface encryption key
• Encryption does not extend toward core Network
• Lack of visibility
– User cannot know whether encryption is used or not
– No confirmation to home network whether the serving network correctly uses the authentication parameters when the user roams
Security of UMTS
UMTS Security Features
• Mutual Authentication
– Mobile user and the serving network authenticate each other
• Data Integrity
– Signaling messages between MS and RNC/Core, protected by integrity code
• Network to Network Security
– Secure communication between serving networks using IPsec
• Wider Security Scope
– Security is based within the RNC rather than the base station
• Secure IMSI (International Mobile Subscriber Identity) Usage
– The user is assigned a temporary IMSI by the serving network
• User – Mobile Station Authentication
– The user and the mobile station share a secret key, PIN
• Secure Services
– Protect against misuse of services provided by home network & serving network
• Secure Applications
– Provide security for applications resident on mobile station
UMTS Security Features cont..
• Fraud Detection
– Mechanisms to combat fraud in roaming situations
• Flexibility
– Security features can be extended and enhanced as required by new threats and services
• Visibility and Configurability
– Users are notified whether security is on and what level of security is available
• Multiple Cipher and Integrity Algorithms
– User and network negotiate and agree on cipher and integrity algorithms (KASUMI or SNOW3G)
• Lawful Interception
– Mechanisms to provide authorized agencies with certain information about subscribers
• GSM Compatibility
– GSM subscribers roaming in 3G network are supported by GSM security context
Security Mechanism
• Authentication and Key Agreement
• Encryption
• Integrity Protection
Authentication & Key Agreement
• Authentication Center (AuC) and USIM share
– Permanent secret key, K
– Message authentication functions f1, f1*, f2
– Key generating functions f3, f4, f5
• AuC has a random number generator
• AuC has a scheme to generate fresh sequence numbers
• USIM has a scheme to verify freshness of received sequence numbers
AKA Procedure for 3G UMTS (TS 33.102)
[Message sequence between MS, VLR/SGSN and HE/HLR]
Distribution of authentication vectors from HE to SN:
– VLR/SGSN → HE/HLR: Authentication data request
– HE/HLR: Generate authentication vectors AV(1..n)
– HE/HLR → VLR/SGSN: Authentication data response AV(1..n)
– VLR/SGSN: Store authentication vectors
Authentication and key establishment:
– VLR/SGSN: Select authentication vector AV(i)
– VLR/SGSN → MS: User authentication request RAND(i) || AUTN(i)
– MS: Verify AUTN(i); Compute RES(i)
– MS → VLR/SGSN: User authentication response RES(i)
– VLR/SGSN: Compare RES(i) and XRES(i)
– MS: Compute CK(i) and IK(i); VLR/SGSN: Select CK(i) and IK(i)
Commonly stored in USIM & AuC/HE:
• f1, f2, f3, f4, f5
• K: Long term Secret Key
NOTES:
RAND: Unpredictable Challenge
AMF: An authentication and key management field (16b)
AUTN: Authentication Token
AK: Anonymity Key
For each user, HE/AuC keeps track of a counter: SQN_HE
Generation of AV at HE/AuC (TS 33.102)
[Diagram]
– Generate SQN; Generate RAND
– K, SQN, RAND and AMF feed f1, f2, f3, f4, f5, which give MAC, XRES, CK, IK, AK respectively
– AUTN := SQN ⊕ AK || AMF || MAC
– AV := RAND || XRES || CK || IK || AUTN
NOTES:
RAND: Unpredictable Challenge
AMF: An authentication and key management field (16b)
AUTN: Authentication Token
AK: Anonymity Key
For each user, HE/AuC keeps track of a counter: SQN_HE
AKA Procedure: User Authentication function at USIM
[Diagram]
– Receive RAND & AUTN from Network (AUTN = SQN ⊕ AK || AMF || MAC)
– f5 with K and RAND gives AK; SQN is recovered as (SQN ⊕ AK) ⊕ AK
– f1, f2, f3, f4 give XMAC, RES, CK, IK
– Verify MAC = XMAC; if a mismatch, Reject Authentication & abandon
– Verify that SQN is in the correct range; if not, synchronization failure & abandon
Commonly stored in USIM & AuC/HE:
• f1, f2, f3, f4, f5
• K: Long term Secret Key
UMTS AKA
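The AV generation at the HE/AuC and the checks at the USIM from the two slides above, as an added example that is not part of the original slides or of TS 33.102. The functions f1 to f5 are HMAC-SHA256 stand-ins (not MILENAGE), and the SQN window rule, the 8-octet RES and all sample values are assumptions.

```python
import hashlib
import hmac
import os

def f(n, key, data, length):
    """Stand-in for f1..f5 (NOT MILENAGE): HMAC-SHA256 with a per-function label."""
    return hmac.new(key, bytes([n]) + data, hashlib.sha256).digest()[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(k, sqn, amf, rand=None):
    """HE/AuC side: AV := RAND || XRES || CK || IK || AUTN (returned as a dict)."""
    rand = rand or os.urandom(16)               # 128-bit unpredictable challenge
    mac = f(1, k, sqn + rand + amf, 8)          # 64-bit MAC over SQN, RAND, AMF
    xres, ck, ik = f(2, k, rand, 8), f(3, k, rand, 16), f(4, k, rand, 16)
    ak = f(5, k, rand, 6)                       # 48-bit anonymity key
    autn = xor(sqn, ak) + amf + mac             # AUTN := SQN xor AK || AMF || MAC
    return {"RAND": rand, "XRES": xres, "CK": ck, "IK": ik, "AUTN": autn}

def usim_authenticate(k, rand, autn, sqn_ms, window=32):
    """USIM side: returns (status, RES, CK, IK); keys are released only on success."""
    concealed, amf, mac = autn[:6], autn[6:8], autn[8:16]
    sqn = xor(concealed, f(5, k, rand, 6))      # recover SQN with AK = f5(K, RAND)
    xmac = f(1, k, sqn + rand + amf, 8)
    if not hmac.compare_digest(mac, xmac):
        return ("reject", None, None, None)     # MAC != XMAC: network not authentic
    delta = int.from_bytes(sqn, "big") - int.from_bytes(sqn_ms, "big")
    if not 0 < delta <= window:                 # assumed freshness rule (hypothetical)
        return ("sync_failure", None, None, None)
    return ("ok", f(2, k, rand, 8), f(3, k, rand, 16), f(4, k, rand, 16))

# Constructed sample values (not from the page).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
AMF = bytes.fromhex("8000")
SQN_HE = (41).to_bytes(6, "big")    # counter kept by the HE/AuC
SQN_MS = (40).to_bytes(6, "big")    # highest SQN the USIM has accepted so far

if __name__ == "__main__":
    av = generate_av(K, SQN_HE, AMF)
    status, res, ck, ik = usim_authenticate(K, av["RAND"], av["AUTN"], SQN_MS)
    print(status, res == av["XRES"], ck == av["CK"] and ik == av["IK"])
    forged = av["AUTN"][:8] + bytes(8)          # AUTN with a zeroed MAC
    print(usim_authenticate(K, av["RAND"], forged, SQN_MS)[0])
    print(usim_authenticate(K, av["RAND"], av["AUTN"], SQN_HE)[0])  # replayed AV
```

The second and third calls show the two failure branches of the USIM slide: a MAC mismatch is rejected, and a correctly MACed but stale SQN gives a synchronization failure.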
Length of Authentication Parameter (TS 33.102)
• Authentication key (K) shall have a length of 128 bits
• Random challenge (RAND) shall have a length of 128 bits
• Sequence numbers (SQN) shall have a length of 48 bits
• Anonymity key (AK) shall have a length of 48 bits
• Authentication management field (AMF) shall have a length of 16 bits
• Message authentication codes, MAC in AUTN and MAC-S in AUTS shall have a length of 64 bits
• Cipher key (CK) shall have a length of 128 bits
• Integrity key (IK) shall have a length of 128 bits
• Authentication response (RES) shall have a variable length of 4-16 octets
Life Time of CK and IK (6.4.3 of TS 33.102)
• Generating CK & IK is not mandatory at call set-up;
• A mechanism is needed to ensure that CK/IK are not used for an unlimited period of time
• USIM shall contain a mechanism to limit the amount of data that is protected by an access link key set
• Each time an RRC connection is released, STARTCS & STARTPS of bearers that were protected in that RRC connection are compared with THRESHOLD (set by the operator and stored in the USIM)
1. If STARTCS and/or STARTPS have reached THRESHOLD,
• ME marks it/them as invalid by setting to THRESHOLD
• Deletes CK&IK stored on USIM and
• Sets KSI (Key Set ID) to invalid
2. Otherwise, the STARTCS and STARTPS are stored in the USIM.
• When RRC connection is established START values are read from USIM
– Then, ME shall trigger generation of a new access link key set (CK&IK) if STARTCS and/or STARTPS has reached THRESHOLD
• This mechanism will ensure that a cipher/integrity key set cannot be reused beyond the limit set by the operator
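The release and establishment steps above as a small state machine, added here as an example (not code from the slides or from TS 33.102). The KSI_INVALID value, the run_aka stand-in and the reset of START to 0 with a new key set are assumptions.

```python
KSI_INVALID = 7  # assumed marker for "no valid key set" (not given on the page)

class Usim:
    """Holds the values the slide says are stored on the USIM."""
    def __init__(self, threshold):
        self.threshold = threshold          # THRESHOLD, set by the operator
        self.start = {"CS": 0, "PS": 0}     # stored START_CS / START_PS
        self.ck = self.ik = None
        self.ksi = KSI_INVALID

def run_aka(usim, ksi):
    """Hypothetical stand-in for a full AKA run: installs a fresh key set."""
    usim.ck, usim.ik, usim.ksi = b"CK-%d" % ksi, b"IK-%d" % ksi, ksi
    usim.start = {"CS": 0, "PS": 0}         # assumption: START restarts with new keys

def on_rrc_release(usim, start_cs, start_ps):
    """At RRC release: compare the bearers' START values with THRESHOLD."""
    current = {"CS": start_cs, "PS": start_ps}
    if any(v >= usim.threshold for v in current.values()):
        for dom, v in current.items():      # mark the exhausted value(s) invalid
            usim.start[dom] = usim.threshold if v >= usim.threshold else v
        usim.ck = usim.ik = None            # delete CK & IK stored on the USIM
        usim.ksi = KSI_INVALID
        return "key set invalidated"
    usim.start = current                    # otherwise just store the START values
    return "START stored"

def on_rrc_establish(usim, next_ksi):
    """At RRC establishment: read START; force a new key set if at THRESHOLD."""
    exhausted = any(v >= usim.threshold for v in usim.start.values())
    if exhausted or usim.ksi == KSI_INVALID:
        run_aka(usim, next_ksi)
        return "new key set"
    return "reuse key set"

if __name__ == "__main__":
    u = Usim(threshold=1000)                # constructed THRESHOLD value
    print(on_rrc_establish(u, 1))           # no keys yet
    print(on_rrc_release(u, 10, 20), on_rrc_establish(u, 2))
    print(on_rrc_release(u, 1000, 30), on_rrc_establish(u, 2))
```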
Ciphering Algorithms in 3G and LTE
• Ciphering of U-plane data & C-plane (RRC & NAS Signalling)
– Algorithms in 3G:
• UEA 1 & 2: Kasumi and SNOW 3G based f8 algorithm
– Algorithms in LTE:
• EEA 1 & 2: SNOW 3G and AES based f8 algorithm
• Integrity Protection for C-plane
– Algorithms in 3G:
• UIA 1 & 2: Kasumi and SNOW 3G based f9 algorithm
– Algorithms in LTE:
• EIA 1 & 2: SNOW 3G & AES based f9 algorithm
Ciphering (f8) and Integrity Check (f9) for Control Plane
[Diagram: PDCP PDU = PDCP Hdr | PDCP SDU | MAC-I; MAC-I is calculated over PDCP Hdr + PDCP SDU; ENCRYPT covers PDCP SDU + MAC-I; PDCP Hdr = 1 or 2 Octets]
1. Ciphering and Integrity Check (MAC-I) is done for Control Plane data
2. Two different Keys derived from AS Base Key, KeNB, to be used for Ciphering and MAC-I
3. First Calculate MAC-I over PDCP PDU (i.e. Hdr + SDU) using f9
4. Then Encrypt (SDU + MAC-I) using f8
5. Algorithms to be used:
   1. EIA1 (for f9) and EEA1 (for f8); SNOW3G based Algorithms
   2. EIA2 (for f9) and EEA2 (for f8); AES Algorithms (Counter & CMAC modes)
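The ordering in steps 2 to 4 (MAC-I over Hdr + SDU, then encrypt SDU + MAC-I, header left in clear), with the receiver's reverse path, as an added example that is not part of the original slides. The f8/f9 functions and the key derivation are HMAC-SHA256 stand-ins (not EEA/EIA or the 3GPP KDF); the 4-byte MAC-I, the COUNT input and the sample PDU are assumptions.

```python
import hashlib
import hmac

def derive(kenb, label):
    """Stand-in KDF: two different keys from the AS base key KeNB."""
    return hmac.new(kenb, label, hashlib.sha256).digest()[:16]

def f9(k_int, count, data):
    """Stand-in integrity function (not EIA1/EIA2): 4-byte MAC-I."""
    msg = count.to_bytes(4, "big") + data
    return hmac.new(k_int, msg, hashlib.sha256).digest()[:4]

def f8(k_enc, count, data):
    """Stand-in stream cipher (not EEA1/EEA2): XOR with a keyed keystream."""
    stream, block = b"", 0
    while len(stream) < len(data):
        seed = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(k_enc, seed, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(kenb, count, hdr, sdu):
    """Sender: MAC-I over Hdr + SDU, then encrypt SDU + MAC-I; Hdr stays clear."""
    mac_i = f9(derive(kenb, b"int"), count, hdr + sdu)
    return hdr + f8(derive(kenb, b"enc"), count, sdu + mac_i)

def unprotect(kenb, count, pdu, hdr_len=1):
    """Receiver: decrypt, then recompute MAC-I; returns the SDU or None."""
    hdr, body = pdu[:hdr_len], f8(derive(kenb, b"enc"), count, pdu[hdr_len:])
    sdu, mac_i = body[:-4], body[-4:]
    expected = f9(derive(kenb, b"int"), count, hdr + sdu)
    return sdu if hmac.compare_digest(mac_i, expected) else None

# Constructed sample values (not from the page).
KENB = bytes(range(32))
HDR = b"\x05"                       # 1-octet PDCP header
SDU = b"RRCConnectionReconfiguration"

if __name__ == "__main__":
    pdu = protect(KENB, 7, HDR, SDU)
    print(unprotect(KENB, 7, pdu))
    flipped = pdu[:5] + bytes([pdu[5] ^ 1]) + pdu[6:]   # one ciphertext bit changed
    print(unprotect(KENB, 7, flipped))                  # None: MAC-I check fails
    print(unprotect(KENB, 7, b"\x06" + pdu[1:]))        # None: header is covered too
```

A stream cipher alone would pass the flipped bit straight through to the plaintext; the MAC-I is what lets the receiver detect it, and because it covers the header, the cleartext header cannot be altered either.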
Ciphering (f8) for User Plane
[Diagram: PDCP PDU = PDCP Hdr | PDCP SDU; ENCRYPT covers the PDCP SDU; PDCP Hdr = 1 or 2 Octets]
1. Ciphering ONLY for User Plane data
2. Ciphering Key derived from AS Base Key, KeNB, to be used
Note: Two different Ciphering Keys to be used for User plane and Control plane
Thank you