umts network level security; investigation on security improvements thesis author: yue feng...
Post on 19-Dec-2015
216 views
TRANSCRIPT
UMTS Network Level Security; Investigation on Security Improvements
Thesis Author: Yue Feng
Supervisor: Professor Sven-Gustav HäggmanInstructor: Lic. Tech Michael Hall
2
Dedicate this thesis to my parents,
Diwei Feng and Shuhua Yang for being the best parents can be
3
Background Thesis objectives Thesis scope Network level security of mobile systems Introduction to UMTS UMTS network level security Proposals for secuity impovements Conclusions
Presentation outline
4
Background
3G era is coming, e.g., UMTS Security is becoming more and more concerned for 3G cellular
systems, since they are wireless, much more complex than 2G cellular systems, and especially more sophisticated attacking means are available
It is believed that attacks against mobile systems will not cease, as motives are as usual – for fun, criminality, Premium rate mobile services, unintentional attacks
Network level security attacks can be mainly categoried into DoS (location update spoofing, and radio jamming), masquerade, man-in-the-middle, replay, hijacking
Network level security focuses on confidentiality, authentication, integrity protection, user and location confidentiality, and availability
5
Thesis objectives
To present GSM network level security features retained in UMTS To present UMTS network level security features in 3GPP Release
1999, and MAPsec and IPsec based Network Domain Security (NDS)
To present network level security features specific for UMTS, prior to GSM network level security features
Proposals for mitigating unintentional radio jamming in uplink in UMTS – such proposals can not totally cancel such radio jamming
Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users
6
Thesis scope
Focuses only on the UMTS network level security specified in 3GPP Release 1999, and MAPsec and IPsec based Network Domain Security (NDS), i.e., system level security and protocol level security
Application security, operating system security, and physical facilities security are out of the scope
7
Network level security of mobile systems In 400 B.C, ancient Greeks already mastered the encryption skill
called as “skytals” A big leap during World War II Network level security of 1G cellular systems was nothing
Identities transfer over air cloning No encryption interception
Lesson was learned that security has to be desgined from the beginging phase of the design of the whole system, for what ?
8
GSM network level security 1
GSM network level security features: Subscriber identity and location confidentiality Subscriber identity authentication
Signalling data and user data confidentiality Security features are realized by security mechanisms GSM network level security mechanisms:
Subscriber identity and location confidentiality mechanism GSM Authentication and Key Agreement (AKA) mechanism GSM signalling data and user data confidentiality mechanism
9
GSM network level security 2
GSM network level security relies on: International Mobile Subscriber Identity (IMSI) Temporary Mobile Subscriber
Identity (TMSI); note in exceptional cases GSM subscriber can be only identified by IMSI transferred over the air interface
Subscriber Authentication Key Ki (128bits) only secured in Subscriber Identity Module (SIM) and Authentication Center (AuC)
COMP-128 based Authentication Algorithm A3 and Ciphering Key Generating Algorithm A8 only secured in SIM and AuC; RES(32bits)=A3Ki(RAND); Kc(64bits)=A8Ki(RAND)
Stream cipher based Ciphering Algorithm A5 secured in all Mobile Equipments (MEs) and Base Station Transceivers (BTSs); CipheringStream(114bits)=A5(Kc, Frame Number); note ME is the terminal part of Mobile Station (MS)!
Authentication of a user implies authenticating the right knowledge of Subscriber
Authentication Key
10
Weaknesses of GSM network level security 1
Weaknesses of GSM Network Level Security Threats against GSM network level security cf. Section 2.3.3 Unilateral authentication of MS towards network can cause for active attacks
from a false BTS An Authenticaion Vector (AV) may be indefinately used Encryption is provided between the MS and the BTS, but not further into the
network GSM only provides access security but not Network Domain Security (NDS) and
security data is transmitted in plain text between mobile networks No cryptographic integrity protection provided leaves a door for man-in-the-
middle and hijacking attacks; note Cyclic Reduncy Checking (CRC) is not the cryptographic integrity protection
Therefore, protection against the man-in-the-middle and hijacking attacks can partialy rely on the encryption; unfortunately GSM encryption can be disabled
To be continued
11
Weaknesses of GSM network level security 2
Cryptographic algorithms are lack of confidence 64-bit Ciphering Key (Kc) is short; COMP128 base A3/A8 algorithms are poor (published on Internet in 1998 by Briceno and Goldberg); Ciphering Algorithm A5/2 is the deliberately weakened version of Ciphering Algorithm A5/1 for export control regulations; Biryukov, Shamir, and Wagner demonstrated how A5/1 could be cracked less than one second on a Personal Computer (PC)
Interfaces of law enforcement was not included in the design of GSM could be only considered as an afterthought
12
cdma2000 1X network level security 1
For the later proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users
Two-level network level security hierachy: wireless network security and RADIUS/AAA
Wireless network security includes cdma2000 1X RAN Authentication Mechanisms: Initial registration mechanism (Global challenge authentication) SSD update mechanism (when SSD is shared) is a mutual authentication
mechansim Wireless network security also includes cdma2000 1X user identity and
location confidentiality mechanism and cdma2000 1X signalling data and user data confidentiality mechanism cf. Section 2.4.1 and Section 2.4.2.2 in the thesis
RADIUS/AAA authenticates user access to Packet Switched (PS) services by Challenge Handshake Authentication Protocol (CHAP), after a successful cdma2000 1X RAN Authentication procedure; it is not the interest in the thesis
To be continued
13
cdma2000 1X network level security 2
cdma2000 1X RAN Authentication Mechanisms rely on: User Authentication Key A-Key (64bits) and Electronic Serial Number
(ESN 32bits) only secured in Mobile Terminal (MT) and Authentication Center (AC)
Algorithm Cellular Authentication and Voice Encryption (CAVE) Shared Secret Data (SSD 128bits) is the cornerstone of cdma2000 1X
wireless network security; SSD(128bits)=CAVE(A-Key, ESN, RANDSSD) SSD(128bits)Temporary User Authentication Key (SSD-A 64bits), i.e.,
the first 64-bit part; SSD-A is for the initial registration mechanism and SSD update mechanism – more precisely unique challenge authentication of SSD update mechanism since the SSD update procedure is a mutual authentication procedure
Moreover, SSD(128bits)Temporary User Confidentiality Key (SSD-B 64bits), i.e., the second 64-bit part; SSD-B can generate ciphering keys for signalling data and user data confidentiality mechanisms, cf. Section 2.4.2.2 in the thesis
14
Introduction to UMTS 1
To be continued
15
Introduction to UMTS 2
UMTS employs Wideband Code Division Multiple Access (WCDMA) as the radio access technology with 5MHz channel bandwidth, i.e., a DS-CDMA technology, and hence many say WCDMA instead of UMTS, although it is only a radio access technology
Channel types defined in WCDMA/UMTS are: Logical channels answer what type of data to be transferred Transport channels answer how and with which characteristics with the
transferred data Physical channels answer exact the physical characteristics of the radio
channels UMTS Terrestrial Radio Access Network (UTRAN) protocol can be further
divided into three layers: physical layer, link layer, and network layer Medium Access Control (MAC) sublayer belongs to the link layer, which coverts
the logical channels to the transport channels To be continued
16
Introduction to UMTS 3
Radio Link Control (RLC) sublayer belongs to the link layer, which provides services to upper layers
Radio Resource Control (RRC) sublayer is the lowest sublayer of the network layer and terminates in Radio Network Controller (RNC); it provides encryption control; it performs integrity protection of both the RRC-level signalling and higher layers signalling
17
UMTS network level security 3G security principle defined in 3GPP TS 33.210:
3G security is built on the security of 2G systems; security elements within GSM and other 2G systems which have proved to be needed and robust shall be adopted for the 3G security
3G security improves the security of 2G systems by correcting the real and perceived weaknesses
New 3G security features are defined as necessary to secure the new services offered by 3G
Requirements capture of UMTS network level security is based on the weaknesses analysis pp 9-10 and threat analysis cf. Section 2.3.3 in the thesis
UMTS retains certain network level security features from the 2G systems In the following part, network access security (3GPP Release 1999) will be
addressed; MAPsec (3GPP Release 4) and IPsec (3GPP Release 5) based Network Domain Security (NDS) will be addressed
18
UMTS Authentication and Key Agreement mechanism 1
Mutual authentication retains the user authentication mechanism from GSM, and in addition the user can authenticate the network,
UMTS AKA relies on User Authentication Key K and Algorithms f1-f5 only secured in AuC and USIM, SQN stored in AuC and USIM; Authentication Vector (AV) generated in AuC
Based on Authentication Data Request, AuC generates an array of n fresh AVs to be sent to VLR/SGSN which selectes AV(i) and in turn forwards RAND(i) and AUTN(i) to the User Equipment (UE)
19
UMTS Authentication and Key Agreement mechanism 2
UMTS Subscriber Identity Module (USIM) embeded in UE can Verify the received AUTN(i) – XMAC(i) ?= MAC(i) SQN(i) is in correct range? If not, resynchronization procedure starts, cf. TS 33.102 Compute RES(i), and establish CK(i), and IK(i)
USIM sends the RES(i) back to VLR/SGSN, cf. Section 4.5.2.3 in the thesis
20
UMTS user identity and location confidentiality mechanism
International Mobile Subscriber Identity (IMSI) Temporary Mobile Subscriber Identity (TMSI) for services provided by Circuit Switched (CS) domain; IMSI Packet TMSI (P-TMSI) for services provided by Packet Switched (PS) domain; note in exceptional cases UMTS user can be only identified by IMSI over the air interface
UMTS user may also be identified by Radio Network Temporary Identity (RNTI)
IMSI, TMSI, and P-TMSI are CN-level identities for the UE in idle mode – such as power up, authentication
RNTI is UTRAN-level identity for the UE in connected mode such as UTRAN integrity protection
21
UTRAN encryption mechanism
Using Cipheing Algorithm f8, a stream cipher based on a block cipher KASUMI; publicly evaluated
Under the control of the Ciphering Key CK (128bits) established during the AKA procedure
MAC sublayer performs the encryption in transparent RLC mode – in case of Circuit Switched (CS) services
RLC sublayer performs encryption in both acknowledged mode and unacknowledged mode
Different from the GSM encryption, UTRAN encryption protects the communications between a ME and the RNC
UTRAN encryption procedure is optional UTRAN encryption procedure is initiated by security mode setup procedure
cf. Section 4.5.6.3 in the thesis
22
UTRAN integrity protection of RRC signalling
Threats against integrity is claimed to be most severe The purpose of the UTRAN integrity protection of Radio Resource Control
(RRC) signalling, is to authenticate individual control messages. RRC sublayer executes the integrity protection of both RRC-level and
higher layer signalling, by using Integrity Algorithm f9 under the control of the Integrity Key IK (128bits) established during the AKA procedure
Similar to the Ciphering Algorithm f8, the Integrity Algorithm f9 is based on the block ciphering KASUMI; publicly evaluated
Not all UTRAN signalling is integrity-protected Most of RRC signalling is integrity-protected; such UTRAN integrity
protection does not apply for signalling before the Integrity Key IK is in place, e.g., RRC Connection Request in the security mode setup procedure
23
UMTS Network Domain Security (NDS 1)
SS7-based Network Domain Security (NDS) was not considered in GSM, since only a limitted number of well-established entities can access
Situation is getting changed Telecommunication industry is getting deregulated In case AVs and sensitive information are modified in the network domain or
between networks of diffrent mobile operators, what a desaster! IP-based network is the trend
MAP security (MAPsec) is introduced in 3GPP Release 4, however why only Mobile Application Part (MAP) signalling is protected?
IP security (IPsec) is introduced in 3GPP Release 5.
24
MAPsec (NDS 2)
MAPsec has three modes, mode 0 – no protection, mode 1 – integrity protection only, mode 2 – encryption with integrity protection
Borrows the notion of Security Association (SA) from IPsec for security keys and other relevant information
3GPP Release 4 does not specify how to exchange SAs Automatic Key Management can be an option, which has the Key Administration
Centre (KAC) as the basis All SAs are stored in a SAD and Network Elements (NEs) must access it All SAs are valid on a PLMN-level basis, as a PLMN can only address another PLMN
not its individual NE Each KAC maintains a SA Database (SAD) and Security Policy Database (SPD);
each NE has similar databases KACs agree on SAs between themselves by using the Internet Key Exchangement
(IKE) and MAPsec Domain of Interpretation (DoI) KAC distributes security policies and SAs to NEs over the Ze-interface A NE must get a valid SA and security policy to address a NE in anohter PLMN
25
IPsec (NDS 3)
IPsec is defined at the network layer to protect IP packets IPsec three components: Authentication Header (AH), Encapsulation
Security Payload (ESP), and IKE; only the ESP is talked in detail ESP has two modes: transport mode and tunnel mode
The former fits in better with end-to-end communications; provides both encryption and integrity protection; but only protects the payload
The latter fits in better between two nodes, e.g., Gateways; provides both encryption and integrity protection; protects the whole IP packet; the implication of the same function as the former has; UMTS NDS prefers using the latter for signalling protection
Security Gateway (SEG) is the basis of NDS IP-based network (NDS/IP) Each SEG contains both the SAD and SPD SEG uses the IKE to exchage IPsec SAs Main difference from the KAC is that SEG also uses the negotiated SAs, while
KAC can only agree SAs over the Zd-interface
26
Proposals for mitigating unintentional radio jamming in uplink 1
Proposals for mitigating unintentional radio jamming in uplink Radio jamming is an ongoing threat to any cellular system and hardly to be totally
canceled in practice Unintentional radio jamming is met in civilian cellular systems, and may be caused by
co-existing wireless systems – Personal Handyphone System (PHS), radar systems and broadcasting systems operating on Ultra High Frequency (UHF)
Radio jamming in uplink may be very severe, since the Base Station (BS) is visible, static, and open
Smart antenna is the big hope Review of results
GSM is relatively resistant to radio jamming thanks for its digital features Power Control (PC) and rescue handover mechanisms can further ease radio
jamming WCDMA/UMTS has even better radio jamming resistance ability; more sophisticated
PC and handover mechanisms are introduced Moderate radio jamming can not make WCDMA/UMTS network deaf
27
Proposals for mitigating unintentional radio jamming in uplink 2
In case of high radio jamming environments, Capital Expenditures (CAPEX) have been invested on countermeasures, otherwise Operating Expense (OPEX) would be critical for UMTS operators in long run
Mitigating unintentional radio jamming in uplink shall set about Identifying radio jamming sources, analyzing radio jamming reasons, figuring out radio jamming characteristics, and evaluating radio jamming impacts before making further countermeasures; network trial is essential for optimizing countermeasures and for balancing against the costs
Based on the above efforts, proposals for effectively mitigating unintentional radio jamming in uplink in UMTS are made: In case of static jamming sources such as a power plant or a broadcasting system,
switched beam smart antennas shall be adopted around the jamming area; network trial can help UMTS operator further select Butler matrix or Blass matrix; the latter performs better while being complex, heavy, and expensive; switched beam smart antenna may cause for intra-cell handover and call loss; in general some areas are more severely influenced than others. Therefore, cell splitting and more Node Bs shall be introduced, while in turn pushing up the costs
To be continued
28
Proposals for mitigating unintentional radio jamming in uplink 3
In case of dynamic radio jamming sources such as radar arrays, airport and harbor radio equipments, or co-existing systems in the same building or along highways, adaptive array smart antennas shall be adopted, since such smart antennas can dynamically track UEs and can simultaneously adjust beams to desired signals while nulling out radio jamming signals; Sample Matrix Inversion (SMI) DSP performs better especially in WCDMA/UMTS, since the SMI DSP can take advantage of pilot signal in uplink and the SMI algorithm has fast convergence rate, but the SMI DSP is complex and expensive; Least Mean Square (LMS) DSP is simple and cheap
In case of pervasive jamming environments of high power, unintentional radio jamming in uplink may be mitigated by means of implementing adaptive array smart antennas and minimizing cell size; UMTS operators shall adopt lines such as copper lines or optical fiber, other than radio, to be the backbone network transmission medium
In addition, UMTS operators shall adopt antennas with lower side lobes and use electrical down-tilt antennas
UMTS operators must cooperate with authorities or legal forces, which would be an easy way to prevent the occurrences of radio jamming, or to be compensated in case of radio jamming damage
29
Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 1
Since inter-system handover and Inter-system Packet Switched (PS) domain registration are hardly feasible with justifiable efforts and network level security only plays a limited part, only two other scenarios are considered: Registration of a UMTS user in a cdma2000 1X SN, called USIM roaming Registration of a cdma2000 1X user in a UMTS SN, called cdma2000 1X Mobile
Terminal (MT) roaming Principle: permanent authentication key material would be never disclosed to any
network component apart from the AuC of HE in UMTS, or the AC of HE in cdma2000 1X; UE (ME + USIM) and MT can run both UMTS AKA and cdma2000 1X RAN authentication protocols
Hence, such proposals are based on a UMTS and cdma2000 1X Gateway
To be continued
30
Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 2
The necessary adaptation has to be mainly facilitated by the features on the user side and the Gateway
In case B-user is roaming in A-SN, to A-SN the Gateway acts like the HE of A-SN, while to B-HE the Gateway acts like a B-SN
Proposal for USIM roaming – relatively simple as no SQN is involved Gateway in addition acts as the HE of USIM Gateway in a predefined way converts the received UMTS AKA authentication
data for the purpose of a cdma2000 1X SSD update procedure with the UMTS user ( Set SSD=IK, RANDSSD=RAND).
Gateway runs cdma2000 1X SSD update procedure with the USIM via the cdma2000 1X SN
Proposal for cdma2000 1X Mobile Terminal (MT) roaming Gateway in addition acts as the HE of cdma2000 1X MT Gateway requests a cdma2000 1X SSD update procedure by abusing the
message with especially reserved parameters to the cdma2000 1X AC of HE Gateway in a predefined way converts the received cdma2000 1X authentication
data to a UMTS AV (RAND=RANDSSD||RD, 0,0,0,0) and set K=SSD To be continued
31
Proposals for interoperation in terms of security between UMTS and cdma2000 1X roaming users 3
Gateway authenticates the cdma2000 1X user by abusing Resynchronization procedure (0, AUTS)
Only from this point forward, Gateway generates a UMTS authentication quintuple (RAND, XRES, CK, IK, AUTN), by using Algorithms f1-f5, under the control of SSD as the substitute for the UMTS User Authentication Key K
The new UMTS authentication quintuple is sent to UMTS SN for further security matters, e.g., mutual authentication, integrity protection and so on
cdma2000 1X does not have SQN approach, hence a special manner has to be arranged, every time a cdma2000 1X MT attempts to register in UMTS, the SQN in both the cdma2000 1X MT and the Gateway are forced to 1; it is incremented by 1 for the generation of a new UMTS authentication quintuplet under the condition of same SSD
32
Conclusions
UMTS network level security addresses and corrects GSM network level securtiy real and perceived weaknesses
UMTS has more robust network level security than cdma2000 1X UMTS network level security can be the pattern for the development of such
security matters for future cellular systems Future work
Avoid IMSI transfer over the air interface Integrity-protect all types of signalling in network domain Is it possible to introduce public key mechanism for UMTS network level security Prevent a Base Station (BS)/handset from camping on a false handset/ Base
Station (BS) Firewall shall be introduced to protect network domain
33
Thanks