THE PROBLEM OF PRIVATE IDENTIFICATION PROTOCOLS
Ruxandra F. Olimid and Stig F. Mjølsnes
Dept. of Information Security and Communication Technology, NTNU, Norway
Real World Crypto 2018
Zurich, January 10
Motivation - LTE
LTE - Subscriber’s Identification
(IMSI, K) (IMSI, K)
IMSI (International Mobile Subscriber Identity)
MCC (Mobile Country Code)
MNC (Mobile Network Code)
MSIN (Mobile Subscriber Identification Number)
LTE - Subscriber’s Identification
[Figure: subscriber identification between UE and eNodeB; labels: Subscriber, IMSI, Identification, TMSI1, TMSI2]
LTE - Privacy Breach
eNodeB → UE: Identity Request (IMSI)
UE → eNodeB: Identity Response (IMSI)
[...] requests the user to send its permanent identity. The user's response contains the IMSI in cleartext. This represents a breach in the provision of user identity confidentiality.
[ETSI TS 133 401 V14.4.0 (2017-10)]
Experimental Work
• S. F. Mjølsnes, R. F. Olimid: Easy 4G/LTE IMSI Catchers for Non-Programmers, MMM-ACNS 2017
• S. F. Mjølsnes, R. F. Olimid: Experimental Assessment of Private Information Disclosure in LTE Mobile Networks, Secrypt 2017
Experimental Work
eNodeB → UE: Identity Request (IMSI)
UE → eNodeB: Identity Response (IMSI)
Our LTE IMSI Catcher
• eNodeB_Jammer: causes the UE to detach from the serving cell it camps on
• eNodeB_Collector: masquerades as an authorized eNodeB running on the (second) highest priority frequency, but with higher signal power, causing the UE to try reselection and expose the IMSI
Tools: Hardware
• Software radio peripherals (USRPs)
– Ettus B200mini + antennas
• Computers (access and core network)
– Standard desktops or laptops: Intel NUC D54250WYK (i5-4250U CPU@1,30GHz), Lenovo ThinkPad T460s (i7-6600U CPU@2,30GHz)
• Mobile terminals:
– Samsung Galaxy S4 device, used to find the LTE channels and TACs used in the targeted area
– Two LG Nexus 5X phones running Android v6, used to test our IMSI Catcher
• SIM cards
[https://www.ettus.com/product/details/USRP-B200mini]
Tools: Software
• LTE Emulator:
– Open Air Interface (OAI), an open source software that provides a (partially) standard compliant implementation of LTE
• Service Mode:
– Dial *#0011# on Samsung Galaxy S4 device
– Read configuration of the commercial network: EARFCN DL, TAC, MCC, MNC, Cell ID
Construction
• Phase 1. Gather the configuration parameters:
– Find the EARFCN DL and TAC (using the Samsung device)
– Run eNodeB_Jammer using MCC, MNC and the EARFCN DL of the commercial cell
– Read new EARFCN DL after reselection
• Phase 2. Configure and run the LTE IMSI Catcher:
– Run eNodeB_Collector using MCC, MNC and the new EARFCN DL after reselection in the commercial network, but a different TAC
– Run eNodeB_Jammer configured as in Phase 1
Results
• Low-cost IMSI Catcher (< 3000 EUR):
– COTS hardware and readily available software only
– No (or very basic) changes in the source code
Results
• Behaviour:
– Denial-of-Service (DoS) until reboot - cause 3 (Illegal UE)
– Downgrade to non-LTE services - cause 7 (EPS services not allowed)
– Reconnection to the commercial network - cause 15 (No suitable cells in tracking area)
Similar Work
[NDSS 2016]
IMSI Catchers in the Real World
“Real World” IMSI Catchers
[Aftenposten, Dec.16 2014]
“Real World” IMSI Catchers
[http://www.rayzoneg.com/en.piranha.html]
“Real World” IMSI Catchers
[https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/]
The cryptographic problem
• S. F. Mjølsnes, R. F. Olimid: The challenge of private identification, iNetSec 2017 (to appear)
The Problem
(How) Can we construct efficient and scalable secure identification mechanisms in (mobile) communication systems?
Subscriber: $(IMSI_i, K_i)$, $(ID_i, K_i)$
Provider: $(ID_1, K_1), (ID_2, K_2), \ldots, (ID_n, K_n)$
We decouple the protocol from registration and authentication, to gain independence in design and analysis - the private identification challenge becomes a general standalone problem
Output: $(ID_i, K_i)$
Public Key - Trivial Solution
Subscriber: $ID_i$, $pk$
Provider: $ID_1, ID_2, \ldots, ID_n$; $sk$
Subscriber → Provider: $\mathrm{Enc}_{pk}(ID_i)$
Provider: $\mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(ID_i)) = ID_i$
No PubKey
Key Search - Linear Solution
Subscriber: $(ID_i, K_i)$
Provider: $(ID_1, K_1), (ID_2, K_2), \ldots, (ID_n, K_n)$
$r_j \leftarrow_R R$
Subscriber → Provider: $r_j, \mathrm{Enc}_{K_i}(r_j)$
Provider: try all $\{K_i\}$ until successful decryption of $r_j$
Output: $(ID_i, K_i)$
Linear time
[Weis, Sarma, Rivest, Engels - Security and Pervasive Computing’03]
[Alwen, Hirt, Maurer, Patra, Raykov - Anonymous Authentication with Shared Secrets’14] *key-indistinguishable MAC
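The key-search identification on the slide above, written out as an added example (not code from the talk or the cited papers). HMAC-SHA256 stands in for Enc_K / the key-indistinguishable MAC, and the function names, nonce length and ID labels are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # length of r_j in bytes (assumed)

def mac(key, r):
    # HMAC-SHA256 stands in for Enc_K(r) on the slide (assumption).
    return hmac.new(key, r, hashlib.sha256).digest()

def build_db(n):
    # Provider table {ID: K}; labels ID1..IDn and 256-bit keys are constructed.
    return {f"ID{i}": secrets.token_bytes(32) for i in range(1, n + 1)}

def subscriber_message(key):
    # Subscriber: sample a fresh r_j and send (r_j, MAC_K(r_j)); no ID on the wire.
    r = secrets.token_bytes(NONCE_LEN)
    return r, mac(key, r)

def provider_identify(db, r, tag):
    # Provider: try every K until the tag verifies.
    # Returns (ID, K, keys_tried); (None, None, n) if no key matches.
    tried = 0
    for sub_id, key in db.items():
        tried += 1
        if hmac.compare_digest(mac(key, r), tag):
            return sub_id, key, tried
    return None, None, tried

if __name__ == "__main__":
    db = build_db(10_000)
    for who in ("ID1", "ID5000", "ID10000"):
        r, tag = subscriber_message(db[who])
        found, _, tried = provider_identify(db, r, tag)
        print(f"{who}: identified as {found} after {tried} key trials")
    # Two runs by the same subscriber produce different (r, tag) pairs.
    m1, m2 = subscriber_message(db["ID1"]), subscriber_message(db["ID1"])
    print("sessions differ:", m1 != m2)
    # A key that is not in the table costs a full scan and is rejected.
    r, tag = subscriber_message(secrets.token_bytes(32))
    print("unknown subscriber:", provider_identify(db, r, tag))
```

The number of key trials grows with the subscriber's position in the table, which is the linear cost per identification that the slide points out.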
Related Work
• Mobile networks (LTE):
– Several IMSIs for each USIM [Khan & Mitchell’15]
– New temporary identifiers: DMSI (Dynamic Mobile Subscriber Identities) [Choudhury et al.’12], PMSI (Pseudo Mobile Subscriber Identities) [Broek et al.’15], CMSI (Changing Mobile Subscriber Identities) [Muthana & Saeed’17]
– Public-key solutions [Arapinis et al.’12], [Hermans et al.’14], [Chandrasekaran et al.’17]
• Models and definitions:
– Mobile Networks, include authentication [Alwen et al.’14, Abadi & Fournet’15]
– RFIDs [Vaudenay’07], [Canard et al.’10], [Hermans et al.’14], [Yang et al.’17]
• RFID:
– Linear complexity in the number of subscribers [Weis et al.’03]
– Surveys [Juels’06], [Langheinrich’09], [Song et al.’09], [Song et al.’11], [Yang et al.’17]
Summary
• 4G/LTE IMSI-catchers
– is IMSI-catching a bug or a feature?
– this problem should be considered for 5G and beyond
• Drawbacks of existing proposals:
– architectural changes
– significant modifications to the protocols and/or the exchanged messages
– high computational costs and difficult management caused by public key cryptography
– particularity to specific scenarios
• Private Identification Problem:
– introduced as a general standalone problem, being decoupled from authorization (and registration)
– existing efficient and scalable solutions in private key settings?
Thank you!
A!
Q?