wireless comm security 5

Upload: abdulsahib

Post on 07-Jul-2018


  • 8/19/2019 Wireless comm securiy 5


    Block 8: GSM (2G) Security

    Objectives:

    • To introduce the basic principles of GSM security 

    • To show why GSM security is broken on many levels


    GSM Mobile Telecommunications Security

    Global System for Mobile Communications (GSM) constitutes about 70% of the world mobile telecommunications market.

    Since 1989 GSM has been the responsibility of the European Telecommunications Standards Institute (ETSI), which published Phase I of the GSM specifications in 1990.

    The GSM specifications were designed in secrecy and distributed on a strictly need-to-know basis to industrial participants in the value chain.

    However, information about the GSM security algorithms started to leak into the public domain in the middle of the 1990's.


    General architecture of a GSM network

    The Base Station Subsystem (BSS) controls the radio link with the Mobile Station (MS).

    It comprises Base Transceiver Stations (BTSs) and Base Station Controllers (BSCs).

    o Many BTSs connect to a single BSC.

    [Figure: GSM network architecture. Blocks: SIM, MS, BTS, BSC, MSC, PSTN, ISDN, EIR, HLR, VLR, AuC. Groupings: Base Station Subsystem, Network Subsystem.]


    The Network Subsystem contains the Mobile Services Switching Centre (MSC)

    o Switches calls between mobile users and between mobile and fixed network users

    o Handles mobility management operations

    The Mobile Station consists of the terminal and a smart card called the Subscriber Identity Module (SIM).

    The SIM enables the user to receive subscribed services without being tied to one particular terminal

    o Contains the International Mobile Subscriber Identity (IMSI) used to uniquely identify the user (subscriber) to the system

    This makes the user and their terminal independent

    The terminal used is uniquely identified by the International Mobile Equipment Identity (IMEI)

    o By removing the SIM from your GSM terminal and placing it in another, you are able to make and receive calls and use other subscribed services on that terminal

    The SIM card contains a secret authentication key and other information.

    The SIM card may be protected by a password or Personal Identity Number (PIN).

    The BSS contains BTSs connected to its BSCs.

    The BTS contains the radio transceivers that determine a cell and handles the radio-link protocols with the MS.

    The BSC manages the radio resources for one or more BTSs by handling radio-channel setup, frequency hopping and handovers.

    The MSC is the main component of the Network Subsystem

    o Acts like a switching node of the PSTN or ISDN

    o Provides all the functionality needed to manage a mobile subscriber: authentication, registration, location updating, handovers, call routing, etc.


    o Provides the connection to fixed networks, e.g., PSTN or ISDN

    The Home Location Register (HLR) and Visitor Location Register (VLR), together with the MSC, provide the call routing capabilities of GSM.

    The HLR and VLR are used for authentication and security purposes.

    The Equipment Identity Register (EIR) is a list of the IMEI of cell phones reported stolen and subsequently placed on the EIR.

    When a terminal connects to the network its IMEI is read by the network

    o A terminal that is on the EIR can be disabled electronically and is then unusable on many GSM networks.

    The Authentication Server (AuC) stores a copy of the secret key stored on each subscriber's SIM card

    o The key is used for authentication and encryption over the radio channel

    o The AuC is a protected database


    Security features of GSM

    The security of GSM is designed to protect the radio link

    o No attempt is made to address the security of any fixed part of the network

    Security in GSM tries to address

    o Subscriber identity authentication

    o User and signalling data confidentiality

    o Subscriber identity confidentiality

    The IMSI uniquely identifies the subscriber.

    The IMSI and the individual subscriber authentication key Ki are sensitive identification credentials

    o The IMSI and the Ki are never transmitted in the clear

    The mobile station identifies itself using a Temporary Mobile Subscriber Identity (TMSI) issued by the network and which may be changed periodically, e.g. during handoffs, for additional security.


    A challenge-response mechanism is used to authenticate the user to the BTS.

    The BTS is not authenticated to the user.

    Conversations are encrypted with a temporary, randomly generated key Kc.

    The GSM security mechanisms are implemented in three different system elements

    o The SIM

    o The terminal

    o The GSM network

    The SIM contains

    The IMSI

    The individual subscriber authentication key Ki

    The encryption key generating algorithm A8

    The authentication algorithm A3


    A PIN

    The GSM terminal (the MS) contains

    The encryption algorithm A5 (strictly A5


    Subscriber Identity Authentication

    The subscriber authentication service is used by the fixed network

    o To authenticate a mobile subscriber

    o Create and manage the encryption keys

    o Is supported by all networks and all mobile terminals

    The frequency with which a user is authenticated is at the discretion of the network.

    Authentication is initiated by the fixed network and is based on a simple challenge-response protocol.

    When a mobile terminal needs to authenticate itself to a serving network one of the following cases applies


    Case 1: The cell belongs to a network the mobile terminal has not visited in the recent past, then

    • The mobile terminal sends its IMSI to the serving network

    • The serving network MSC finds the terminal's home network and asks the HLR of that network to send an authentication vector that is stored in the serving network's VLR together with the IMSI of the terminal

    Case 2: The cell belongs to the home network of the terminal or to a network the terminal has visited in the recent past and to which it has authenticated itself, then

    • If the authentication vector is still in the VLR and there are some triplets left unused then the HLR of the visiting terminal does not need to be contacted

    In both cases a random challenge (nonce) RAND is sent to the terminal.


    The terminal computes a response SRES to RAND using A3 and the subscriber authentication key Ki

    Ki is unique and shared only with the AuC of the user's home network

    Algorithm A3 takes RAND and Ki and generates SRES as output

    RAND and Ki are 128 bits long

    SRES is 32 bits long

    The value of SRES computed by the terminal is signalled to the network where it is compared with the stored precomputed value

    If the two values agree the user is authenticated and the call is allowed to proceed

    If the values are different access is denied

    The terminal uses Algorithm A8 to generate a session key Kc from RAND and Ki

    Kc is 64 bits long.


    The BTS receives the same session key Kc from the MSC.

    The AuC of the user's home network can generate Kc because the HLR knows RAND and Ki

    In practice Kc is precomputed by the AuC

    At the end of a successful authentication exchange both the MS and BTS possess Kc.

    The Kc is used until the network decides to authenticate the user again which may be several days later.

    The precomputed triplets (RAND, SRES, Kc), held by the HLR on behalf of a subscriber are passed by the home network's AuC on demand to networks visited by the subscriber.

    COMP128 is an algorithm that combines A3 and A8 and generates SRES and Kc together

    It takes RAND and Ki as input which are both 128 bits long and generates a 128 bit output

    The first 32 bits of the output are taken to be SRES


    The last 54 bits of the output form the session key

    Ten zero bits are added to the session key to give a 64 bit key

    The keyspace is effectively only 54 bits

    COMP128 or both A3 and A8 are stored in the SIM card to prevent tampering.

    This authentication works abroad because the local network does not have to know anything about these algorithms; it obtains the triplets (RAND, SRES, Kc) from the subscriber's home network.
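
    The challenge-response exchange and triplet handling described above, as an added example that is not part of the original slides. COMP128 itself is not reproduced: `comp128_standin` (truncated HMAC-SHA256) is a placeholder, and the class and helper names, the sample IMSI and the placement of the ten zero bits at the low-order end of Kc are assumptions of this example.

```python
import hashlib, hmac, secrets

def comp128_standin(ki: bytes, rand: bytes) -> bytes:
    """Placeholder for COMP128 (NOT the real algorithm): 128-bit Ki and
    128-bit RAND in, 128-bit output out."""
    assert len(ki) == 16 and len(rand) == 16
    return hmac.new(ki, rand, hashlib.sha256).digest()[:16]

def split_output(out: bytes):
    """First 32 bits become SRES; last 54 bits plus ten zero bits become Kc."""
    sres = out[:4]
    last54 = int.from_bytes(out, "big") & ((1 << 54) - 1)
    kc = (last54 << 10).to_bytes(8, "big")  # assumption: zeros at the low end
    return sres, kc

def make_sim(ki: bytes):
    """The SIM: answers a RAND with (SRES, Kc) and never reveals Ki."""
    return lambda rand: split_output(comp128_standin(ki, rand))

class AuC:
    """Home network: holds Ki per IMSI and precomputes triplets on demand."""
    def __init__(self):
        self.ki, self.requests = {}, 0
    def triplets(self, imsi: str, n: int = 3):
        self.requests += 1
        sim = make_sim(self.ki[imsi])
        rands = [secrets.token_bytes(16) for _ in range(n)]
        return [(r, *sim(r)) for r in rands]  # (RAND, SRES, Kc)

class ServingNetwork:
    """Visited network: has no Ki and no algorithm, only triplets in its VLR."""
    def __init__(self, auc: AuC):
        self.auc, self.vlr = auc, {}
    def authenticate(self, imsi: str, sim):
        if not self.vlr.get(imsi):  # Case 1: fetch a fresh vector from home
            self.vlr[imsi] = self.auc.triplets(imsi)
        rand, expected, kc = self.vlr[imsi].pop(0)  # Case 2: unused triplet
        sres, _kc_on_sim = sim(rand)  # terminal keeps Kc for ciphering
        ok = hmac.compare_digest(sres, expected)
        return ok, (kc if ok else None)

def demo():
    auc = AuC()
    auc.ki["001010123456789"] = secrets.token_bytes(16)  # constructed IMSI/Ki
    net = ServingNetwork(auc)
    genuine = make_sim(auc.ki["001010123456789"])
    sim_with_wrong_ki = make_sim(secrets.token_bytes(16))
    return (net.authenticate("001010123456789", genuine),
            net.authenticate("001010123456789", sim_with_wrong_ki),
            auc.requests)
```

    The second authentication in `demo()` is served from the triplets already in the VLR, so the AuC is contacted once; the serving network never handles Ki.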


    User and signalling data confidentiality

    This service has three components

    1. Confidentiality of user data and signalling information on physical connections

    • Provides privacy for all user generated data (voice and non-voice) transferred over traffic channels

    2. Connectionless user data confidentiality

    • Provides privacy for all user data transferred in packet mode on a dedicated signalling channel

    3. Signalling information element confidentiality

    • Provides privacy for user related signalling elements transferred on a dedicated signalling channel

    All three components use the same encryption mechanism and must be supported by all networks and mobile terminals.


    Encryption is done using algorithm A5 which produces a key stream under control of Kc, the session key established as part of the authentication procedure.

    It is essential that the MS and BTS synchronize the start of their encryption algorithms

    Synchronization of the key stream is maintained using the TDMA frame structure of the radio subsystem

    The TDMA frame number is used as a message key for encryption algorithm A5

    A5 produces a synchronized key stream for enciphering and deciphering the data bits in the frame

    Two versions of A5 are currently used A5


    Subscriber Identity Confidentiality

    This service allows subscribers to make calls and update their location without revealing their IMSI on the radio path

    It prevents location tracking of subscribers

    All GSM networks and terminals must be able to support the service

    Use of this service is not mandatory

    The temporary mobile subscriber identity (TMSI) is used to provide the service

    The TMSI is securely updated after each successful access to the system

    Signalling elements that convey information about the IMSI are sent encrypted

    In principle, the IMSI need only be transmitted in the clear on registration.


    The mechanism works as follows

    Assume the MS has been allocated a TMSI denoted by TMSI0 and that the network knows the relationship between TMSI0 and the subscriber's IMSI.

    The MS identifies itself to the network by sending TMSI0

    After authentication (if this takes place), the network generates a new TMSI denoted by TMSI1 and sends this to the MS encrypted using Kc

    The MS decrypts TMSI1 and replaces TMSI0 with TMSI1
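
    The TMSI reallocation steps above as a two-sided exchange that records what is visible on the radio path; this is an added example, not part of the original slides. The `keystream` function is a hash-based stand-in for A5, and the class names, the 4-byte TMSI length, the frame numbers and the sample IMSI are constructed assumptions.

```python
import hashlib
import secrets

def keystream(kc: bytes, frame: int, n: int) -> bytes:
    """Stand-in for A5 (assumption): key stream from Kc and the frame number."""
    return hashlib.sha256(kc + frame.to_bytes(4, "big")).digest()[:n]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class Network:
    def __init__(self):
        self.tmsi_to_imsi = {}  # relationship known only to the network
        self.kc = {}            # session key per IMSI, from authentication

    def access(self, identity: bytes, frame: int, air: list) -> bytes:
        """identity is the current TMSI, or the IMSI on first registration."""
        air.append(("MS->net", identity))          # sent unencrypted
        # Unknown identities are treated as an IMSI in this sketch.
        imsi = self.tmsi_to_imsi.pop(identity, identity)
        new_tmsi = secrets.token_bytes(4)
        self.tmsi_to_imsi[new_tmsi] = imsi
        msg = xor(new_tmsi, keystream(self.kc[imsi], frame, 4))
        air.append(("net->MS", msg))               # new TMSI, encrypted with Kc
        return msg

class MobileStation:
    def __init__(self, imsi: bytes, kc: bytes):
        self.imsi, self.kc, self.tmsi = imsi, kc, None

    def access(self, net: Network, frame: int, air: list) -> None:
        ident = self.tmsi if self.tmsi is not None else self.imsi
        msg = net.access(ident, frame, air)
        self.tmsi = xor(msg, keystream(self.kc, frame, 4))  # replace old TMSI

def run_demo():
    imsi, kc = b"001010123456789", secrets.token_bytes(8)  # constructed values
    net, air = Network(), []
    net.kc[imsi] = kc
    ms = MobileStation(imsi, kc)
    for frame in (100, 200, 300):  # registration, then two later accesses
        ms.access(net, frame, air)
    return imsi, ms, net, air
```

    In the recorded `air` list the IMSI appears once, at registration; every later access carries a TMSI that was itself delivered encrypted.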


    Attacks on GSM Security

    Microwave links

    In many cases the base transceiver station to base station controller link is a point-to-point microwave link

    This is a potential security hole in the GSM system

    Data at this point is generally unencrypted because when GSM was designed it was expected that this link would be a fixed link

    Some operators implement lower layer bulk encryption to protect data in the microwave link.


    Attacks on the Algorithm A3

    The Smart Card Developer Association and the ISAAC security research group found a flaw in the COMP128 algorithm in 1998.

    This flaw can be used to find the secret key Ki from the SIM card if approximately 160,000 chosen RAND-SRES pairs can be collected

    If the user's mobile phone is stolen and the SIM card removed and connected to a phone emulator the emulator can be used to send 160,000 chosen RAND to the SIM card and receive the SRES

    This can take up to 10 hours

    Alternatively, a false BTS could be used to send the chosen RAND over the air interface

    This could take days but the attacker does not need possession of the SIM card

    Once the attacker has the key Ki they can eavesdrop on the subscriber's calls and run up calls on the subscriber's bill.


    Partition Attack

    Side channel attacks are indirect attacks that determine the relationship between input-output information from power consumption, timing of operations, etc.

    With physical access to the SIM card it is possible to extract Ki by a side channel attack called the 'partition attack' developed by IBM researchers

    It can be applied where large table lookups are used or where countermeasures against differential side channel analysis have not been properly applied

    COMP128 uses a large table lookup and can be broken by partition attack that with 255 chosen inputs or 8 adaptively chosen inputs can extract Ki in less than a minute

    GSM network operators are slowly migrating from COMP128 (also known as COMP128-1) to COMP128-2 or COMP128-3. Because the A3 and A8 algorithms are stored in the Subscriber Identity Module, this requires changing the GSM subscribers' SIM cards.


    Attacks on A5 algorithm

    If an attacker obtains the session key Kc they can find the key stream used for encryp[email protected]? if plaintext is known and an attempt is made to determine the initial states of the LFSRs from a known key stream sequence.


    Biryukov, Shamir, and Wagner attacked A5
