mobile telephony - radboud universiteit
TRANSCRIPT
Advanced Network Security
Mobile telephony
Joeri de Ruiter
2
Agenda
● Introducton● 2G / 3G / 4G
● Security– Authentcaton– Cryptography
● Eavesdropping● Privacy
● Tracking● A solutonn PPMSI
3
Telephony security
Sourcen htpn//sites.psu.edu/thedeepweb/2015/09/17/captain-crunch-and-his-toy-whistle/
4
Introducton
● Standards by ETSI and 3GPP● 2Gn GSPM (Global System for PMobile Communicaton)● 2.5Gn GPRS (General Packet Radio Service)● 3Gn UPMTS (Universal PMobile Telecommunicatons System)● 4Gn LTE (Long Term Evoluton)● 5G● About 8.5 billion connectons and 5 billion subscribers
5
2G (GSPM)
● 1G was analogue without any encrypton in place● 2G deployed in 1990s● 2G is digital and provides authentcaton and encrypton● Stll relevant for ICS/SCADA systems (e.g. ERTPMS)
6
GSPM-R
● Part of ERTPMS (European Rail Trafc PManagement System)● Used for communicaton between personnel as well as trains and track-side
equipment● Used, for example, to grant trains permission to drive on parts of the tracks
and to provide speed limits
7
Identiers
IPMEI (Internatonal PMobile Subscriber Identty)
IPMSI (Internatonal PMobile Subscriber Identty)● Home country● Home network● User
8
2G - Architecture
SIPM(Subscriber Identty PModule)
PME (PMobile Equipment)
MS (Mobile Staton)
Access Network
BTS(Base Transceiver Staton)
BTS(Base Transceiver Staton)
BSC(Base Staton Controller)
PMSC(PMobile Switching Center)
AuC(Authentcaton Center)
VLR(Visitor Locaton Register)
HLR(Home Locaton Register)
Gateways
PSTN and Internet
Core Network
9
2G - Architecture
● Visitor Locaton Register (VLR) keeps track of phones present in its area● PMapping between IPMSI and TPMSI
● Home Locaton Register (HLR) stores permanent informaton about subscribers
● Authentcaton Center (AuC) stores long-term shared secrets with SIPMs
10
2G - Authentcaton
● Authentcaton and Key Agreement (AKA)● Shared symmetric key K between SIPM and home network● Two algorithms, A3 and A8
● Can be determined by the provider
11
2G - Authentcaton
Identty request
Identty response, IMSIIMSI
RAND, XRES, CK
Retrieve K for IPMSIRAND ← {0,1}128
XRES ← A3(K, RAND)CK ← A8(K, RAND)
Authenticton request, RAND
Authenticton response, SRES
SRES ← A3(K, RAND)CK ← A8(K, RAND)
Verify XRES = SRES
Dctc enirypted with CK
12
Roaming
● Phone can use a network diferent than its providers network● Visited Network (VN) or Serving Network● Home Network (HN)
● Visitng Network requests authentcaton informaton from Home Network● Authentcaton informaton provided by Home Network● Visited Network performs authentcaton● Visited Network reports presence of phone
● Home Network informs previous network that phone lef● Home Network keeps track of the current locaton of its subscribers
● Necessary for, e.g., incoming calls
13
2G - Encrypton algorithms
● A5/0● No encrypton
● A5/1● Proprietary stream cipher
● A5/2● Weaker cipher for export
● A5/3● KASUPMI, a block cipher based on PMISTY
– Used with 64 bit keys
14
3G (UPMTS)
● 3G (UPMTS) introduced in 2001● Algorithms used for encrypton and PMACs
● KASUPMI (128 bit key)● SNOW 3G, stream cipher by Lund University
● PMutual authentcaton
15
3G - Architecture
USIPM(Universal Subscriber Identty PModule)
PME (PMobile Equipment)
MS (Mobile Staton)
Access Network
Node B
Node B
RNC(Radio Network Controller)
PMSC(PMobile Switching Center)
AuC(Authentcaton Center)
VLR(Visitor Locaton Register)
HLR(Home Locaton Register)
Gateways
PSTN and Internet
Core Network
16
3G - AuthentcatonIdentty request
Identty response, IMSIIMSI
RAND, AUTN, XRES, CK, IK
Retrieve K and SQN for IPMSIRAND ← {0,1}128
PMAC ← f1(K,SQN,APMF,RAND)XRES ← f2(K,RAND)CK ← f3(K,RAND)IK ← f4(K,RAND)AK ← f5(K,RAND)AUTN ← (SQN XOR AK,APMF,PMAC)Update SQN ← SQN + 1
Authenticton request, RAND, AUTN
Authenticton response, SRES
AK ← f5(K,RAND)XSQN ← (SQN XOR AK) XOR AKXPMAC ← f1(K,XSQN,APMF,RAND)Verify XPMAC = PMACVerify SQN <= XSQN <= SQN + rangeUpdate SQN ← XSQNSRES ← f2(K,RAND)CK ← f3(K,RAND)IK ← f4(K,RAND)
Verify XRES = SRES
Dctc enirypted with CKcnd cuthenticted with IK
17
3G - Authentcaton
● Functons f1 to f5 not standardised● Only used by SIPM card and provider’s authentcaton server
● Recommendaton for f1 to f5 is to use Rijndael
18
4G (LTE)
● 4G (LTE) introduced in 2010● Almost 90% coverage reported by Open Signal in February 2018
● Algorithms used for encrypton and PMACs● SNOW 3G● AES
● Cell towers are assumed to be smarter● Separaton between signal and data channel
● Signal channel encrypted between phone and core network● Data channel encrypted between phone and cell tower● Possible to perform handover directly between cell towers
19
4G - Authentcaton
● Authentcaton protocol the same as 3G● PMore elaborate key hierarchy
● Reduce tmes necessary to execute (slow) AKA protocol● Cell towers get their own keys● PMechanisms to protect against compromise of cell towers
20
Cell tower
4G – Key hierarchy
K
CK, IKAKA
KASPMEID of Visitng Network
KeNB
Signal data keys
User data keys
Home network
Visitnn network
21
4G - Handover
● Handover between cell towers can be done without interference of backend● Key update mechanisms to provide forward and backward security
● Only involving cell towers provides backward security● Involving backend also provides forward security
● SIPM and backend generate the Next-hop parameter (NH)● Based on a shared secret and counter
22
4G – Key derivaton
KeNBKASPME
NH
KeNB
NH
KeNB KeNB
Cell info Cell info
KeNB KeNB KeNB
Cell info Cell info Cell info
KeNB KeNB KeNB
Cell info Cell info Cell info
NCC = 1
NCC = 2
23
Authentcaton comparison
Sourcen PMobile communicaton security, Fabian van den Broek, 2016
24
Eavesdropping
● Diferent approaches● Passive● Actve (i.e. with a man-in-the-middle)
● Works mainly well with 2G● Only authentcaton of the phone● Weak or no encrypton supported
● Ofen fallback to 2G is possible
25
Run your own network
● Possible using a Sofware Deined Radio (SDR) and open source sofware (e.g. OpenBTS)
● Pretend to be your victms network and get them to connect to you● E.g. by jamming or providing a stronger signal
26
PMan-in-the-middle (2G)
Identty request
Identty response, IMSI
Authenticton request, RAND
Authenticton response, SRES
SRES ← A3(K, RAND)CK ← A8(K, RAND)
Unenirypted dctc VoIP
● Use A5/0 (no encrypton)● Forward calls via VoIP
● No incoming calls
27
PMan-in-the-middle (2G)
Identty request
Identty response, IMSI
Authenticton request, RAND
Authenticton response, SRES
SRES ← A3(K, RAND)CK ← A8(K, RAND)
Dummy dctc (A5/2)
Retrieve key CK
Authenticton response, SRES
Dctc (A5/3)Dctc (A5/2)
Identty request
Identty response, IMSI
Authenticton request, RAND
Instant Ciphertext-Only Cryptanalysis of GSPM Encrypted Communicaton, Barkan et al., 2010
28
Eavesdropping
● Complete solutons available for governmental organisatons
29
Interceptng signals
● Again using Sofware Deined Radios (SDR) and open source sofware (e.g. AirProbe)
30
Interceptng signals
● Problemn channel hopping● Solutonn multple or more powerful radios
31
Cracking A5/1
● Weak algorithm● First atack publicly described by Anderson in 1994● PMany more research since then
● A5/1 is a stream cipher, so if you have known plaintext you have part of the keystream
32
Cracking A5/1
● Rainbow tables available to quickly retrieve used key● Known as Berlin tables● Released in 2010● Around 2TB● Probabilistc● Limited amount of known plaintext necessary
● Shortly aferwards the tool Kraken was released that could use these tables to crack GSPM trafc
33
Cracking A5/2
● A5/2 was purposefully weak for export● Can be cracked in seconds
● Barkan et al., 2010● No longer allowed in new phones since 2007
34
Cracking A5/3
● Atack published Dunkelman et al. in 2010● Theoretcal atack that might not be practcal● KASUPMI weaker than PMISTY on which it is based
35
SS7
● Signaling System 7● Used in the core network and to communicate between providers
● For example, used to exchange authentcaton requests, send locaton updates and deliver SPMS messages
● From an era where providers trusted each other...● Originally when sending an SPMS
● Ask Home Network current network of phone (i.e. country and provider)● Send SPMS directly to the phone’s current network
● Fixed when using Home Routng● Home Network delivers the SPMS
● PMight enable interceptng for 3G
36
37
Privacy
● IPMSI catchers (a.k.a. StngRay) can be used to● Track users● PMonitor locatons● Link identtes to devices
● Can pretend to be a base staton to get to phones to connect and learn the IPMSI
Sourcen U.S. Patent and Trademark Ofce / AP Photo
38
Privacy
● IPMSI is always provided upon request● No protecton provided by mutual authentcaton
● TPMSI introduced to provide some anonymity● Temporary PMobile Subscriber Identty● Can be used instead of IPMSI● Provided by the visited network to the phone under encrypton● Should only be used for one locaton
● Can we stll trace users?
39
Allocaton of TPMSI
Eni(CK, TMSI Reclloicton, newTMSI)
Eni(CK, TMSI Reclloicton iompleted)
Discard oldTPMSIStart using newTPMSI
Discard oldTPMSIStart using newTPMSI
40
TPMSI reallocaton atack
Eni(CK, TMSI Reclloicton, newTMSI)
Eni(CK, TMSI Reclloicton iompleted)
Discard oldTPMSIStart using newTPMSI
Discard oldTPMSIStart using newTPMSI
Record TPMSI Reallocatoncommand
Eni(CK, TMSI Reclloicton, newTMSI)
Replay TPMSI Reallocatoncommand
Eni(CK, TMSI Reclloicton iompleted)
New session with same keys
41
TPMSI reallocaton atack
● Atack presented by Arapinis et al.● Atacker records an encrypted TPMSI allocaton command● Replay the recorded command later to distnguish victm’s phone from others
● As long as the same keys (CK and, optonally, IK) are used● Only victm’s phone will respond to the encrypted command
● Other phones will ignore it as decrypton fails● PMainly a theoretcal atack
42
3G linkability atack
● Atack presented by Arapinis et al.● Atack on 3G’s AKA protocol● Uses the fact that diferent error messages are used for
● PMAC failure● Invalid sequence number
43
3G linkability atack
Identty request
Identty response, IMSI
Authenticton request, RAND, AUTN
Authenticton response, SRES
Record RAND, AUTN
Authenticton request, RAND, AUTN
Error, Syni_Fcil
Error, MAC_Fcil
orSame phone
Diferent phone
44
Defeatng IPMSI catchers
● TPMSI does not provide enough protecton● IPMSI can be requested without authentcaton or encrypton● Visited network always learns the IPMSI● IPMSI is needed to determine the provider and retrieve the shared key
● How can we protect against the intercepton of IPMSIs?● Introduce a new identiern a temporary pseudonym PPMSI
– Provided by the home network● Works with minimal modiicaton to the current standards
– IPMSI catching stll possible, but less interestng● Additonal beneitn mutual authentcaton for 2G● Considered for inclusion in one of the 5G proposals
45
Defeatng IPMSI catchers
● PPMSI is shared between the SIPM and provider● Same structure as IPMSI
● First part identies the country and provider● Last part identies the user
● PPMSI is used instead of IPMSI and is regularly updated● How do we get the PPMSI to the SIPM?
● Hijack the RAND variable
46
3G / 4G - AuthentcatonIdentty request
Identty response, IMSIIMSI
RAND, AUTN, XRES, CK, IK
Retrieve K and SQN for IPMSIRAND ← {0,1}128
PMAC ← f1(K,SQN,APMF,RAND)XRES ← f2(K,RAND)CK ← f3(K,RAND)IK ← f4(K,RAND)AK ← f5(K,RAND)AUTN ← (SQN XOR AK,APMF,PMAC)Update SQN ← SQN + 1
Authenticton request, RAND, AUTN
Authenticton response, SRES
AK ← f5(K,RAND)XSQN ← (SQN XOR AK) XOR AKXPMAC ← f1(K,XSQN,APMF,RAND)Verify XPMAC = PMACVerify SQN <= XSQN <= SQN + rangeUpdate SQN ← XSQNSRES ← f2(K,RAND)CK ← f3(K,RAND)IK ← f4(K,RAND)
Verify XRES = SRES
Dctc enirypted with CKAnd cuthenticted with IK
47
3G / 4G - PPMSI (simpliied)Identty request
Identty response, PMSIPMSI
RAND, AUTN, XRES, CK, IK
Retrieve K, KP and SQN for PMSIPMSI’ ← {0,9}10
RAND ← F(KP,PMSI’,SQN)...
Authenticton request, RAND, AUTN
Authenticton response, SRES
…PMSI’, SQN’ ← F-1(KP,RAND)Verify SQN’ = XSQNUpdate PMSI ← PMSI’
Verify XRES = SRES
Dctc enirypted with CKAnd cuthenticted with IK
48
2G - Authentcaton
Identty request
Identty response, IMSIIMSI
RAND, XRES, CK
Retrieve K for IPMSIRAND ← {0,1}128
XRES ← A3(K, RAND)CK ← A8(K, RAND)
Authenticton request, RAND
Authenticton response, SRES
SRES ← A3(K, RAND)CK ← A8(K, RAND)
Verify XRES = SRES
Dctc enirypted with CK
49
2G – PPMSI (simpliied)
Identty requestIdentty response, PMSI PMSI
RAND, XRES, CK
Retrieve K. KP, SQN for PMSIPMSI’ ← {0,9}10
M ← MAC(KP,PMSI’, SQN)RAND ← F(KP,PMSI’,SQN,M)Update SQN ← SQN + 1...
Authenticton request, RAND
Authenticton response, SRES
PMSI’, SQN’, M’ ← F-1(KP,RAND)M ← MAC(KP,PMSI’,SQN’)Verify M = M’Verify SQN < SQN’Update SQN ← SQN’PMSI ← PMSI’...
Verify XRES = SRESDctc enirypted with CK
50
Defeatng IPMSI catchers
● All values it within current lengths of used variables● No modiicaton of messages needed
● Can be implemented by a single provider● Only changes needed in SIPM and authentcaton server
● Actually two PPMSIs stored in SIPM and at provider● Current PPMSI● Next PPMSI
– Once used promoted to current PPMSI and fresh next PPMSI generated● PMAC prevents desynchronisaton atacks in 2G soluton
51
Further actvites
● Read chapters 2 and 3 ofnPMobile communicaton securityFabian van den BroekPhD thesis, 2016
● Optonal readingnDefeatng IPMSI CatchersFabian van den Broek, Roel Verdult and Joeri de Ruiter22nd ACPM SIGSAC Conference on Computer and Communicatons Security (CCS'15), ACPM, 2015
Analysis of privacy in mobile telephony systemsMyrto Arapinis, Loreta Ilaria Mancini, Eike RiterMark D. RyanInternatonal Journal of Informaton Security, October 2017