gsm security.ppt
TRANSCRIPT
-
8/9/2019 GSM Security.ppt
1/38
GSM Security Overview (Part 2)
Max Stepanov
-
Agenda
  GSM Security Objectives
    Concerns, Goals, Requirements
  GSM Security Mechanisms
  SIM Anatomy
  Algorithms and Attacks
    COMP128
    Partitioning Attack on COMP128
    (J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely)
-
GSM Security Concerns
  Operators
    Bill the right people
    Avoid fraud
    Protect services
  Customers
    Privacy
    Anonymity
  Make a system at least as secure as PSTN
-
GSM Security Goals
  Confidentiality and anonymity on the radio path
  Strong client authentication to protect the operator against billing fraud
  Prevention of operators from compromising each other's security
    Inadvertently
    Competition pressure
-
GSM Security Design Requirements
  The security mechanism
    MUST NOT
      Add significant overhead on call set up
      Increase bandwidth of the channel
      Increase error rate
      Add expensive complexity to the system
    MUST
      Cost effective scheme
  Define security procedures
    Generation and distribution of keys
    Exchange information between operators
    Confidentiality of algorithms
-
GSM Security Features
  Key management is independent of equipment
    Subscribers can change handsets without compromising security
  Subscriber identity protection
    Not easy to identify the user of the system by intercepting user data
  Detection of compromised equipment
    Mechanism to detect whether a mobile device was compromised or not
  Subscriber authentication
    The operator knows for billing purposes who is using the system
  Signaling and user data protection
    Signaling and data channels are protected over the radio path
-
GSM Mobile Station
  Mobile Station
    Mobile Equipment (ME)
      Physical mobile device
      Identifiers
        IMEI - International Mobile Equipment Identity
    Subscriber Identity Module (SIM)
      Smart Card containing keys, identifiers and algorithms
      Identifiers
        Ki - Subscriber Authentication
-
GSM Architecture
[Diagram: Mobile Stations; Base Station Subsystem; Exchange System; Network Management; Subscriber and terminal equipment databases. Components shown: BTS (three), BSC, MSC, VLR, HLR, EIR, AUC, OMC]
-
Subscriber Identity Protection
  TMSI - Temporary Mobile Subscriber Identity
  Goals
    TMSI is used instead of IMSI as a temporary subscriber identifier
    TMSI prevents an eavesdropper from identifying the subscriber
  Usage
    TMSI is assigned when IMSI is transmitted to AuC on the first phone switch on
    Every time a location update (new MSC) occurs, the network assigns a new TMSI
    TMSI is used by the MS to report to the network or during a call initialization
    Network uses TMSI to communicate with MS
    On MS switch off, TMSI is stored on SIM card to be reused next time
  The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI
-
Detection of Compromised Equipment
  International Mobile Equipment Identifier (IMEI)
    Identifier allowing to identify mobiles
    IMEI is independent of SIM
    Used to identify stolen or compromised equipment
  Equipment Identity Register (EIR)
    Black list - stolen or non-type mobiles
    White list - valid mobiles
    Gray list - local tracking mobiles
  Central Equipment Identity Register (CEIR)
    Approved mobile type (type approval authorities)
    Consolidated black list (posted by operators)
-
Authentication
  Authentication Goals
    Subscriber (SIM holder) authentication
    Protection of the network against unauthorized use
    Create a session key
  Authentication Scheme
    Subscriber identification: IMSI or TMSI
    Challenge-Response authentication of the subscriber by the operator
-
Authentication and Encryption Scheme
[Diagram: Mobile Station (with SIM) - Radio Link - GSM Operator. Each side holds Ki and runs A3, A8 and A5. The operator sends the challenge RAND; the SIM returns the signed response (SRES). Authentication: are the SRES values equal? Both sides obtain Kc; A5 takes Kc and Fn, and data mi crosses the radio link as Encrypted Data.]
-
Authentication
  AuC - Authentication Center
    Provides parameters for authentication and encryption functions (RAND, SRES,
-
A3 - MS Authentication Algorithm
  Goal
    Generation of SRES response to MSC's random challenge RAND
[Diagram: RAND (128 bit) and Ki (128 bit) enter A3, which outputs SRES (32 bit)]
-
A8 - Voice Privacy
-
Logical Implementation of A3 and A8
  Both A3 and A8 algorithms are implemented on the SIM
    Operator can decide which algorithm to use
    Algorithms implementation is independent of hardware manufacturers and network operators
-
Logical Implementation of A3 and A8
  COMP128 is used for both A3 and A8 in most GSM networks
    COMP128 is a keyed hash function
[Diagram: RAND (128 bit) and Ki (128 bit) enter COMP128, which gives a 128 bit output: SRES 32 bit and Kc 54 bit]
-
A5 - Encryption Algorithm
  A5 is a stream cipher
    Implemented very efficiently on hardware
    Design was never made public
    Leaked to Ross Anderson and Bruce Schneier
  Variants
    A5/1 - the strong version
    A5/2 - the weak version
    A5/3
      GSM Association Security Group and 3GPP design
      Based on
-
Logical A5 Implementation
[Diagram: at both the Mobile Station and the BTS, A5 takes Kc (64 bit) and Fn (22 bit) and produces 114 bit of keystream. The Mobile Station XORs it with Data (114 bit) to give Ciphertext (114 bit); the BTS XORs the ciphertext with its keystream to recover Data (114 bit).]
  Real A5 output is 228 bit for both directions
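
The exchange on the authentication and A5 slides above, run end to end as an added example (not code from the presentation): the AuC challenges with RAND, SIM and AuC each derive SRES and Kc from Ki, and a 114-bit burst is XORed with per-frame keystream. HMAC-SHA256 and SHAKE-128 are stand-ins for COMP128 and A5, and all function names are assumptions.

```python
import hashlib
import hmac
import os

def a3a8(ki, rand):
    """Stand-in for A3/A8 (HMAC-SHA256, not COMP128), sized as on the slides:
    128-bit Ki and RAND in, 32-bit SRES and 64-bit Kc out."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must be 128 bits each")
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    # As with COMP128, only 54 Kc bits are keyed; the low 10 bits are zero.
    kc = int.from_bytes(out[4:12], "big") >> 10 << 10
    return out[:4], kc.to_bytes(8, "big")

def a5(kc, fn):
    """Stand-in for A5 (SHAKE-128, not the real cipher): Kc and a 22-bit frame
    number give 228 keystream bits, returned as two 114-bit blocks."""
    if not 0 <= fn < 1 << 22:
        raise ValueError("frame number Fn is 22 bits")
    raw = hashlib.shake_128(kc + fn.to_bytes(3, "big")).digest(29)
    bits = int.from_bytes(raw, "big") >> 4          # 232 bits -> 228 bits
    return bits >> 114, bits & ((1 << 114) - 1)

def authenticate(ki_sim, ki_auc):
    """One challenge-response run. Returns (accepted, Kc at the MS, Kc at the
    network, values that crossed the radio link)."""
    rand = os.urandom(16)                    # challenge chosen by the AuC
    sres_ms, kc_ms = a3a8(ki_sim, rand)      # computed inside the SIM
    sres_net, kc_net = a3a8(ki_auc, rand)    # computed by the AuC
    accepted = hmac.compare_digest(sres_ms, sres_net)
    return accepted, kc_ms, kc_net, [rand, sres_ms]

def crypt_burst(kc, fn, data, block):
    """XOR a 114-bit burst with keystream block 0 or 1 of frame fn."""
    if data >> 114:
        raise ValueError("a burst carries 114 bits")
    return data ^ a5(kc, fn)[block]

if __name__ == "__main__":
    ki = bytes(range(16))                    # constructed sample key
    ok, kc_ms, kc_net, air = authenticate(ki, ki)
    ct = crypt_burst(kc_ms, 42, 0x1234, 0)
    print(ok, kc_ms.hex(), hex(crypt_burst(kc_net, 42, ct, 0)))
```

Only RAND and SRES appear in the radio-link list; Ki and Kc stay inside the SIM and the operator network.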
-
A5 Encryption
[Diagram: the GSM architecture (Mobile Stations; Base Station Subsystem; Exchange System; Network Management; Subscriber and terminal equipment databases; components BTS, BSC, MSC, VLR, HLR, EIR, AUC, OMC) with the label "A5 Encryption"]
-
SIM Anatomy
  Subscriber Identification Module (SIM)
    Smart Card - a single chip computer containing OS, File System, Applications
    Protected by PIN
    Owned by operator (i.e. trusted)
    SIM applications can be written with SIM Toolkit
-
Smart Card Anatomy
-
Microprocessor Cards
  Typical specification
    8 bit CPU
    16 K ROM
    256 bytes RAM
    4K EEPROM
    Cost $5-50
  Smart Card Technology
    Based on ISO 7816 defining
      Card size, contact layout, electrical characteristics
      I/O Protocols: byte/block based
      File Structure
-
Algorithm Implementations and Attacks
-
Attack Categories
  SIM Attacks
  Radio-link interception attacks
  Operator network attacks
    GSM does not protect an operator's network
-
Attack History
  1991
    First GSM implementation
  April 1998
    The Smartcard Developer Association (SDA) together with U.C. Berkeley researchers cracked the COMP128 algorithm stored in SIM and succeeded to get
  August 1999
    The weak A5/2 was cracked using a single PC within seconds
  December 1999
    Alex Biryukov, Adi Shamir and David Wagner have published the scheme breaking the strong A5/1 algorithm. Within two minutes of intercepted call the attack time was only 1 second
  May 2002
    The IBM Research group discovered a new way to quickly extract the COMP128 keys using side channels
-
COMP128
-
COMP128
  Pseudo-code of the compression in COMP128 algorithm
    [0..15] = Ki; [16..31] = RAND
    Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]
-
Actual Information Available
[Diagram: Smart Card - Input enters Crypto Processing, which holds the Sensitive Information and produces Output; Side Channels also leave the card]
  Side Channels
    Power Consumption
    Electromagnetic radiation
    Timing
    Errors
    Etc.
  Side Channel Attacks
-
Simple Power DES Analysis
  SPA of DES operation performed by a typical Smart Card
    Above: initial permutation, 16 DES rounds, final permutation
    Below: detailed view of the second and third rounds
-
Partitioning Attack on COMP128
  Attack Goal
    Ki stored on SIM card
-
Partitioning Attack on COMP128
  How to implement 512 element T0 table on 8 bit Smart Card (i.e. index is 0..255)?
    Split 512 element table into two 256 element tables
  It's possible to detect access of different tables via side channels.
    Power Consumption
    Electromagnetic radiation
-
Partitioning Attack on COMP128
  Pseudo-code of the compression in COMP128 algorithm
    [0..15] = Ki; [16..31] = RAND
    Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]
-
Partitioning Attack on COMP128
-
Partitioning Attack on COMP128
  All we need is:
  A) Find R[0] such that
       K[0] + 2R[0] (mod 512) < 256
       K[0] + 2(R[0]+1) (mod 512) >= 256
     (There are only two options)
  B) Find R'[0] such that
       2K[0] + R'[0] (mod 512) < 256
       2K[0] + R'[0] + 1 (mod 512) >= 256
  C) One of K[0] from A) will match B)
  The key byte is always uniquely determined from partitioning information
  Computation of the others bytes of K is similar
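
Steps A) to C) above, worked through on a simulated card as an added example (not code from the slides or from the cited authors), to show why splitting T0 by index range gives away the key byte. The leak model, in which an observer can tell only that two challenges touched different 256-entry halves, and all function names are assumptions; the code also covers the wrap-around at 512, which the slide does not spell out.

```python
def card_lookups(k0):
    """Modelled card holding key byte K[0]: for challenge byte R[0], report
    which 256-entry half of the split T0 each first-round lookup touches."""
    def observe(r0):
        y = (k0 + 2 * r0) % 512          # index of the first lookup
        z = (2 * k0 + r0) % 512          # index of the second lookup
        return y >= 256, z >= 256
    return observe

def boundary(observe, lookup):
    """Largest r such that challenges 0..r all hit the same half as r = 0.
    Only equality of observations is used, never the label of the half."""
    start = observe(0)[lookup]
    for r in range(255):
        if observe(r + 1)[lookup] != start:
            return r
    return 255                           # no change within the byte range

def recover_k0(observe):
    """Key byte consistent with the partition boundaries of both lookups."""
    # A) y starts in the low half and leaves it between r and r + 1,
    #    so K[0] + 2r is 254 or 255: two options.
    r = boundary(observe, 0)
    cand_a = {254 - 2 * r, 255 - 2 * r}
    # B) z changes half where 2K[0] + r' reaches 255 (low to high) or 511
    #    (high to low, the wrap at 512): two options that differ by 128.
    rp = boundary(observe, 1)
    cand_b = {(255 - rp) // 2, (511 - rp) // 2}
    # C) The options in A) differ by 1 and those in B) by 128, so exactly
    #    one value is in both sets.
    (k0,) = cand_a & cand_b
    return k0

if __name__ == "__main__":
    card = card_lookups(0xA7)            # constructed sample key byte
    print(hex(recover_k0(card)))
```

An implementation whose table accesses look the same for every index gives `boundary` nothing to find, which is the property a defender has to establish for the T0 lookup.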
-
Summary
  GSM Security Objectives
    Concerns, Goals, Requirements
  GSM Security Mechanisms
  SIM Anatomy
  Algorithms and Attacks
    COMP128
    Partitioning Attack on COMP128