IIR-tutorial-1

USECA
3G Security: Background and Context
Peter Howard
Research and Standards Engineer
Communications Security and Advanced Development
Vodafone Limited
peter.howard@vf.vodafone.co.uk
IIR Fraud and Security Conference, March 2000 - 1 - 3G Security: Background and Context
Contents
• Review of GSM security
• Principles and objectives for 3G security
• 3G threat analysis and security requirements capture
GSM security
• One of the aspects of GSM that has played a significant part in
its global appeal is its set of security features
• GSM was the first public telephone system to use integrated
cryptographic mechanisms
• By virtue of GSM penetration, these mechanisms have achieved
the status of being the most widespread household use of
cryptography
• GSM security model has been adopted, modified and extended
for DECT, TETRA and now 3GPP
Background
• Security has always been an issue for mobile telephones
– Scanners to eavesdrop calls
– Re-chipped mobiles to commit fraud by making calls on
someone else’s bill
– Low power base stations to capture identities required to re-chip
mobiles for organised cloning
• Against this background, some GSM designers decided to
provide the system with an integrated set of security features
• Others were concerned that cryptographic mechanisms would
unduly complicate the system and make mobile telephones too
large, too complex or simply unreliable
• Integration of cryptographic mechanisms met with some
resistance and some restrictions were imposed
GSM security objectives
• The most significant restriction was that GSM only needed to be
as secure as the fixed networks to which it would be connected
– Interpreted to mean that wherever fixed network technology
was used cryptographic features were not needed (they
are, after all, not generally used by fixed carriers)
• Protection against so-called active attacks which involved
impersonating a network element was not addressed
• These restrictions became design constraints intended to
ensure low complexity of the security features and low impact
on system performance
• In hindsight the concerns about complexity were largely
unfounded
GSM security features
• Secure user access to telecommunications services
– Allows a network operator to authenticate the identity of a
user in such a way that it is practically impossible for
someone to make fraudulent calls by masquerading as a
genuine user
• User and signalling traffic confidentiality
– Protects user traffic, both voice and data, and sensitive
signalling data, such as dialled telephone numbers, against
eavesdropping on the radio path
• User anonymity
– Designed to protect the user against someone, who knows
the user’s IMSI, from using this information to track the
location of the user or to identify calls made to or from that
user by eavesdropping on the radio path
GSM security mechanisms
• Cryptographic authentication verifies the subscription with the
home network when service is requested
– Challenge / response authentication protocol based on a
subscriber specific secret authentication key
• Radio interface encryption prevents eavesdropping and
authenticates the use of the radio channel - the latter is often
forgotten
– The encryption mechanism is based on a symmetric stream
cipher
– The key for encryption is established as part of the
authentication protocol
• The allocation and use of temporary identities helps to provide
user anonymity
The SIM
• The SIM (Subscriber Identity Module) is the basis of the
provision and management of GSM security features
• It is a smart card based security module which is inserted into
the MS (Mobile Station)
• With the exception of traffic encryption, all security functions at
the user side of the radio interface are implemented on the SIM
• The SIM contains all the identification data and cryptographic
keys that the subscriber needs to make or receive a call
• The SIM is the object of the home network’s location
management and the SIM to which calls are charged
• A smart card is used to prevent duplication of the subscription
by maintaining secrecy of the authentication key
Overview of the GSM security architecture
• Authentication and key agreement
• Encryption
• Allocation and use of temporary identities
Authentication and key agreement
• The subscriber-specific secret authentication key and the
security algorithms for authentication and key agreement are
only contained
– At the network side, in the Authentication Centre (AuC)
associated with the Home Location Register (HLR)
– At the user side, in the Subscriber Identity Module (SIM)
inserted into the Mobile Station (MS)
• Security data is generated in the HLR/AuC and distributed to the
Visitor Location Register (VLR) as part of registration - this
allows the VLR to authenticate and agree an encryption key with
the user
• Security data is typically sent in batches which means that the
serving network can authenticate and agree a new encryption
key with the user several times before having to contact the
home system again
Authentication and key agreement protocol
• Protocol goals
– Authentication of the user
– Agreement of a shared secret encryption key
• Mechanism properties
– Symmetric key authentication based on a shared secret
subscriber authentication key contained in the AuC and SIM
– User authentication by challenge / response
– Encryption key derived from authentication key and
challenge
Authentication and key agreement protocol
[Figure: message flow between MS/SIM, MSC/VLR and HLR/AuC]
MSC/VLR -> HLR/AuC: Authentication Data Request
HLR/AuC: RAND and Ki are input to A3 and A8, giving XRES and Kc
HLR/AuC -> MSC/VLR: {RAND, XRES, Kc}
MSC/VLR -> MS/SIM: RAND
MS/SIM: RAND and Ki are input to A3 and A8, giving RES and Kc
MS/SIM -> MSC/VLR: RES
Ki: Subscriber authentication key
A3: Algorithm for calculating RES
A8: Algorithm for calculating Kc
RAND: User challenge
(X)RES: (Expected) user response
Kc: Encryption key
{RAND, XRES, Kc}: Security triplet
MS/SIM: Mobile Station / Subscriber Identity Module
MSC/VLR: Mobile Switching Centre / Visitor Location Register
HLR/AuC: Home Location Register / Authentication Centre
Encryption
• The VLR uses security data generated in the HLR/AuC to agree
an encryption key with the user during authentication of the user
• The VLR selects a GSM security triplet from the batch received
from the HLR/AuC
• The VLR sends the RAND to the user and compares the user
response RES with the expected response XRES in the triplet
• During call establishment, an encrypted mode of transmission is
established where the MSC/VLR transports the current Kc to the
base station and then instructs the MS to select the same Kc
generated in the SIM during authentication
• Once the encryption keys are in place, the encryption of user
traffic between the mobile station and the base station is started
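The authentication and key agreement exchange described on the preceding slides, including the use of a batch of triplets by the VLR, as an added example that is not part of the original presentation. HMAC-SHA256 stands in for the operator's A3 and A8, and the class names, the batch size of 3 and the test IMSI are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3 and A8 (assumption: HMAC-SHA256, not a GSM algorithm).
    Returns (32-bit response, 64-bit Kc), both derived from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """Home network: the only network element that holds Ki."""
    def __init__(self):
        self._ki = {}                               # IMSI -> Ki
    def provision(self, imsi):
        self._ki[imsi] = secrets.token_bytes(16)
        return self._ki[imsi]                       # personalised into the SIM
    def triplets(self, imsi, n):
        rands = [secrets.token_bytes(16) for _ in range(n)]   # 128-bit challenges
        return [(r, *a3_a8(self._ki[imsi], r)) for r in rands]

class SIM:
    def __init__(self, ki):
        self._ki = ki                               # stays on the card
    def run(self, rand):
        return a3_a8(self._ki, rand)                # (RES, Kc)

class VLR:
    """Serving network: works from triplets and never sees Ki."""
    def __init__(self, auc):
        self.auc, self.store, self.requests = auc, {}, 0
    def authenticate(self, imsi, sim):
        if not self.store.get(imsi):                # batch used up
            self.store[imsi] = self.auc.triplets(imsi, 3)
            self.requests += 1                      # Authentication Data Request
        rand, xres, kc = self.store[imsi].pop(0)    # a triplet is used once
        res, kc_sim = sim.run(rand)
        if not hmac.compare_digest(res, xres):
            return None                             # RES differs from XRES: reject
        return kc, kc_sim                           # network Kc, SIM Kc

def demo(imsi="001010000000001"):                   # constructed test IMSI
    auc = AuC()
    vlr, sim = VLR(auc), SIM(auc.provision(imsi))
    keys = [vlr.authenticate(imsi, sim) for _ in range(3)]
    requests = vlr.requests                         # one batch served all three
    wrong_ki = vlr.authenticate(imsi, SIM(secrets.token_bytes(16)))
    return keys, requests, wrong_ki
```

Ki never appears in the VLR class: the serving network can authenticate the user and obtain Kc while the secret stays in the AuC and the SIM.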
The encryption mechanism
• The layer 1 data flow (DCCH or TCH) is encrypted before
modulation but after interleaving using the A5 stream cipher and
the encryption key Kc
• Plaintext is organised into blocks of 114 bits which are
transmitted during a time slot - successive slots for a given
physical channel are separated by at least 4.615 ms
• For encryption, A5 produces, each 4.615 ms, a sequence of
2x114 encryption bits (the keystream) which are bit-wise modulo
2 added to the plaintext blocks in each direction of transmission
• Decryption is performed by exactly the same method
• For each slot, decryption is performed on the MS side using the
first block of 114 keystream bits, and encryption is performed
using the second block
• On the BS side, the first block is used for encryption and the
second for decryption
The encryption mechanism
[Figure: encryption between MS/SIM and BS, following the authentication and key agreement protocol between MS/SIM and MSC/VLR]
Kc is held at the MS/SIM, the BS and the MSC/VLR
Uplink traffic: plaintext -> A5 (Kc) at MS/SIM -> ciphertext -> A5 (Kc) at BS -> plaintext
Downlink traffic: plaintext -> A5 (Kc) at BS -> ciphertext -> A5 (Kc) at MS/SIM -> plaintext
Kc: Encryption key
A5: Algorithm for encryption / decryption
MS/SIM: Mobile Station / Subscriber Identity Module
BS: Base Station
MSC/VLR: Mobile Switching Centre / Visitor Location Register
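How the two blocks of 114 keystream bits are assigned to the two directions, as an added example that is not part of the original presentation. SHAKE-128 stands in for A5, and the frame counter input, the function names and the sample Kc and plaintexts are assumptions of this example.

```python
import hashlib

BLOCK_BITS = 114
MASK = (1 << BLOCK_BITS) - 1

def keystream(kc: bytes, frame: int):
    """Stand-in for A5 (assumption: SHAKE-128 over Kc and a frame counter).
    Returns the first and second block of 114 keystream bits for one frame."""
    raw = hashlib.shake_128(kc + frame.to_bytes(4, "big")).digest(29)  # 232 bits
    bits = int.from_bytes(raw, "big") >> 4                             # keep 2 x 114
    return bits >> BLOCK_BITS, bits & MASK

# Encryption and decryption are the same modulo 2 addition; only the block differs.
def bs_encrypt(kc, frame, plaintext):      # downlink, BS side: first block
    return plaintext ^ keystream(kc, frame)[0]

def ms_decrypt(kc, frame, ciphertext):     # downlink, MS side: first block
    return ciphertext ^ keystream(kc, frame)[0]

def ms_encrypt(kc, frame, plaintext):      # uplink, MS side: second block
    return plaintext ^ keystream(kc, frame)[1]

def bs_decrypt(kc, frame, ciphertext):     # uplink, BS side: second block
    return ciphertext ^ keystream(kc, frame)[1]

def demo():
    kc = bytes.fromhex("0123456789abcdef")             # constructed 64-bit Kc
    down = int.from_bytes(b"downlink burst", "big")    # constructed, fits 114 bits
    up = int.from_bytes(b"uplink burst 1", "big")      # constructed, fits 114 bits
    frame = 7
    c_down, c_up = bs_encrypt(kc, frame, down), ms_encrypt(kc, frame, up)
    return {
        "downlink_ok": ms_decrypt(kc, frame, c_down) == down,
        "uplink_ok": bs_decrypt(kc, frame, c_up) == up,
        # With one shared block, c_down ^ c_up would equal down ^ up.
        "directions_independent": c_down ^ c_up != down ^ up,
        "fresh_per_frame": keystream(kc, frame) != keystream(kc, frame + 1),
    }
```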
Allocation and use of temporary identities
• The user must be identified before the network can perform
authentication and key agreement or start the encryption mechanism
• To provide user identity and location confidentiality (user anonymity)
temporary identities are used
• In the case of the first registration, or if VLR data is not available, the
IMSI is used
• Subsequently, a temporary identity (TMSI) is allocated by the network
and distributed to the user over the encrypted signalling channel
• The temporary identity is then used to identify the user either on the
paging channel or on the initial message from the mobile to the core
network
• Once the temporary identity has been used to identify a user, a new
one can be allocated over the encrypted signalling channel
• In general, a temporary identity should only be used once to identify a
user
Allocation and use of temporary identities
[Figure: identity exchange between MS/SIM and MSC/VLR]
MS/SIM -> MSC/VLR: IMSI (for first time, or if data not available in current VLR)
subscriber authentication and ciphering
MSC/VLR -> MS/SIM: TMSI (encrypted)
subsequent location updates:
MS/SIM -> MSC/VLR: old TMSI (unencrypted)
subscriber authentication and ciphering
MSC/VLR -> MS/SIM: new TMSI (encrypted)
MS/SIM: Mobile Station / Subscriber Identity Module
MSC/VLR: Mobile Switching Centre / Visitor Location Register
Security for later GSM developments
• GPRS security
– Same architecture for authentication and key agreement
– Encryption applied at LLC layer and extended further back
into core network
– New encryption algorithms
• SIM toolkit security
– Allows a secure channel to be established between the SIM
and a network server
– For applications which demand security features beyond
those originally offered by GSM
• applications in electronic commerce
• secure remote management of SIMs or mobile stations
Limitations considered
• COMP-128
• A5/1
• False base station attacks
• Encryption key length
• Termination of encryption in the base station
• Core network signalling security
Lessons to be learnt
• Take advantage of the changing environment when designing
algorithms
• Consider active attacks as part of the threat analysis
• Extend the length of cryptographic parameters where appropriate
• Terminate encryption further back in the network
• Protect the signalling infrastructure in the core network