Wireless comm security 5
8/19/2019 Wireless comm security 5
Block 8: GSM (2G) Security
Objectives:
• To introduce the basic principles of GSM security
• To show why GSM security is broken on many levels
GSM Mobile Telecommunications Security
Global Systems for Mobile Communications (GSM) constitutes about 70% of the world mobile telecommunications market.
Since 1989 GSM has been the responsibility of the European Telecommunications Standards Institute (ETSI), which published Phase I of the GSM specifications in 1990.
The GSM specifications were designed in secrecy and distributed on a strictly need-to-know basis to industrial participants in the value chain.
However, information about the GSM security algorithms started to leak into the public domain in the middle of the 1990's.
General architecture of a GSM network
The Base Station Subsystem (BSS) controls the radio link with the Mobile Station (MS).
It comprises Base Transceiver Stations (BTSs) and Base Station Controllers (BSCs).
o Many BTSs connect to a single BSC.
[Figure: GSM network architecture, showing SIM, MS, BTS, BSC, MSC, PSTN, ISDN, EIR, HLR, VLR and AuC, grouped into the Base Station Subsystem and the Network Subsystem]
The Network Subsystem contains the Mobile Services Switching Centre (MSC)
o Switches calls between mobile users and between mobile and fixed network users
o Handles mobility management operations
The Mobile Station consists of the terminal and a smart card called the Subscriber Identity Module (SIM).
The SIM enables the user to receive subscribed services without being tied to one particular terminal
o Contains the International Mobile Subscriber Identity (IMSI) used to uniquely identify the user (subscriber) to the system
This makes the user and their terminal independent
The terminal used is uniquely identified by the International Mobile Equipment Identity (IMEI)
o By removing the SIM from your GSM terminal and placing it in another you are able to make and receive calls and other subscribed services on the terminal
The SIM card contains a secret authentication key and other information.
The SIM card may be protected by a password or Personal Identity Number (PIN).
The BSS contains BTSs connected to its BSCs.
The BTS contains the radio transceivers that determine a cell and handles the radio-link protocols with the MS.
The BSC manages the radio resources for one or more BTSs by handling radio-channel setup, frequency hopping and handovers.
The MSC is the main component of the Network Subsystem
o Acts like a switching node of the PSTN or ISDN
o Provides all the functionality needed to manage a mobile subscriber: authentication, registration, location updating, handovers, call routing, etc.
o Provides the connection to fixed networks, e.g., PSTN or ISDN
The Home Location Register (HLR) and Visitor Location Register (VLR), together with the MSC, provide the call routing capabilities of GSM.
The HLR and VLR are used for authentication and security purposes.
The Equipment Identity Register (EIR) is a list of the IMEI of cell phones reported stolen and subsequently placed on the EIR.
When a terminal connects to the network its IMEI is read by the network
o A terminal that is on the EIR can be disabled electronically and is then unusable on many GSM networks.
The Authentication Server (AuC) stores a copy of the secret key stored on each subscriber's SIM card
o The key is used for authentication and encryption over the radio channel
o The AuC is a protected database
Security Features of GSM
The security of GSM is designed to protect the radio link
o No attempt is made to address the security of any fixed part of the network
Security in GSM tries to address
o Subscriber identity authentication
o User and signalling data confidentiality
o Subscriber identity confidentiality
The IMSI uniquely identifies the subscriber.
The IMSI and the individual subscriber authentication key Ki are sensitive identification credentials
o The IMSI and the Ki are never transmitted in the clear
The mobile station identifies itself using a Temporary Mobile Subscriber Identity (TMSI) issued by the network and which may be changed periodically, e.g. during handoffs, for additional security.
A challenge-response mechanism is used to authenticate the user to the BTS.
The BTS is not authenticated to the user.
Conversations are encrypted with a temporary, randomly generated key Kc.
The GSM security mechanisms are implemented in three different system elements
o The SIM
o The terminal
o The GSM network
The SIM contains
o The IMSI
o The individual subscriber authentication key Ki
o The encryption key generating algorithm A8
o The authentication algorithm A3
o A PIN
The GSM terminal (the MS) contains
o The encryption algorithm A5 (strictly A5
Subscriber Identity Authentication
The subscriber authentication service is used by the fixed network
o To authenticate a mobile subscriber
o Create and manage the encryption keys
o Is supported by all networks and all mobile terminals
The frequency with which a user is authenticated is at the discretion of the network.
Authentication is initiated by the fixed network and is based on a simple challenge-response protocol.
When a mobile terminal needs to authenticate itself to a serving network one of the following cases applies
Case 1: The cell belongs to a network the mobile terminal has not visited in the recent past; then,
• The mobile terminal sends its IMSI to the serving network
• The serving network MSC finds the terminal's home network and asks the HLR of that network to send an authentication vector that is stored in the serving network's VLR together with the IMSI of the terminal
Case 2: The cell belongs to the home network of the terminal or to a network the terminal has visited in the recent past and to which it has authenticated itself; then,
• If the authentication vector is still in the VLR and there are some triplets left unused then the HLR of the visiting terminal does not need to be contacted
In both cases a random challenge (nonce) RAND is sent to the terminal.
The terminal computes a response SRES to RAND using A3 and the subscriber authentication key Ki
o Ki is unique and shared only with the AuC of the user's home network
o Algorithm A3 takes RAND and Ki and generates SRES as output
o RAND and Ki are 128 bits long
o SRES is 32 bits long
The value of SRES computed by the terminal is signalled to the network where it is compared with the stored precomputed value
o If the two values agree the user is authenticated and the call is allowed to proceed
o If the values are different access is denied
The terminal uses Algorithm A8 to generate a session key Kc from RAND and Ki
o Kc is 64 bits long.
The BTS receives the same session key Kc from the MSC.
o The AuC of the user's home network can generate Kc because the HLR knows RAND and Ki
o In practice Kc is precomputed by the AuC
At the end of a successful authentication exchange both the MS and BTS possess Kc.
The Kc is used until the network decides to authenticate the user again, which may be several days later.
The precomputed triplets (RAND, SRES, Kc), held by the HLR on behalf of a subscriber, are passed by the home network's AuC on demand to networks visited by the subscriber.
COMP128 is an algorithm that combines A3 and A8 and generates SRES and Kc together
o It takes RAND and Ki as input, which are both 128 bits long, and generates a 128 bit output
o The first 32 bits of the output are taken to be SRES
o The last 54 bits of the output form the session key
o Ten zero bits are added to the session key to give a 64 bit key
o The keyspace is effectively only 54 bits
COMP128 or both A3 and A8 are stored in the SIM card to prevent tampering.
This authentication works abroad because the local network does not have to know anything about these algorithms; it obtains the triplets (RAND, SRES, Kc) from the subscriber's home network.
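The challenge-response exchange and triplet handling described above, as an added example that is not part of the original slides. HMAC-SHA-256 is a labelled stand-in for COMP128, the class and function names are hypothetical, the IMSI and Ki are constructed test values, and placing the ten zero bits at the low-order end of Kc is an assumption.

```python
import hashlib
import hmac
import secrets

def comp128_standin(ki, rand):
    """Labelled stand-in for COMP128 (NOT the real algorithm): 128 bits out."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:16]

def a3_a8(ki, rand):
    """Split the 128-bit output into SRES and Kc as the slides describe."""
    out = int.from_bytes(comp128_standin(ki, rand), "big")
    sres = (out >> 96).to_bytes(4, "big")      # first 32 bits -> SRES
    kc54 = out & ((1 << 54) - 1)               # last 54 bits -> session key
    kc = (kc54 << 10).to_bytes(8, "big")       # ten zero bits added -> 64-bit Kc
    return sres, kc

class AuC:
    """Home network: the only party besides the SIM that knows Ki."""
    def __init__(self):
        self.ki_by_imsi = {}
    def triplets(self, imsi, n=3):
        ki, batch = self.ki_by_imsi[imsi], []
        for _ in range(n):
            rand = secrets.token_bytes(16)     # 128-bit random challenge
            batch.append((rand, *a3_a8(ki, rand)))
        return batch

class Sim:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki
    def respond(self, rand):                   # Ki never leaves the card
        return a3_a8(self._ki, rand)

class ServingNetwork:
    """Visited MSC/VLR: holds precomputed triplets, never Ki."""
    def __init__(self, home_auc):
        self.auc, self.vlr, self.hlr_requests = home_auc, {}, 0
    def authenticate(self, sim):
        if not self.vlr.get(sim.imsi):         # Case 1: no unused triplets left
            self.vlr[sim.imsi] = self.auc.triplets(sim.imsi)
            self.hlr_requests += 1
        rand, expected, kc = self.vlr[sim.imsi].pop(0)  # Case 2: reuse the VLR
        sres, kc_ms = sim.respond(rand)        # RAND down, SRES back up
        ok = hmac.compare_digest(sres, expected)
        return ok, kc if ok else None, kc_ms

if __name__ == "__main__":
    imsi, ki = "001010123456789", bytes(range(16))   # constructed test values
    auc = AuC()
    auc.ki_by_imsi[imsi] = ki
    print(ServingNetwork(auc).authenticate(Sim(imsi, ki)))
```

Only the SIM answers a challenge here; nothing in the exchange lets it check who sent RAND, which is the one-way authentication noted earlier.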
User and signalling data confidentiality
This service has three components
1. Confidentiality of user data and signalling information on physical connections
• Provides privacy for all user generated data (voice and non-voice) transferred over traffic channels
2. Connectionless user data confidentiality
• Provides privacy for all user data transferred in packet mode on a dedicated signalling channel
3. Signalling information element confidentiality
• Provides privacy for user related signalling elements transferred on a dedicated signalling channel
All three components use the same encryption mechanism and must be supported by all networks and mobile terminals.
Encryption is done using algorithm A5, which produces a key stream under control of Kc, the session key established as part of the authentication procedure.
It is essential that the MS and BTS synchronize the start of their encryption algorithms
o Synchronization of the key stream is maintained using the TDMA frame structure of the radio subsystem
o The TDMA frame number is used as a message key for encryption algorithm A5
o A5 produces a synchronized key stream for enciphering and deciphering the data bits in the frame
Two versions of A5 are currently used A5
Subscriber Identity Confidentiality
This service allows subscribers to make calls and update their location without revealing their IMSI on the radio path
o It prevents location tracking of subscribers
o All GSM networks and terminals must be able to support the service
o Use of this service is not mandatory
o The temporary mobile subscriber identity (TMSI) is used to provide the service
o The TMSI is securely updated after each successful access to the system
o Signalling elements that convey information about the IMSI are sent encrypted
In principle, the IMSI need only be transmitted in the clear on registration.
The mechanism works as follows
o Assume the MS has been allocated a TMSI denoted by TMSI0 and that the network knows the relationship between TMSI0 and the subscriber's IMSI.
o The MS identifies itself to the network by sending TMSI0
o After authentication (if this takes place), the network generates a new TMSI denoted by TMSI1 and sends this to the MS encrypted using Kc
o The MS decrypts TMSI1 and replaces TMSI0 with TMSI1
Attacks on GSM Security
Microwave links
In many cases the base transceiver station to base station controller link is a point-to-point microwave link
o This is a potential security hole in the GSM system
o Data at this point is generally unencrypted because when GSM was designed it was expected that this link would be a fixed link
o Some operators implement lower layer bulk encryption to protect data in the microwave link.
Attacks on the Algorithm A3
The Smart Card Developer Association and the ISAAC security research group found a flaw in the COMP128 algorithm in 1998.
This flaw can be used to find the secret key Ki from the SIM card if approximately 160,000 chosen RAND-SRES pairs can be collected
o If the user's mobile phone is stolen and the SIM card removed and connected to a phone emulator, the emulator can be used to send 160,000 chosen RAND to the SIM card and receive the SRES
o This can take up to 10 hours
Alternatively, a false BTS could be used to send the chosen RAND over the air interface
o This could take days but the attacker does not need possession of the SIM card
Once the attacker has the key Ki they can eavesdrop on the subscriber's calls and run up calls on the subscriber's bill.
Partition Attack
Side channel attacks are indirect attacks that determine the relationship between input-output information from power consumption, timing of operations, etc.
With physical access to the SIM card it is possible to extract Ki by a side channel attack called the 'partition attack' developed by IBM researchers
o It can be applied where large table lookups are used or where countermeasures against differential side channel analysis have not been properly applied
o COMP128 uses a large table lookup and can be broken by a partition attack that with 255 chosen inputs or 8 adaptively chosen inputs can extract Ki in less than a minute
GSM network operators are slowly migrating from COMP128 (also known as COMP128-1) to COMP128-2 or COMP128-3. Because the A3 and A8 algorithms are stored in the Subscriber Identity Module, this requires changing the GSM subscribers' SIM cards.
Attacks on A5 algorithm
If an attacker obtains the session key Kc they can find the key stream used for encryption [...] if plaintext is known and an attempt is made to determine the initial states of the LFSRs from a known key stream sequence.
Biryukov, Shamir, and Wagner attacked A5