gsm security.ppt

Upload: eric-traore

Post on 01-Jun-2018


  • 8/9/2019 GSM Security.ppt

    1/38

    GSM Security Overview

    (Part 2)

    Max Stepanov

  • 2/38

    Agenda

    GSM Security Objectives
      Concerns, Goals, Requirements
    GSM Security Mechanisms
    SIM Anatomy
    Algorithms and Attacks
      COMP128
      Partitioning Attack on COMP128 (J. Rao, P. Rohatgi, H. Scherzer, S. Tinguely)

  • 3/38

    GSM Security Concerns

    Operators
      Bills right people
      Avoid fraud
      Protect Services
    Customers
      Privacy
      Anonymity
    Make a system at least as secure as PSTN

  • 4/38

    GSM Security Goals

    Confidentiality and Anonymity on the radio path
    Strong client authentication to protect the operator against billing fraud
    Prevention of operators from compromising each other's security
      Inadvertently
      Competition pressure

  • 5/38

    GSM Security Design Requirements

    The security mechanism
      MUST NOT
        Add significant overhead on call set up
        Increase bandwidth of the channel
        Increase error rate
        Add expensive complexity to the system
      MUST
        Cost effective scheme
    Define security procedures
      Generation and distribution of keys
      Exchange information between operators
      Confidentiality of algorithms

  • 6/38

    GSM Security Features

    Key management is independent of equipment
      Subscribers can change handsets without compromising security
    Subscriber identity protection
      Not easy to identify the user of the system by intercepting user data
    Detection of compromised equipment
      Mechanism to detect whether a mobile device was compromised or not
    Subscriber authentication
      The operator knows for billing purposes who is using the system
    Signaling and user data protection
      Signaling and data channels are protected over the radio path

  • 7/38

    GSM Mobile Station

    Mobile Station
      Mobile Equipment (ME)
        Physical mobile device
        Identifiers
          IMEI - International Mobile Equipment Identity
      Subscriber Identity Module (SIM)
        Smart Card containing keys, identifiers and algorithms
        Identifiers
          Ki - Subscriber Authentication

  • 8/38

    GSM Architecture

    [Figure: GSM architecture. Blocks: Mobile Stations, Base Station Subsystem, Exchange System, Network Management, Subscriber and terminal equipment databases. Labels: BTS, BSC, MSC, VLR, HLR, EIR, AUC, OMC.]

  • 9/38

    Subscriber Identity Protection

    TMSI - Temporary Mobile Subscriber Identity
      Goals
        TMSI is used instead of IMSI as a temporary subscriber identifier
        TMSI prevents an eavesdropper from identifying the subscriber
      Usage
        TMSI is assigned when IMSI is transmitted to AuC on the first phone switch on
        Every time a location update (new MSC) occurs, the network assigns a new TMSI
        TMSI is used by the MS to report to the network or during a call initialization
        Network uses TMSI to communicate with MS
        On MS switch off, TMSI is stored on SIM card to be reused next time
    The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI

  • 10/38

  • 11/38

    Detection of Compromised Equipment

    International Mobile Equipment Identifier (IMEI)
      Identifier that allows mobiles to be identified
      IMEI is independent of SIM
      Used to identify stolen or compromised equipment
    Equipment Identity Register (EIR)
      Black list - stolen or non-type mobiles
      White list - valid mobiles
      Gray list - local tracking mobiles
    Central Equipment Identity Register (CEIR)
      Approved mobile type (type approval authorities)
      Consolidated black list (posted by operators)

  • 12/38

    Authentication

    Authentication Goals
      Subscriber (SIM holder) authentication
      Protection of the network against unauthorized use
      Create a session key
    Authentication Scheme
      Subscriber identification: IMSI or TMSI
      Challenge-Response authentication of the subscriber by the operator

  • 13/38

    Authentication and Encryption Scheme

    [Figure: Mobile Station (with SIM), Radio Link and GSM Operator. Both sides hold Ki and run A3, A8 and A5. Labels: Challenge RAND; Signed response (SRES); Authentication: are SRES values equal?; Kc; Fn; mi, Encrypted Data, mi.]

  • 14/38

    Authentication

    AuC - Authentication Center
      Provides parameters for authentication and encryption functions (RAND, SRES,

  • 15/38

    A3 - MS Authentication Algorithm

    Goal
      Generation of SRES response to MSC's random challenge RAND

    [Figure: A3 takes RAND (128 bit) and Ki (128 bit) and outputs SRES (32 bit).]

  • 16/38

    A8 - Voice Privacy

  • 17/38

    Logical Implementation of A3 and A8

    Both A3 and A8 algorithms are implemented on the SIM
      Operator can decide which algorithm to use
      Algorithms implementation is independent of hardware manufacturers and network operators

  • 18/38

    Logical Implementation of A3 and A8

    COMP128 is used for both A3 and A8 in most GSM networks
      COMP128 is a keyed hash function

    [Figure: COMP128 takes RAND (128 bit) and Ki (128 bit). 128 bit output: SRES 32 bit and Kc 54 bit.]

  • 19/38

    A5 - Encryption Algorithm

    A5 is a stream cipher
      Implemented very efficiently on hardware
      Design was never made public
      Leaked to Ross Anderson and Bruce Schneier
    Variants
      A5/1 - the strong version
      A5/2 - the weak version
      A5/3
        GSM Association Security Group and 3GPP design
        Based on

  • 20/38

    Logical A5 Implementation

    [Figure: on both the Mobile Station and the BTS, A5 takes Kc (64 bit) and Fn (22 bit) and outputs 114 bit. Data (114 bit) XOR A5 output gives Ciphertext (114 bit); XOR with the same A5 output on the other side gives Data (114 bit).]

    Real A5 output is 228 bit for both directions
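
The challenge-response and ciphering flow of slides 12 to 20, as an added example that is not part of the original slides. HMAC-SHA256 and SHAKE-128 are stand-ins for the operator's A3/A8 and for A5 (they are not COMP128 or A5/1), the stand-in returns a full 64-bit Kc, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in keyed hash (HMAC-SHA256, not COMP128): 128-bit Ki and RAND in,
    32-bit SRES and 64-bit Kc out."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

def a5(kc: bytes, fn: int) -> tuple[int, int]:
    """Stand-in keystream generator (SHAKE-128, not A5/1): 64-bit Kc and 22-bit
    frame number Fn in, 228 bits out as two 114-bit blocks, one per direction."""
    if len(kc) != 8 or not 0 <= fn < 1 << 22:
        raise ValueError("Kc must be 64 bits and Fn must fit in 22 bits")
    raw = hashlib.shake_128(kc + fn.to_bytes(3, "big")).digest(29)
    bits = int.from_bytes(raw, "big") >> 4           # 232 bits -> 228 bits
    return bits >> 114, bits & ((1 << 114) - 1)

class Network:
    """AuC and MSC roles combined: holds Ki per IMSI, issues RAND, checks SRES."""
    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = subscribers

    def challenge(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = secrets.token_bytes(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc                        # (RAND, SRES, Kc)

class Sim:
    """SIM role: computes SRES and Kc from its stored Ki."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)

def attach(net: Network, sim: Sim):
    """Run one challenge-response; return (Kc at network, Kc at MS) or None."""
    rand, expected, kc_net = net.challenge(sim.imsi)
    sres, kc_ms = sim.respond(rand)                  # RAND and SRES cross the radio link
    if not hmac.compare_digest(sres, expected):      # "are SRES values equal?"
        return None
    return kc_net, kc_ms

def cipher_burst(kc: bytes, fn: int, burst: int, direction: int) -> int:
    """XOR a 114-bit burst with the keystream block for its direction (0 or 1)."""
    return burst ^ a5(kc, fn)[direction]
```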

  • 21/38

    A5 Encryption

    [Figure: the GSM architecture diagram (Mobile Stations, Base Station Subsystem, Exchange System, Network Management, Subscriber and terminal equipment databases; BTS, BSC, MSC, VLR, HLR, EIR, AUC, OMC) with the label "A5 Encryption".]

  • 22/38

    SIM Anatomy

    Subscriber Identification Module (SIM)
      Smart Card - a single chip computer containing OS, File System, Applications
      Protected by PIN
      Owned by operator (i.e. trusted)
      SIM applications can be written with SIM Toolkit

  • 23/38

    Smart Card Anatomy

  • 24/38

    Microprocessor Cards

    Typical specification
      8 bit CPU
      16 K ROM
      256 bytes RAM
      4K EEPROM
      Cost $5-50
    Smart Card Technology
      Based on ISO 7816 defining
        Card size, contact layout, electrical characteristics
        I/O Protocols: byte/block based
        File Structure

  • 25/38

    Algorithm Implementations and Attacks

  • 26/38

    Attack Categories

    SIM Attacks
    Radio link interception attacks
    Operator network attacks
      GSM does not protect an operator's network

  • 27/38

    Attack History

    1991
      First GSM implementation
    April 1998
      The Smartcard Developer Association (SDA) together with U.C. Berkeley researchers cracked the COMP128 algorithm stored in SIM and succeeded to get
    August 1999
      The weak A5/2 was cracked using a single PC within seconds
    December 1999
      Alex Biryukov, Adi Shamir and David Wagner have published the scheme breaking the strong A5/1 algorithm. Within two minutes of intercepted call the attack time was only 1 second
    May 2002
      The IBM Research group discovered a new way to quickly extract the COMP128 keys using side channels

  • 28/38

    COMP128

  • 29/38

    COMP128

    Pseudo-code of the compression in COMP128 algorithm
      X[0..15] = Ki; X[16..31] = RAND;
      Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]

  • 30/38

  • 31/38

    Actual Information Available

    Side Channels
      Power Consumption
      Electromagnetic radiation
      Timing
      Errors
      Etc.

    [Figure: Side Channel Attacks. A Smart Card takes Input, performs Crypto Processing on Sensitive Information and produces Output.]

  • 32/38

    Simple Power DES Analysis

    SPA of DES operation performed by a typical Smart Card
      Above: initial permutation, 16 DES rounds, final permutation
      Below: detailed view of the second and third rounds

  • 33/38

    Partitioning Attack on COMP128

    Attack Goal
      Ki stored on SIM card

  • 34/38

    Partitioning Attack on COMP128

    How to implement 512 element T0 table on 8 bit Smart Card (i.e. index is 0..255)?
      Split 512 element table into two 256 element tables
    It's possible to detect access of different tables via side channels.
      Power Consumption
      Electromagnetic radiation

  • 35/38

    Partitioning Attack on COMP128

    Pseudo-code of the compression in COMP128 algorithm
      X[0..15] = Ki; X[16..31] = RAND;
      Lookup tables: T0[512], T1[256], T2[128], T3[64], T4[32]

  • 36/38

    Partitioning Attack on COMP128

  • 37/38

    Partitioning Attack on COMP128

    All we need is:
      A) Find R[0] such that
           K[0] + 2R[0] (mod 512) < 256
           K[0] + 2(R[0]+1) (mod 512) >= 256
         (There are only two options)
      B) Find R'[0] such that
           2K[0] + R'[0] (mod 512) < 256
           2K[0] + R'[0] + 1 (mod 512) >= 256
      C) One of K[0] from A) will match B)

    The key byte is always uniquely determined from partitioning information

    Computation of the other bytes of K is similar
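
An added check of the slide's claim that the key byte is always uniquely determined, not code from the original slides or from the cited authors. `half_accessed` is a constructed leak model that reports which 256-entry half of the split T0 each lookup reads, using the two index expressions from steps A and B; all function names are assumptions. Step B is generalized to compare the whole observed pattern, which also covers key bytes for which no lower-to-upper crossing exists within the byte range.

```python
def half_accessed(k0: int, r0: int) -> tuple[int, int]:
    """Constructed leak model: for the two lookups that mix K[0] and R[0],
    report which 256-entry half of the split T0 is read (0 lower, 1 upper)."""
    y = (k0 + 2 * r0) % 512          # index expression from step A
    z = (2 * k0 + r0) % 512          # index expression from step B
    return y >> 8, z >> 8

def step_a(observe) -> list[int]:
    """Find R[0] where the y lookup moves from the lower to the upper half.
    Then K[0] + 2R[0] is 254 or 255, which leaves two candidates for K[0]."""
    for r in range(255):
        if observe(r)[0] == 0 and observe(r + 1)[0] == 1:
            return [254 - 2 * r, 255 - 2 * r]
    return []

def step_b_c(observe, candidates: list[int]) -> list[int]:
    """Keep the candidates whose predicted z pattern over every R[0] matches
    the observed one (the slide's crossing test is the case 2K[0] < 256)."""
    seen = [observe(r)[1] for r in range(256)]
    return [k for k in candidates
            if [((2 * k + r) % 512) >> 8 for r in range(256)] == seen]

def recover_k0(observe) -> list[int]:
    """Steps A, B and C together: the key bytes consistent with the leak."""
    return step_b_c(observe, step_a(observe))

def uniquely_determined() -> bool:
    """Check the slide's claim for every possible value of the key byte."""
    return all(recover_k0(lambda r, k=k: half_accessed(k, r)) == [k]
               for k in range(256))
```

In this model the only information used is one bit per lookup, so an implementation whose table accesses do not depend on the index half gives `step_a` nothing to find.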

  • 38/38

    Summary

    GSM Security Objectives
      Concerns, Goals, Requirements
    GSM Security Mechanisms
    SIM Anatomy
    Algorithms and Attacks
      COMP128
      Partitioning Attack on COMP128