case study: security in gsm and umts - unipi.it · pdf filecase study: security in gsm and...
TRANSCRIPT
CaseStudy:securityinGSMandUMTS
SecurityinNetworkedCompu:ngSystems
GSM GSM and UMTS security
09/05/16 GMS and UMTS security 2
Systemmodel
09/05/16 GMS and UMTS security 3
184 Chapter 7. Inter-provider Roaming within GSM and UMTS
7.1 GSM Inter-Provider Roaming
7.1.1 System Model
In a GSM network, a mobile device is connected to a visited network1 via a radio linkto a particular Base Transceiver Station (BTS). Multiple BTSs are connected to a BaseStation Controller (BSC) and multiple BSCs are controlled by a Mobile Switching Center(MSC). A BSC, together with the BTSs connected to it, is also referred to as a BaseStation Subsystem (BSS) or GSM EDGE Radio Access Network (GERAN). Each MSC hasaccess to a Visitor Location Register (VLR) that keeps track of the location of all MobileDevices (MDs) currently connected to the visited network. The Home Location Register(HLR) in HN keeps track of the location of all MDs that are pre-registered with HN. TheAuthentication Center (AuC) stores all security-related information of all pre-registeredusers.2 Figure 7.1 describes the GSM network architecture. Moreover, it illustrates thekeys and security mechanisms stored by the network components, which are described indetail in Section 7.1.2.
Mobile Device Currently Serving Network Home Network
BSS
SIM
A5A8A3Ki
IMSI
MSC: Mobile Switching Center
BTS: Base Transeiver StationVLR: Visitor Location RegisterHLR: Home Location RegisterAuC: Authentication CenterKi: Secret per subscriber key
A3: Authentication algorithmMD: Mobile DeviceA8: Key generation algorithmA5: Encryption algorithmBSC: Base Station ControlerSIM: Subscriber Identity Module
IMSI: International Mobile Subscriber Identity BSS: Base Station System
BTS
BTS
BTSA5
VLR HLR AuC
KiA3A8
MD
IMSI
A5
BSC
BSC
MSC MSC
Figure 7.1: System Model and Storage of Security Information
7.1.2 Security Model
GSM supports mobile device authentication as well as encryption of the air interface be-tween a mobile device and a network access point (BTS). GSM does not support network
1its home network or a foreign network that has a roaming agreement with MDs home network.2In our security model we used the term Security Center (SC) instead of AuC.
Securitymodel
WhatissupportedMobiledeviceauthen:ca:on Encryp:onoftheairinterfacebetweenMDandBTS
WhatitisNOTsupported Networkauthen:ca:on Integrity
09/05/16 GMSandUMTSsecurity 4
Registra:on
Eachuser(subscriber)registersforaHomeProvider(Network)
HPassociatestheuserwithIMSIandKi(128bit) IMSI:Interna:onalMobileSubscriberIden:ty
IMSIandKiarestoredonHNsAuCandSIM SIM:SubscriberIden:tyModule
09/05/16 GMSandUMTSsecurity 5
Securityalgorithms
Authen:ca:onandKeyagreement A3:Authen:ca:onalgorithm A8:Keygenera:onalgorithm Providerspecific
Encryp:onalgorithms A5/0(noencr),A5/1(standard),A5/2(weakerthatA5/1),A5/3(similartoKASUMI)
A5/0,A5/1andA5/2aremandatory Standardized,noprovider-specific
ImplementedbyMDandBTS
09/05/16 GMSandUMTSsecurity 6
GSMauthen:ca:on:simplified
09/05/16 GMS and UMTS security 7
MD FN HN | REQ, IMSI | REQ, IMSI | +->> | | RAND, RES, Kc | |
Analysis
09/05/16 GMS and UMTS security 8
MD, HN | MD!Ki
HN
FN | FN Kc
MDFN | #(RAND)
FN | #(FN Kc
MD)
FN | MD | (FN Kc
MD)
Registra:on
ByvirtueofthesecurechannelbetweenFNandHN
Finalbelief
MNachievesnobeliefs
GSMauthen:ca:on
09/05/16 GMS and UMTS security 9
188 Chapter 7. Inter-provider Roaming within GSM and UMTS
IMSIrequest security related info
authentication vector response
TMSI
GSM
IG
SM II
GSM
III
authentication challenge
encryption key
request identiy
IMSI
GSM cipher mode command
any correctily deciphered message
GSM
IV
A8 / A3
A8 / A3
try to resolve TMSI
start encryption
decide mechanisms
RRC connection establishment including:
BTS MSC/VLR MSC/HLRMD
security capabilitiesencryption mechanisms
authentication response
andstart deciphering
start encryption
PSfrag replacements
RESG
RESG
RES GRES G = RESG
RANDG
RANDG
RANDG
RANDG,RESG,Kc
Ki
Ki
Kc
Kc
Kc
Figure 7.2: GSM Authentication, Key Agreement, and Security-Mechanism Negotiation
the encryption was not disabled. In particular, it is unclear what happens if the new BTSdoes not support the A5 algorithm used between the source BTS and MD10
10Most networks can be expected to support the same algorithms on every BTS throughout the network,such that the same algorithm can be used before and after handover. However, e.g. due to a sequentialupgrade of BTSs, this is not necessarily the case.
Nego:a:onandpolicies
Nego:a:onMDsendsitssecurity(encryp:oncapabili:es)
FNdropsconnec:onifMDdoesnotenforcemandatoryalgorithms
FNchoosesoneoftheencryp:onalgorithmsandacknowledgesitschoicetoMD
EvenA5/0orA5/2 HNhasnoninfluence MDcannotenforcetheuseofA5/1orA5/3
09/05/16 GMSandUMTSsecurity 10
Anonimity
Inordertoprotectanonymity,IMSIissentintheclearovertheaiinterfaceasrarelyaspossible
Uponfirstconnec:onFNassociatesaTIMSItoMD Uponnextconnec:on,MDpresentsitsTIMSItotheFN IfFNisnotabletoresolvetheTIMSI,itrequestsMDitsIMSIandanewTIMSIisallocated
09/05/16 GMSandUMTSsecurity 11
Intra-providerroaming
Inter-providerroamingalwayscausesroamingauthen:ca:on
ThisisnotthecaseifMDisinidle-modeandmoveswithinthesamenetwork
KcismovedtothenextBTSorMSC,asneeded Ifencryp:onbetweenMDandBTSwasdisabled,itisnotre-enabledaaerroamingtothenextBTS
StandardsaynothingifthenextBTSdoesnotsupporttheA5algchosenbythepreviousone
09/05/16 GMSandUMTSsecurity 12
Impersona:onaback
One-dideMiMAnabackerimpersonatesafakebasesta:ontoMD TheabackermakesMDtoconnecttothefakebasesta:on TheabackerrequestsMDtoturnencryp:onoff Theabackercaneavesdroponallmobiletraffic UnlesstheabackercannotimpersonateMDtoarealnetworkaswell,MDwillbeunreachableforincomingtraffic
TheabackerneedKc!
09/05/16 GMSandUMTSsecurity 13
Impersona:onaback
Two-sidedMiMAnabackercanimpersonateaMDduringauthen:ca:onbysimplyforwardingtheauthen:ca:ontraffic Itsnoteasyfortheadversarytoturnencryp:onoffbecauseofmandatoryalgorithms
Theabackersucceedsif(s)heknowsthatanetworkalwaysusesA5/0 ActuallytheabackercanmakeMDtoconnecttoanetworkthatdisablesencyp:on
09/05/16 GMSandUMTSsecurity 14
UMTS GSM and UMTS security
09/05/16 GMS and UMTS security 15
Systemmodel
09/05/16 GMS and UMTS security 16
7.3 UMTS Inter-Provider Roaming 189
7.3 UMTS Inter-Provider Roaming
7.3.1 System Model
In a UMTS network, MD is connected to a visited network via a radio link to a particularbase transceiver station, called NodeB in UMTS. Multiple NodeBs are connected to a RadioNetwork Controller (RNC) and multiple RNCs are controlled by a Mobile Switching Center(MSC). The RNCs, together with the NodeBs that are connected to them, are also referredto as UMTS Terrestrial Radio Access Network (UTRAN). Each MSC has access to a VisitedLocation Register (VLR) that keeps track of the location of all MDs currently connectedto the visited network. The Home Location Register (HLR) in HN keeps track of all MDsthat are pre-registered for HN. As in GSM, all security-related information regarding MD isstored in an AuC. Figure 7.3 illustrates the UMTS system components. Moreover, it showsthe keys and security mechanisms stored by each component. These are explained in detailin the following section.
Mobile Device Currently Serving Network Home Network
UTRAN
f1 f2f3 f4
IMSIf5
f1 f2f3 f4
IMSIf5
f8f9
f8f9
Node B
Node B
Node B
VLR HLR AuC
RNC
RNC
USIM MD
Node B: Base Transceiver StationRNC: Radio Network Controller
HLR: Home Location RegisterMD: Mobile Device
UTRAN: UMTS Terrestrial Radio Access Network
MSC MSC
VLR: Visitor Location RegisterAuC: Authentication Center
f1f5: key generation functionsf8: encryption mechansim
MSC: Mobile Switching Center
f9: integrity protection mechansim
Secret per subscriber key
PSfrag replacements
KU
KU
KU
Figure 7.3: UMTS System Model and Security Mechanism Endpoints
7.3.2 Security Model
As opposed to GSM, the UMTS standard supports not only encryption but also integrityprotection. Moreover, the authentication between MD and a visited network is mutual.The EIPE on the network side does not coincide with the network access point (Node B).Instead, encryption and integrity protection are implemented in the RNC. An introductoryoverview on the UMTS security features can be found in [89]. More detailed information isprovided in [133, 9].
Securitymodel
Mobiledeviceandvisitednetworkmutualauthen:ca:on
Integrity Encryp:onoftheairinterfacebetweenMDandBTS
09/05/16 GMSandUMTSsecurity 17
Registra:on
Eachuser(subscriber)registersforaHomeProvider(Network)
HPassociatestheuserwithIMSIandKu(128bit) IMSI:Interna:onalMobileSubscriberIden:ty
IMSIandKiarestoredonHNsAuCandSIM USIM:UniversalSubscriberIden:tyModule US