CELLULAR TELEPHONE NETWORK SECURITY

Ari Vesanen,ari.vesanen@oulu.fi

Department of Information Processing Sciences,University of Oulu

Contents

1. Introduction to GSM2. GSM network structure and properties3. GSM network security model4. GSM network security threats5. GPRS vs. GSM Security6. UMTS vs. GSM Security

Introduction to GSM

• GSM world’s most widely used cellular phone system – About 1000 million users – First digital cellular phone standard– 1982 GSM (Groupe Special Mobile) –

committee to create standard – 1989 ETSI (European Telecommunications

Standards Institute) responsible for development

– 1990 first specifications frozen

• GSM specifications developed secretly – No public evaluation according to scientific

procedure – Kerckhoff’s principle violated: Algorithm

strength should depend on secrecy of key and not on the secrecy of the algorithm itself

– GSM specifications and encryption algorithms have leaked and been subject to criticism

GSM Network Structure Mobile station MS SIM PHONE

BTS BTS

BSC BSC

HLR

AuC EIR

VLR

Base Station subsystem BSS

Network Switching Subsystem NSS

MSC

PLMN, PSTN, ...

Abis

Um

A

• Mobile Station = phone + SIM– SIM = Subscriber Identity Module – User identity IMSI (International Mobile

Subscriber Identity) on SIM– MSISDN (Mobile Subscriber International

Integrated Services Digital Network) –number = Phone number on SIM

– Phone identity IMEI (International Mobile Equipment Identity) in phone• Got from phone: type *#06#

• BSS components: Base Transceiver Station (BTS) and Base Station Controller (BSC) – BTS controls radio communication with

phone, encrypts calls and does decryption – BSC can control several BTS’s, tasks

• Initialization of radio channel • Frequency hopping • Handover (transferring user between

cells) • Traffic between BSS and MSC

• NSS = MSC + SMSC + Registers (+ OSS)

• Mobile Services Switching Centre (MSC)– Main component of NSS– Works as link to wired network – Services for registering and authenticating

mobile user– Services related to mobility

• Short Message Service Centre (SMSC)– Transmission of short messages– Needs routing information -> works in co-

operation with HLR

• HLR (Home Location Register)– Information on subscribers registered in this

GSM network– Current location of users (location network’s

VLR address)– One network can contain only one HLR

• VLR (Visitor Location Register)– Relevant information on all active users in

GSM network

• AuC (Authentication Center)– User secret key information by IMSI

• EIR (Equipment Identity Register)– Valid equipments by their IMEI code

GSM Network Radio Interface

• Band control: combined TDMA/FDMA– FDMA divides band into 200 kHz wide

channels • GSM 900 – 124 channels• GSM 1800 – 374 channels• Channels grouped and distributed to

operators– Carrier frequency into time frames

according to TDMA model – TDMA frame = eight time intervals (slots)

• Message in one slot = burst– Logical channel = one slot in one frame

• Frequency hopping– 216,7 hops/second– After each burst frequency changed

according to predefined pattern– Spreads disturbances– Makes eavesdropping more difficult

• TDMA/FDMA model technically challenging

Establishing Call

• Updating location– Uses MSC, HLR and VLR– When MS moves to new location area or to

new operator area -> must register for update

– Location update message to new MSC/VLR –pair that registers new information and sends it to subscribers HLR. HLR sends the previous VLR information that subscriber left its area

Phone’s home MSC

Phone’s location MSC

Incoming call HLR

VLR

BTS

BSC

MSCall Routing

1

6

2

3

4

5

GSM Network Security Model

• Identification of subscriber – IMSI– IMSI consists of three components: 1. Mobile Country Code (MCC) 2. Mobile Network Code (MNC)3. Mobile Subscriber Identity Number (MSIN) – TMSI temporary identifier, used instead of

IMSI in communication• Changed when location changed• Makes IMSI capturing and subscriber

communication monitoring more difficult

• Authentication– Actors: SIM card and (home network’s)

Authentication Center (AuC)– Authenticates user to network (not vice

versa) – Based on secret 128 –bit key Ki (resides

only on SIM and in AuC)– Authentication always in home network!

• Authentication algorithm may be changed, yet works in visited networks

• Authentication method challenge-response– Algorithm A3

MSC

HLR

AuCMS

1. Register to network

6. CheckSRES

4. RAND

5. SRES

2. Request authenticationtriplet

3. Authenticationtriplet(RAND,SRES,Kc)

Authentication in GSM Network

SRES = A3(RAND,Ki)

Kc = Air interface encryption key

• Air interface encryption – Encryption algorithm A5 must reside in

phone, for all network operators common algorithm

– Key generated using algorithm A8 – on SIM, hence may be operator specific

– Uses (64 –bit) session key Kc = A8(RAND, Ki) and (22 –bit) TDMA frame number

– A5 stream cipher, re-synchronized for each frame

– Kc rarely updated (in connection with authentication)

– Only air interface encrypted in GSM network, no encryption in operator network• Relied on physical security

MS (A) BTS (B)

Air Interface Encryption in GSM Network

A5 A5

Kc (64 bit)Frame no

(22 bit)

Kc (64 bit)

CIPHER A->BXOR

XOR

PLAIN A->B

CIPHER B->APLAIN B->A XOR

XOR

PLAIN B->A

PLAIN A->B

Frame no (22 bit)

114 bit

114 bit

114 bit

114 bit

Algorithms

• SAGE –group under ETSI designed algorithms– Composition secret

• A3, Device authentication algorithm– Takes as parameters 128 –bit key Ki and

random number RAND, computes 32 –bit fingerprint, SRES.

– Almost without exception: COMP128 –algorithm used both as A3 and A8

– COMP128 proposed in GSM specification

• A8 air interface encryption key generation algorithm – Mostly COMP128– Takes as parameters 128 –bit key Ki and

random number RAND, computes 64 –bit session key Kc

– Kc used until MSC decides to re-authenticate device

• Both A3 and A8 on SIM card – Operator can decide algorithms – Authentication done in subscriber’s home

network -> local network does not have to know algorithms, yet authentication works also when user roams

• COMP128 not public, found out using SIM cards and leaked specifications– http://www.iol.ie/~kooltek/a3a8.txt (Marc

Briceno, Ian Goldberg and David Wagner) implementation

– Published in April 1998– Produces both SRES and Kc in one run

• Upper 32 bits SRES• Lowest 54 bits + 10 zeros Kc ->

effectively Kc is 54 –bit!

A5 – Air Interface Encryption Algorithm

• Stream cipher algorithm• ”Original” European algorithm A5

leaked in general already in 1994, details in May 1999 (Briceno from GSM phone)

• Initialized each sent frame– Key Kc used during call, but 22-bit frame

number changed

• European A5– Three feedback shift registers (LFSR =

Linear Feedback Shift Register) of different lengths

– Register lengths 19, 22 and 23 bits– Register values XORed and obtained bit

XORed with plaintext bit– Registers initialized using session key Kc

and frame number – After initialization 228 bits pseudo random

bit stream formed: 114 first bits to encrypt frame from device to base station, rest 114 bits from base station to device

– Cf. http://cryptome.org/a51-bsw.htm

| | | | | | | | | | | | | | | | | |

| | | | | | | | | | | | | | | | | | | | |

| | | | | | | | | | | | | | | | | | | | | |

XOR

XOR

XOR

XOR

R1 (19)

R2 (22)

R3 (23)

A5 - cipher

18 13 C1

C221

22 C3 7

Rotation: Majority of C1,C2 and C3

0

0

0

• Algorithm in many forms, original A5/1– Stronger than other A5/x ’s– A5/0 = No encryption – A5/2 decidedly weakened form (used e.g. in

USA)• Published and analyzed in August 1999

(very weak)– Other A5/x ’s not become public (if any)

GSM Network Security Defects

• Network not authenticated– Faking base station principally possible

• Algorithm weaknesses– Both A5 and COMP128 defective

• Data integrity not checked– Makes alteration of data possible

• Authentication data transmitted in clear both inside and between networks– Contains also air interface encryption key

• Lack of visibility– User can not know whether encryption used

or not– No confirmation to home network, whether

serving network uses correctly authentication parameters when user roams

Threats • Attacks against A5

– A5 –implementation (Mike Roe): http://www.hackcanada.com/blackcrawl/cell/gsm/gsm_security.html

– Breaking air interface encryption -> call eavesdropping

– Many methods proposed for breaking A5:– Almost practical attack by Golic: ” Cryptanalysis of Alleged A5 Stream Cipher”

cf. http://downloads.securityfocus.com/library/a5-hack.html• Birthday attack type time/memory -

optimization

– Attack applicable in real time:– Biryukov, Shamir and Wagner (cf.

http://cryptome.org/a51-bsw.htm): Real time break algorithm on PC against the strong algorithm A5/1

– Basic assumption: Attacker knows or guesses part of bit stream produced by cipher

– Basic idea: Great number of pre-computed states stored (possible, since feedback registers can only be in 264 different states)• Idea by Golic

– Key can be deduced from initial state of each frame

– A5/1 can be effectively implemented on PC (each register small enough to store their states in computer’s memory as three cyclic arrays)

– A5/1 can be run backwards effectively– However, backward computation not

entirely deterministic: one state can be arrived at from several states

– Suitable 16-bit number alpha in advance chosen and only frames that include alpha considered

– The number of register states producing alpha is about 248

– States computed in advance and stored on disk -> attack demands large amount of space

– Three different attacks (all require at least two 73GB hard drives)

– Estimate: First type attack (”biased birthday attack” –two versions), needs about 2 minutes of call data • Alpha appears sufficiently many times

(ca. 71) in data– Direct collision with disk data and cipher data

• Encryption broken in one second – Third type attack (”random subgraph

attack”): call data 2 seconds• Performing attack takes minutes

– No crypto attack carried out in practice (presumably)

• SIM card cloning (by physical contact) – Subscriber’s secret key on SIM and security

depends on this key -> if attacker obtains SIM security can be broken

– An identical copy of SIM can be made• If card noticed missing, it can quickly be

shut out of services • If copy and original simultaneously used,

network notices and invalidates both• In principal cloned card can be used such

that subscriber is billed

– Revealing key Ki from SIM• Based on weakness of COMP128• Inventors: SDA (Smartcard Developer

Association) and ISAAC (Internet Security, Applications, Authentication and Cryptography)

– Cf. http://www.isaac.cs.berkeley.edu/isaac/gsm-faq.html

• Flaw in algorithm -> information on Ki obtained by giving suitable random number inputs RAND as an argument to A8

– Input RAND slightly changed and observed when identical answer obtained

– 217.5 inputs enough to deduce Ki

• Test attack: SIM in card reader attached to PC; PC generated 150 000 challenges, using which SIM computed SRES –response and session key Kc -> based on information Ki computed. Took ca. 8 hours

– April 1998

• Used attack technique standard -like– Cf. e.g. Serge Vaudenay ”FFT-Hash-II is not

yet Collision-Free” http://lasecwww.epfl.ch/pub/lasec/doc/liens-92-17.A4.ps

• SIM cloning over-the-air– ISAAC: According to experts possible in

practice (faking base station)• Cf.

http://www.isaac.cs.berkeley.edu/isaac/ gsm.html

– Type 1: Attacker builds fake base station, covering subscriber’s valid BTS -> Subscriber’s SIM may be bombed with self-generated authentication requests

• Estimate: Attack duration 8 – 13 hours, victim device has to be in operating area of fake base station (not necessarily continuously)

• Subscriber can not detect attack– Enhanced version of COMP128 exists

(COMP128-2) • Some operators use• Not (known to be) broken

– Type 2: Attack from legal network • Client outside home network (e.g.

abroad) • Attacker inside location network

• Building fake (rogue) base station– Cost estimate 10 000 euros– Can capture IMSI– Gathered information might be used in

networks with more loose authentication– Counter: Temporary identifier TMSI,

changed when subscriber location updated• TMSI not entirely prevents IMSI capture

since IMSI has to be sent once– Also other attacks (e.g. mentioned SIM –

cloning)

• Cell change in GSM network1. Phone sends audibility reports to BTS2. BTS adds own information and sends to

BSC3. BSC cell change request to MSC (if

necessary)4. MSC resource allocation request to new

BSC, that waits for MS to arrive5. New BSC send acknowledgement to MSC

that sends cell change command to old BSC, this forwards it to MS

6. MS breaks connection to old base station and continues with new one

How to hook up a phone to my fake base station?

• Item 5: Cell change command from the network -> Attacker may simulate command and force the phone to change– No authentication for base stations ->

Device can not know communicating with a rogue base station

GPRS vs. GSM Security

• GPRS transition phase to 3G, supports packet switched traffic– Voice (circuit switched traffic) as in GSM– GPRS data uses multiple slots

• Air interface encryption (differences with GSM)– New A5 –algorithm GEA

• Yet secret – GPRS traffic encryption extends further

(base stations cannot cope with traffic using several slots)

• Authentication (differences with GSM)– Separate authentication for circuit switched

and packet switched traffic

• Packet switched backbone has own security features– Not considered here

• UMTS design applies open standardization

• Specs: 3GPP ( 3rd Generation Partnership Project) – WWW –site http://www.3gpp.org, contains

specifications etc.– Cf. TTAE.3G-33.102 ”3G Security; Security

Architecture” – UMTS network constructed on (and parallel

to) existing GSM networks -> Security model constructed on GSM security model

UMTS vs. GSM Security

• Authentication method as in GSM– Based on a secret key K, residing only on

USIM and in home network AuC

• Comparison: in GSM network authentication vectors triplets (RAND, SRES ,Kc) in UMTS network quintets (RAND, XRES, CK, IK, AUTN)– IK integrity key for data integrity– AUTN authentication token for network

authentication

• Improvements to GSM security – Encryption algorithms use longer keys– Network also authenticated – Signaling data authenticated and integrity

checked

• UMTS GSM –compatible– GSM users have GSM context – GSM users have practically GSM security in

UMTS network