Network Security: Cellular Networks PDF

Summary

This document is a presentation on network security, specifically focused on cellular networks. It covers topics such as GSM, UMTS, LTE, and 5G, along with their security features and architectures. It includes information about security mechanisms, components, and terminologies.

Full Transcript

Network Security IX. Cellular Networks
Prof. Dr. Torsten Braun, Institut für Informatik Bern, 11.11.2024 – 18.11.2024

Table of Contents
1. Introduction
2. GSM (2G)
3. UMTS (3G)
4. LTE (4G)
5. 5G

1. Introduction - 1. Literature
Books
- Eberspächer et al.: GSM – Architecture, Protocols and Services, 3rd edition
- Forsberg et al.: LTE Security, 2nd edition
- Penttinen (ed.): The LTE/SAE Deployment Handbook
- Kreher et al.: LTE Signaling
- Penttinen: 5G Explained
Articles
- Ahmad et al.: Security for 5G and Beyond, IEEE Communications Surveys & Tutorials, Vol. 21, No. 4, 2019
- Zou et al.: A Survey on Wireless Security, Recent Advances and Future Trends, Proceedings of the IEEE, Vol. 104, No. 9, September 2016

1. Introduction - 2. Security Evolution
(Figure only.)

2. GSM - 1.1 Components
(Figure: GSM architecture. Radio Subsystem: Mobile Station; Base Station Subsystem: BTS, BSC; Network and Switching Subsystem: MSC, VLR, HLR, AUC, EIR; Operation and Maintenance Subsystem: OMC.)
2. GSM - 1.2 Components
- Mobile device
  - Subscriber Identity Module for user identification
  - Tamper-resistant smart-card
  - stores
    - static data, e.g., identifiers, authentication keys, serial number
    - dynamic data, e.g., location information, carrier frequencies, encryption keys, short messages, telephone numbers
- Base Station Subsystem
  - Base Transceiver Station
  - Base Station Controller
- Mobile Switching Center
- Home Location Register
  - per GSM network
  - entries for each registered user with its fixed and temporary data, e.g., ISDN number, subscribed services, current location
- Visitor Location Register
  - for one or more MSC regions
  - includes data of visiting users
  - registration of a mobile station via MSC
  - informs user's HLR
- Operation and Maintenance Center
- Authentication Center
- Equipment Identity Register

2. GSM - 2. Tables
(Figure: which identifiers and keys each element stores. Elements: BTS, BSC, MSC, VLR, EIR, SIM, HLR, AUC. Identifiers and keys shown: CI, LAI, BSIC, IMEI, LMSI, MSRN, IMSI, TMSI, MSISDN, Random Number RAND, Signature Response SRES, Ki, Kc, PIN, PUK.)
2. GSM - 3. Terminology
- International Mobile Station Subscriber Identity (IMSI)
  - for accounting purposes
- Mobile Subscriber ISDN Number (MSISDN)
- Mobile Station Roaming Number (MSRN)
  - temporary location-dependent ISDN number
  - assigned by VLR to mobile station
  - allows identification of responsible MSC
- Temporary Mobile Subscriber Identity (TMSI)
  - for unique identification of a subscriber (TMSI + LAI) during visit of VLR region
  - replaces IMSI
- Local Mobile Station Identity (LMSI)
  - to support fast search
- Cell Identifier (CI)
  - for cell identification
- Base Transceiver Station Identity Code (BSIC)
  - broadcast by base stations, to distinguish base stations
- Personal Identity Number (PIN)
  - for SIM activation
- PIN Unblocking Key (PUK)
  - for de-blocking after wrong PIN inputs
- Authentication key Ki
- Encryption key Kc
- Location Area Identity (LAI)
  - broadcast by base station to support LAI change

2. GSM - 4. Security Functions
- Subscriber identity confidentiality
- Subscriber identity authentication
- Signaling information element confidentiality
- Data confidentiality

2. GSM - 5.1 Subscriber Identity Protection I
- use TMSI instead of IMSI on radio channel for identification of subscribers
- TMSI is issued by VLR when MS changes between LAs.
(Figure: message sequence between MS and BS/MSC/VLR: MS sends LAIold, TMSIold; resource setup and ciphering commencement; network assigns TMSInew as Ciphered(TMSInew); MS acknowledges.)

2. GSM - 5.2 Subscriber Identity Protection II
In certain cases, the IMSI is requested from MS:
- VLR database failures
- No correct subscriber data available (loss of TMSI, unknown TMSI)
(Figure: MS sends LAIold, TMSIold; TMSIold is unknown, so the network sends Request ID and the MS answers with its IMSI; resource setup and ciphering commencement; Assign TMSInew as Ciphered(TMSInew); Ack.)
2. GSM - 6. Cryptographic Algorithms
- A3: Subscriber Authentication
- A8: Key Generation
- A3 and A8 are based on COMP algorithm
  - COMP with hashing 256 to 128 bits
  - relatively insecure
- A5: Radio Encryption
  - A5/1: weak stream cipher
  - A5/2: weaker than A5/1
  - A5/3: based on KASUMI block cipher in counter mode, 9 rounds with 64-bit keys
  - A5/4: A5/3 with 128-bit keys

2. GSM - 7.1 Weakly Secure Authentication
- Secret authentication key Ki is stored at SIM.
- Signature Response SRES = Ki(RAND)
- Transmission of Ki from AUC to VLR needed
(Figure: MS holds IMSI and Ki; VLR holds Ki and chooses RAND; both sides compute SRES = A3(Ki, RAND) and the VLR compares the two values.)

2. GSM - 7.2 Generation of Security Data for HLR
- Security data calculated by AUC allows keeping Ki at AUC.
- Kc: encryption key
(Figure: HLR sends Authentication Information Request (IMSI) to AUC; AUC computes SRES and Kc from RAND and Ki with A3 & A8 and returns Authentication Information (IMSI, Kc, RAND, SRES).)

2. GSM - 7.3 Highly Secure Subscriber Authentication
Authentication information (RAND, SRES) can be pre-calculated by AUC, stored by HLR and retrieved by VLR.
(Figure: BS/MSC/VLR sends Authentication Information Request (IMSI) to HLR/AUC; AUC computes SRES[n] = A3(Ki, RAND[n]) and answers with Authentication Vector Response (RAND[n], SRES[n]).)

2. GSM - 8.1 Encryption of Signalling and User Data
(Figure: transmit chain of channel coding, burst formation, encryption, modulation and transceiver. VLR supplies RAND and IMSI; SIM and network each derive Kc = A8(Ki, RAND); A5 with Kc turns Data into Kc(Data); the ciphered link ends at the BTS.)

2. GSM - 8.2 Combining Payload Data and Ciphering Stream
(Figure: at sender and receiver, A5 takes Kc and the frame number FN and produces the key flow, e.g., 0 1 1 0 0 1 0 ...; the user data flow, e.g., 1 0 1 1 0 0 1 ..., is XORed (+) with the key flow on both sides.)

2. GSM - 9.1 Location Registration
(Figure only.)

2. GSM - 9.2 Location Update I
(Figure only.)

2. GSM - 9.3 Location Update II
(Figure only.)
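The GSM authentication triplet flow and the per-frame XOR ciphering of slides 7.1 to 8.2 can be tried out with the following Python model. It is an added example, not code from the lecture or from any GSM implementation: A3, A8 and A5 are replaced by truncated HMAC-SHA256 stand-ins (the real algorithms are COMP128 variants and the A5/1 stream cipher), the IMSI and Ki are constructed sample values, and the AuC, SIM and VLR classes are assumptions made for the illustration. It shows what the slides state: the AuC pre-computes (RAND, SRES, Kc) so that Ki never leaves it, the VLR only compares SRES, Kc together with the frame number drives the keystream, and nothing in the exchange lets the SIM authenticate the network.

```python
import hashlib
import hmac
import os

# Stand-ins for the GSM algorithms (assumption: HMAC-SHA256 truncated to the GSM
# output sizes; the real A3/A8 are COMP128 variants, the real A5/1 an LFSR cipher).

def a3(ki: bytes, rand: bytes) -> bytes:
    """A3, subscriber authentication: 32-bit SRES from Ki and the 128-bit RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """A8, key generation: 64-bit cipher key Kc from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_keystream(kc: bytes, frame_number: int, downlink: bool) -> bytes:
    """A5, radio encryption: one keystream per frame and direction, keyed by Kc and
    the frame number FN (stand-in emits 16 bytes; A5/1 emits 114 bits per direction)."""
    fn = frame_number.to_bytes(4, "big") + (b"D" if downlink else b"U")
    return hmac.new(kc, b"A5" + fn, hashlib.sha256).digest()[:16]

def a5_crypt(kc: bytes, frame_number: int, downlink: bool, burst: bytes) -> bytes:
    """XOR the burst payload with that frame's keystream (slide 8.2). The same call
    decrypts, because XOR is its own inverse."""
    keystream = a5_keystream(kc, frame_number, downlink)
    if len(burst) > len(keystream):
        raise ValueError("one frame's keystream covers one burst payload")
    return bytes(b ^ k for b, k in zip(burst, keystream))

class AuC:
    """Authentication Centre: the only element that ever holds Ki (slide 7.2)."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def authentication_info(self, imsi: str, count: int = 3) -> list:
        """Pre-compute triplets (RAND, SRES, Kc) for HLR/VLR (slide 7.3)."""
        ki = self._ki_by_imsi[imsi]
        rands = [os.urandom(16) for _ in range(count)]
        return [(r, a3(ki, r), a8(ki, r)) for r in rands]

class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple:
        """Answer any RAND with (SRES, Kc). The SIM cannot tell who generated RAND:
        GSM authenticates the subscriber only, never the network (slide 7.1)."""
        return a3(self._ki, rand), a8(self._ki, rand)

class VLR:
    """Visited network: challenges the MS with RANDs taken from stored triplets."""

    def __init__(self, auc: AuC):
        self._auc, self._triplets, self._pending, self.kc_by_imsi = auc, {}, {}, {}

    def challenge(self, imsi: str) -> bytes:
        if not self._triplets.get(imsi):
            self._triplets[imsi] = self._auc.authentication_info(imsi)
        rand, sres, kc = self._triplets[imsi].pop(0)
        self._pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi: str, sres: bytes) -> bool:
        expected, kc = self._pending.pop(imsi)
        if not hmac.compare_digest(expected, sres):
            return False
        self.kc_by_imsi[imsi] = kc  # Kc goes to the BTS for A5 (slide 8.1)
        return True

def authenticate_and_cipher(sim: SIM, vlr: VLR, burst: bytes, frame_number: int) -> tuple:
    """Challenge, response, then one ciphered uplink burst.
    Returns (authenticated, ciphertext, plaintext recovered by the network)."""
    rand = vlr.challenge(sim.imsi)
    sres, kc_ms = sim.run_gsm_algorithm(rand)
    if not vlr.verify(sim.imsi, sres):
        return False, b"", b""
    ciphertext = a5_crypt(kc_ms, frame_number, False, burst)
    recovered = a5_crypt(vlr.kc_by_imsi[sim.imsi], frame_number, False, ciphertext)
    return True, ciphertext, recovered

# Constructed sample subscriber (test PLMN 001-01); not real credentials.
SAMPLE_IMSI = "001010123456789"
SAMPLE_KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def demo() -> tuple:
    auc = AuC()
    auc.provision(SAMPLE_IMSI, SAMPLE_KI)
    vlr = VLR(auc)
    ok, ct, pt = authenticate_and_cipher(SIM(SAMPLE_IMSI, SAMPLE_KI), vlr, b"hello GSM", 42)
    # A SIM with the wrong Ki returns a wrong SRES and is rejected by the VLR.
    bad_ok, _, _ = authenticate_and_cipher(SIM(SAMPLE_IMSI, bytes(16)), vlr, b"x", 43)
    return ok, pt == b"hello GSM" and ct != b"hello GSM", bad_ok  # (True, True, False)
```

demo() returns (True, True, False): the genuine SIM authenticates and its ciphered burst decrypts on the network side, while a SIM with the wrong Ki is rejected. Note that the VLR class never receives Ki, only triplets, which is the point of slides 7.2 and 7.3.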
2. GSM - 9.4 Outgoing Call
(Figure only.)

2. GSM - 9.5 Incoming Call
(Figure only.)

2. GSM - 9.6 SMS
(Figure only.)

3. UMTS - 1.1 Network Architecture (3GPP Release 99)
(Figure: ME with USIM; Access Network, e.g., UTRAN (Node B, RNC) or GERAN (GSM/EDGE RAN); Core Network with Packet Switched Domain (SGSN, GGSN, towards the Internet), Circuit Switched Domain (MSC, GMSC, towards PSTN and ISDN) and Register (AUC, EIR, HLR).)

3. UMTS - 1.2 Components
- Radio Network Controller
- Radio Access Network
- UMTS Terrestrial RAN
- General Packet Radio Service
- GPRS Support Node
  - Serving GSN
  - Gateway GSN
- Mobile Equipment
- Universal SIM

3. UMTS - 2. UMTS Approaches Addressing GSM Security Weaknesses
- Possible active attacks by false networks
  → mutual authentication
- Encryption keys and credentials are transmitted in clear text between and within networks
  → network domain security
- Encryption only covers radio interface
  → 3G encryption between ME and RNC
- No data integrity
  → signaling integrity protection
- Home network does not know whether Serving Network authenticates mobile users
  → mandatory integrity and authentication

3. UMTS - 3. Authentication and Key Agreement
- Permanent key K shared between ME and AUC. K never leaves ME and AUC.
- Authentication after transmitting IMSI or TMSI to VLR or SGSN
- AUC generates authentication vectors for users.
- Prerequisites
  - Users trust their home networks.
  - Secure network between home network and SN
  - Symmetric key-based functions f1-f5
- Goals
  - Entity authentication
  - Session key agreement and freshness
  - User identity confidentiality (TMSI)

3. UMTS - 4. Encryption Parameters
- Cipher Key is obtained by RNC from AUC.
- Counter: Connection Frame Number and Hyperframe Number
- Radio Bearer Identity
- Direction: uplink / downlink
(Figure, labelled Radio Link Control.)

3. UMTS - 5. Integrity Protection Parameters
- Secret key IK generated during AKA procedure
- Random number FRESH as protection against replay attacks
(Figure, labelled Radio Resource Control.)

3. UMTS - 6. Identity Confidentiality
- TMSI and P-TMSI for CS and PS domains.
- (P-)TMSI are transferred to user once encryption has been turned on.
- (P-)TMSI are used for paging, location update, attach and detach procedures.
- If UE arrives in a new area, the association between IMSI and (P-)TMSI can be derived from old location area.
- If old area can not be determined or contacted, then IMSI must be requested from ME.
- Possible risk at places where people switch on their phones, e.g., airports

3. UMTS - 7. Cryptographic Algorithms
- KASUMI
- SNOW 3G
- UIA2
(Figure: block diagrams with the labels R1, R2, R3, Linear Feedback Shift Register, Finite State Machine, Register, One Time Password.)

3. UMTS - 8. Network Domain Security
- Security domain is administrated by a single authority, i.e., a single operator
- Security gateways at border of domains
- Services by NDS/IP
  - Data integrity
  - Data origin authentication
  - Anti-replay protection
  - Confidentiality
  - Limited protection against traffic analysis
- Mechanisms
  - IPsec ESP SAs
  - IKE
  - Transport Layer Security

3. UMTS - 9. WLAN Interworking with EAP-Authentication and Key Agreement
- Security procedures to support users accessing 3G networks via WiFi
- Approach: use (U)SIM for Authentication, Authorization, and Accounting
- EAP methods
  - EAP-SIM (GSM)
  - EAP-AKA (3G)
(Figure: message sequence, of which only steps 3 to 5 are given as text.)
3. EAP server fetches authentication vectors and sends random number and authentication token to peer.
4. Peer decrypts parts of message with keys from USIM and responds to challenge.
5. EAP Server checks RES/XRES and confirms message integrity.

4. LTE - 1. Network Architecture: Evolved Packet System
Evolved Packet Core (EPC)
- Mobility Management Entity (MME)
  - Authentication
  - Mobility management and handover
  - Bearer and connection management
- Home Subscription Server (HSS)
  - stores authentication and subscription information
- PDN Gateway (PGW)
  - bridging EPC to the Internet
  - Packet Data Network
- Policy and Charging Rules Function (PCRF)
  - Filtering rules for PGW
- Serving Gateway (SGW)
  - Mobility anchor for UE
Radio Access Network (RAN)
- evolved Node B (eNB)
  - Scheduling and resource control
- User Equipment (UE)
(Figure: EPC (PCRF, PGW, HSS, MME, SGW) connected to the Internet; S1-MME (control) and S1-U (data) between EPC and eNBs, X2 between eNBs; UE attached to the RAN.)

4. LTE - 2.1 EPS Security Features
- User and Device Confidentiality
  - Transmission of device identities after traffic protection activation
- Mutual UE and Network authentication
- User and Signaling Data Confidentiality
- Signaling Data Integrity
- eNB platform security
- Lawful interception
- Emergency calls
- Interworking Security with other systems
- Network Domain Security (from 3G)

4. LTE - 2.2 EPS Design Decisions
- Permanent Security Association between UE and AUC
- End-to-end encryption between UE and MME for Non-Access Stratum signaling
- Delegated Authentication
  - MME requests authentication vectors from HSS, checks authentication response and distributes session keys.
- Termination of encryption and integrity protection deeper in the network
- Reuse of 3G USIMs, but no reuse of 2G SIMs
- Advanced Key Hierarchy
- Key Separation in Handovers
  - Problem: Key handover in case of handovers
  - MME must provide fresh keys to eNBs after handovers.

4. LTE - 3.1 EPS Security Architecture
- MME triggers AKA protocol with UE (= ME + UICC).
- MME and UE share key KASME to derive keys for encryption and authentication for signaling and data
- Another key is derived for eNB

4. LTE - 3.2 EPS Signaling Plane Protection
(Figure only.)

4. LTE - 3.3 Data Plane Protection
(Figure only.)

4. LTE - 4.1 EPS Authentication and Key Agreement
- Identification
  - User identification based on IMSI using Globally Unique Temporary UE Identity (like TMSI)
  - Transmission of IMSI after activation of NAS security
- AKA procedure
  - Generation of EPS authentication vectors
  - Mutual authentication of SN and UE
  - Keys are bound to SN
  - Distribution of authentication data inside SN

4. LTE - 4.2 Authentication Vector Generation in HSS
(Figure with the following elements: Sequence Number (SQN); expected Response (XRES); 128-bit random number (RAND); KASME: local master key, Access Security Management Entity (ASME); Cipher Key (CK); Integrity Key (IK); Anonymity Key (AK); Authentication Management Field (AMF); Key Derivation Function (KDF); Authentication Token (AUTN).)

4. LTE - 4.3 User Authentication in USIM
(Figure only.)

4. LTE - 5. Distribution of Authentication Data inside SNs
- GUTI is used for signaling
- Problem
  - A new MME (due to reattachment or mobility) does not know GUTI.
- Solution
  - Translation of GUTI into IMSI by old MME or request it from UE
  - Exchange of authentication data
    - Transfer of EPS security context and EPS Authentication Vector between MMEs of the same SN
    - Transfer of EPS security context (includes SN ID) between MMEs of trusted SNs

4. LTE - 6. Key Hierarchy
- Cryptographic Keys are derived from intermediate key KASME.
- KASME is generated at UE and distributed from HSS to MMEs.
- KASME is less exposed and always kept in the core network.
- KASME does not have to be renewed often.
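The UMTS AKA of slide 3 in the UMTS part (functions f1-f5, authentication vectors, entity authentication, freshness) and the EPS vector generation of slides 4.1 and 4.2 above (SQN, AK, AMF, AUTN, XRES, KASME bound to the SN) are shown together in the following Python model. It is an added example, not code from the lecture or from 3GPP: f1-f5 and the KASME KDF are truncated HMAC-SHA256 stand-ins (operators normally use MILENAGE for f1-f5), the AMF value, the IMSI, the key K and the serving-network identities 00101 and 00102 are constructed, and the HSS, USIM and MME classes are assumptions made for the illustration. It demonstrates the three properties the slides claim: the USIM authenticates the network through the MAC in AUTN before it answers, a replayed vector fails on the sequence number, and a vector issued for one serving network does not yield a usable KASME in another.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """Keyed PRF standing in for f1-f5 and the KASME KDF (assumption: truncated
    HMAC-SHA256; operators normally use MILENAGE for f1-f5)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# f1: MAC (64 bit), f2: RES/XRES (64 bit), f3: CK and f4: IK (128 bit), f5: AK (48 bit)
def f1(k, rand, sqn, amf): return prf(k, b"f1", rand + sqn + amf, 8)
def f2(k, rand): return prf(k, b"f2", rand, 8)
def f3(k, rand): return prf(k, b"f3", rand, 16)
def f4(k, rand): return prf(k, b"f4", rand, 16)
def f5(k, rand): return prf(k, b"f5", rand, 6)

def derive_kasme(ck: bytes, ik: bytes, sn_id: str, sqn_xor_ak: bytes) -> bytes:
    """KASME = KDF(CK || IK, SN id, SQN xor AK). The serving-network identity is an
    input, so a vector issued for one SN yields a different KASME in any other SN."""
    return prf(ck + ik, b"KASME", sn_id.encode() + sqn_xor_ak, 32)

@dataclass
class EpsAV:
    """EPS authentication vector (slide 4.2): RAND, XRES, AUTN, KASME."""
    rand: bytes
    xres: bytes
    autn: bytes
    kasme: bytes

class HSS:
    """Home network (HSS with AuC): holds K and a per-subscriber SQN counter."""

    def __init__(self):
        self._k, self._sqn = {}, {}

    def provision(self, imsi: str, k: bytes) -> None:
        self._k[imsi], self._sqn[imsi] = k, 0

    def generate_av(self, imsi: str, sn_id: str) -> EpsAV:
        k = self._k[imsi]
        self._sqn[imsi] += 1  # every vector carries a fresh sequence number
        sqn = self._sqn[imsi].to_bytes(6, "big")
        rand, amf = os.urandom(16), b"\x00\x00"  # AMF: constructed value
        conc_sqn = xor(sqn, f5(k, rand))  # SQN concealed with the anonymity key AK
        autn = conc_sqn + amf + f1(k, rand, sqn, amf)
        kasme = derive_kasme(f3(k, rand), f4(k, rand), sn_id, conc_sqn)
        return EpsAV(rand, f2(k, rand), autn, kasme)

class USIM:
    """USIM: holds K and the highest SQN accepted so far."""

    def __init__(self, k: bytes):
        self._k, self._sqn_high = k, 0

    def authenticate(self, rand: bytes, autn: bytes, sn_id: str) -> tuple:
        """Check the network first (MAC and fresh SQN), then return (RES, KASME)."""
        k, conc_sqn, amf, mac = self._k, autn[:6], autn[6:8], autn[8:]
        sqn = xor(conc_sqn, f5(k, rand))
        if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self._sqn_high:
            raise ValueError("synchronisation failure: SQN not fresh")
        self._sqn_high = int.from_bytes(sqn, "big")
        return f2(k, rand), derive_kasme(f3(k, rand), f4(k, rand), sn_id, conc_sqn)

class MME:
    """Serving network: obtains vectors from the HSS and compares RES with XRES."""

    def __init__(self, sn_id: str, hss: HSS):
        self.sn_id, self._hss, self.kasme = sn_id, hss, {}

    def run_aka(self, imsi: str, usim: USIM, av: EpsAV = None) -> bool:
        av = av or self._hss.generate_av(imsi, self.sn_id)
        res, kasme_ue = usim.authenticate(av.rand, av.autn, self.sn_id)
        if not hmac.compare_digest(res, av.xres):
            return False
        self.kasme[imsi] = av.kasme
        # A real MME never sees the UE's KASME; a mismatch would surface later as a
        # NAS integrity failure. Comparing here makes the SN binding visible.
        return kasme_ue == av.kasme

SAMPLE_IMSI = "001010123456789"  # constructed, test PLMN 001-01
SAMPLE_K = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed

def demo() -> tuple:
    hss = HSS()
    hss.provision(SAMPLE_IMSI, SAMPLE_K)
    usim, mme_a = USIM(SAMPLE_K), MME("00101", hss)
    mutual = mme_a.run_aka(SAMPLE_IMSI, usim)
    # Replaying a used vector: the MAC still verifies, but the SQN is stale.
    av = hss.generate_av(SAMPLE_IMSI, "00101")
    mme_a.run_aka(SAMPLE_IMSI, usim, av)
    try:
        usim.authenticate(av.rand, av.autn, "00101")
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    # A vector issued for SN 00101 presented by SN 00102: RES matches, KASME does not.
    av = hss.generate_av(SAMPLE_IMSI, "00101")
    bound_to_sn = not MME("00102", hss).run_aka(SAMPLE_IMSI, usim, av)
    return mutual, replay_rejected, bound_to_sn  # (True, True, True)
```

demo() returns (True, True, True). The order of checks in USIM.authenticate matters: the MAC is verified before the SQN is compared, so a vector that was not produced by the home network is rejected before any state in the USIM changes.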
4. LTE - 7. Security Contexts
- Security context = security parameters, cryptographic keys, and algorithm identifiers
  - partly stored at USIM
  - can be transferred from one MME to another, even in different networks, or from MME to eNB.
- EPS NAS context to protect signaling between MME and UE
  - KASME, UE security capabilities, NAS uplink and downlink COUNT
- EPS AS context to protect radio link between UE and eNB
  - Cryptographic keys at AS level

4. LTE - 8.1 General Handover Options
- UE and eNB share keys, new eNB also must share a key.
- Options how to transfer keys
  - Delegated authentication, e.g., from HSS to MME by deriving a key from root key.
  - Key request from base station to Key Distributor
  - Pre-distribution of base station specific keys from KD to base stations
  - Optimistic access: UE uses preliminary ticket to get access prior to final authentication
  - Pre-authentication: UE authenticates to multiple base stations through a single base station and pre-establishes keys
  - Session Keys Context contains multiple session keys encrypted for each base station and is moved between them.

4. LTE - 8.2 LTE Key Handling in Handovers
- MME is informed before/after S1/X2 handover.
- MME can provide fresh key material to target eNB before/after S1/X2 handover.
- LTE provides backward key separation, i.e., source base station uses a one-way Key Derivation Function for the target base station specific key.
  → target base station can not deduce source base station key

4. LTE - 9. Lawful Interception
- Authorized and official access to private communications
- can also be implemented at HSS and S-GW / P-GW
(Figure, labelled Administration Function.)

5. 5G - 1.1 Service-Based Network Architecture
(Figure: network functions NRF, PCF, UDM, NEF, AF, AUSF, AMF, SMF; gNB and UPF towards the Internet.)
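Returning to the LTE handover key handling of slides 8.1 and 8.2 above: the following Python model, added here and not code from the lecture or from 3GPP, shows why a one-way derivation at the source eNB gives backward key separation and why fresh key material from the MME is still needed. HMAC-SHA256 stands in for the 3GPP key derivation function, the KASME value and the cell names are constructed, and the names initial_kenb, horizontal_kenb_star, next_hop and vertical_kenb_star are assumptions made for the illustration (3GPP uses KeNB, KeNB* and NH for these quantities, with differently structured KDF inputs).

```python
import hashlib
import hmac

def kdf(key: bytes, *inputs: bytes) -> bytes:
    """One-way key derivation (assumption: plain HMAC-SHA256 over the joined inputs;
    the 3GPP KDF is HMAC-SHA256 based as well but uses structured input strings)."""
    return hmac.new(key, b"".join(inputs), hashlib.sha256).digest()

def initial_kenb(kasme: bytes, nas_uplink_count: int) -> bytes:
    """KeNB for the first eNB, derived from KASME by MME and UE (slides 6 and 7)."""
    return kdf(kasme, b"KeNB", nas_uplink_count.to_bytes(4, "big"))

def horizontal_kenb_star(source_kenb: bytes, target_cell: str) -> bytes:
    """Source eNB derives the target-specific key with a one-way KDF (X2 handover
    without MME help): the target receives this key, never the source's own key,
    so it cannot deduce the source key (slide 8.2)."""
    return kdf(source_kenb, b"KeNB*", target_cell.encode())

def next_hop(kasme: bytes, previous: bytes) -> bytes:
    """Fresh key material from the MME, computable only with KASME (slide 8.2)."""
    return kdf(kasme, b"NH", previous)

def vertical_kenb_star(nh: bytes, target_cell: str) -> bytes:
    """Target key derived from MME-provided fresh material: no longer a descendant
    of the source eNB's key, so the source cannot follow the chain further."""
    return kdf(nh, b"KeNB*", target_cell.encode())

def handover_chain(kasme: bytes) -> tuple:
    """UE moves cell-1 -> cell-2 (horizontal) -> cell-3 (with fresh MME material).
    Returns (all keys distinct, cell-1 can compute cell-2's key, cell-1 can compute
    cell-3's key)."""
    k1 = initial_kenb(kasme, 0)
    k2 = horizontal_kenb_star(k1, "cell-2")
    k3 = vertical_kenb_star(next_hop(kasme, k1), "cell-3")
    # What an eNB holding k1 (and k2, which it derived itself) can compute alone:
    predicted_k2 = horizontal_kenb_star(k1, "cell-2")
    predicted_k3 = horizontal_kenb_star(k2, "cell-3")
    return len({k1, k2, k3}) == 3, predicted_k2 == k2, predicted_k3 == k3

SAMPLE_KASME = bytes(range(32))  # constructed, not a real key

def demo() -> tuple:
    return handover_chain(SAMPLE_KASME)  # (True, True, False)
```

demo() returns (True, True, False): the source eNB necessarily knows the key it derived for the target (second value), which is why the slide has the MME inject fresh material; once that happens, the source's own continuation of the chain no longer matches the key in use (third value). The reverse direction, recovering k1 from k2, is blocked by the one-way property of the KDF and cannot be "computed" at all, which is the backward separation the slide describes.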
5. 5G - 1.2 Network Architecture Components
- Access and Mobility Management Function
  - handles mobility procedures.
  - terminates NAS signalling.
  - mobility management
- Authentication Server Function
  - supports UE authentication.
- Network Exposure Function
  - provides an interface for outside applications to communicate with the 3GPP network.
- Network Repository Function
  - provides registration & discovery functionality so that Network Functions can discover each other.
- Network Slice Selection Function
  - assists in the selection of suitable network slice instances for users.

5. 5G - 1.3 Network Architecture Components
- Policy Control Function
  - supports unified policy framework to govern network behaviour
  - provides policy rules to Control Plane function(s) and to enforce them
- Session Management Function
  - supports the establishment, modification and release of a data session
  - configuration of traffic steering policies at the UPF
  - IP address allocation
- Unified Data Management
  - Access authorization based on subscription data, e.g., roaming restrictions
  - UE's Serving NF Registration Management
  - Support to service/session continuity, e.g., by keeping SMF assignment of ongoing sessions.
- User Plane Function
  - serves as the anchor point for intra/inter Radio Access Technology mobility, packet routing, traffic reporting and policy enforcement.
  - handles user plane Quality of Service.

5. 5G - 2.1 Features
- New Radio
  - Millimeter waves
  - Directional transmission
  - Beam-forming
  - Positioning
  - Multiple Input Multiple Output
- New Services
  - e.g., massive Machine Type Communications, Internet of Things
- Softwarization
  - Network Function Virtualization
  - Hypervisors
  - Application-level protocols such as HTTP
  - Network Slicing
  - Edge Computing
  - Software-Defined Networking
  - Centralized management & monitoring
5. 5G - 2.2 Mobile Edge Protection
- Protection of cached data and authentication vectors
- Protection of virtualized computing environments
  - Isolation might help.
  - But resources must be protected.

5. 5G - 3. 3GPP System Security Architecture
1. Network access security features for UE to authenticate and access services securely. These features protect the radio interface and deliver security context from SN to UE.
2. Network domain security features to securely exchange user data and signalling.
3. User domain security features secure user access to ME.
4. Application domain security features for applications to exchange messages securely.
5. Service-based architecture domain security features include network element registration, discovery, authorization security, and protection for the service-based interfaces.
6. Visibility and configurability of security features to inform user if a security feature is in operation.

5. 5G - 4. Security Architecture and Key Hierarchy
(Figure only.)

5. 5G - 5. Universal Integrated Circuit Card Evolution
(Figure only.)

Thanks a lot for your Attention
Prof. Dr. Torsten Braun, Institut für Informatik Bern, 11.11.2024 – 18.11.2024
