GSM Security.pptx

Full Transcript

Kuwait University
Computer Engineering Department
CpE 451: Wireless and Mobile
Networking

GSM Security

1

GSM Security Concerns
• Operators
• Bills right people
• Avoid fraud
• Protect Services

• Customers
• Privacy
• Anonymity

• Make a system at least secure as PSTN

2

GSM Security Goals
• Confidentiality and Anonymity on the radio path
• Strong client authentication to protect the operator
against the billing fraud
• Prevention of operators from compromising of each
others’ security
• Inadvertently
• Competition pressure

3

GSM Security Design Requirements
• The security mechanism
• MUST NOT
•
•
•
•

Add significant overhead on call set up
Increase bandwidth of the channel
Increase error rate
Add expensive complexity to the system

• MUST
• Cost effective scheme

• Define security procedures
• Generation and distribution of keys
• Exchange information between operators
• Confidentiality of algorithms
4

GSM Security Features
• Key management is independent of equipment
• Can change handsets without compromising security

• Subscriber identity protection
• not easy to identify the user of the system or intercepting a user data

• Detection of compromised equipment
• Detection mechanism whether a mobile device was compromised or not

• Subscriber authentication
• Operator knows for billing purposes who is using the system

• Signaling and user data protection
• Signaling & data channels are protected over the radio path

5

GSM Mobile Station
• Mobile Station
• Mobile Equipment (ME)
• Physical mobile device
• Identifiers
• IMEI – International Mobile Equipment Identity

• Subscriber Identity Module (SIM)
• Smart Card containing keys, identifiers and
algorithms
• Identifiers
•
•
•
•

Ki – Subscriber Authentication Key
IMSI – International Mobile Subscriber Identity
TMSI – Temporary Mobile Subscriber Identity
MSISDN – Mobile Station International Service Digital
Network
• PIN – Personal Identity Number protecting a SIM
• LAI – location area identity
6

GSM Architecture
Mobile Stations

Base Station
Subsystem

Network
Management

Subscriber and terminal
equipment databases

OMC
BTS

BTS

Exchange
System

BSC

MSC

VLR
HLR

BTS

AUC

EIR
7

Subscriber Identity Protection
• TMSI – Temporary Mobile Subscriber Identity
• Goals
• TMSI is used instead of IMSI as an a temporary subscriber
identifier
• TMSI prevents an eavesdropper from identifying of
subscriber

• Usage
• TMSI is assigned when IMSI is transmitted to AuC on the
first phone switch on
• Every time a location update (new MSC) occur the networks
assigns a new TMSI
• TMSI is used by the MS to report to the network or during a
call initialization
• Network uses TMSI to communicate with MS
• On MS switch off TMSI is stored on SIM card to be reused
next time

• The Visitor Location Register (VLR) performs assignment,
administration and update of the TMSI

8

Key Management Scheme
• Ki – Subscriber Authentication Key

• Shared 128 bit key used for authentication of
subscriber by the operator
• Key Storage
• Subscriber’s SIM (owned by operator, i.e. trusted)
• Operator’s Home Locator Register (HLR) of the
subscriber’s home network

• SIM can be used with different equipment

9

Detection of Compromised Equipment
• IMEI

• Identifier allowing to identify mobiles
• IMEI is independent of SIM
• Used to identify stolen or compromised equipment

• EIR

• Black list – stolen or non-type mobiles
• White list - valid mobiles
• Gray list – local tracking mobiles

• Central Equipment Identity Register (CEIR)

• Approved mobile type (type approval authorities)
• Consolidated black list (posted by operators)
10

Authentication
• Authentication Goals
• Subscriber (SIM holder) authentication
• Protection of the network against unauthorized use
• Create a session key

• Authentication Scheme
• Subscriber identification: IMSI or TMSI
• Challenge-Response authentication of the subscriber by the
operator

11

Authentication & Encryption
Scheme
Mobile Station

Radio Link

GSM Operator

Challenge RAND

SIM
Ki
A3

A3
Signed response (SRES)

SRES

Authentication: are
SRES values equal?

A8
Fn
mi

SRES
A8
Kc

Kc
A5

Ki

Encrypted Data

A5

Fn
mi

12

Authentication
• AuC – Authentication Center

• Provides parameters for authentication and encryption
functions (RAND, SRES, Kc)

• HLR – Home Location Register

• Provides MSC (Mobile Switching Center) with triples (RAND,
SRES, Kc)
• Handles MS location

• VLR – Visitor Location Register

• Stores generated triples by the HLR when a subscriber is not
in his home network
• One operator doesn’t have access to subscriber keys of the
another operator.

13

A3 – MS Authentication Algorithm
• Goal
• Generation of SRES response to MSC’s random challenge
RAND
RAND (128 bit)

Ki (128 bit)

A3

SRES (32 bit)
14

A8 – Voice Privacy Key Generation
Algorithm
• Goal
• Generation of session key Kc
• A8 specification was never made public
RAND (128 bit)

Ki (128 bit)

A8

KC (64 bit)
15

Logical Implementation
of A3 and A8
• Both A3 and A8 algorithms are implemented on the SIM
• Operator can decide, which algorithm to use.
• Algorithms implementation is independent of hardware
manufacturers and network operators.

16

Logical Implementation
of A3 and A8
• COMP128 is used for both A3 and A8 in most GSM
networks.
• COMP128 is a keyed hash function
RAND (128 bit)

Ki (128 bit)

COMP128

128 bit output
SRES 32 bit and Kc 64 bit
17

A5 – Encryption Algorithm
• A5 is a stream cipher
• Implemented very efficiently on hardware
• Design was never made public

• Variants
• A5/1 – the strong version
• A5/2 – the weak version
• A5/3
• GSM Association Security Group and 3GPP design
• used in 3G mobile systems

18

Logical A5 Implementation
BTS

Mobile Station
Fn (22 bit)

Kc (64 bit)

Fn (22 bit)

A5

Kc (64 bit)

A5
114 bit

Data (114 bit)

114 bit

Ciphertext (114 bit)
XOR

Data (114 bit)
XOR

Real A5 output is 228 bit for both directions
19

A5 Encryption
Mobile Stations

Base Station
Subsystem

Network
Management

Subscriber and terminal
equipment databases

OMC
BTS

BTS

Exchange
System

BSC

MSC

VLR
HLR

BTS
A5 Encryption

AUC

EIR
20

SIM Anatomy
• Subscriber Identification Module (SIM)
• Smart Card – a single chip computer containing OS,
File System, Applications
• Protected by PIN
• Owned by operator (i.e. trusted)
• SIM applications can be written with SIM Toolkit

21

Smart Card Anatomy

22

Microprocessor Cards
• Typical specification
•
•
•
•
•

8 bit CPU
16 K ROM
256 bytes RAM
4K EEPROM
Cost: $5-50

• Smart Card Technology
• Based on ISO 7816 defining
• Card size, contact layout, electrical characteristics
• I/O Protocols: byte/block based
• File Structure
23

Attack Categories
• SIM Attacks
• Radio-link interception attacks
• Operator network attacks
• GSM does not protect an operator’s network

24

Attack History
• 1991
• First GSM implementation.

• April 1998
• The Smartcard Developer Association (SDA) together with U.C. Berkeley researches
cracked the COMP128 algorithm stored in SIM and succeeded to get K i within
several hours. They discovered that Kc uses only 54 bits.

• August 1999
• The week A5/2 was cracked using a single PC within seconds.

• December 1999
• Alex Biryukov, Adi Shamir and David Wagner have published the scheme breaking
the strong A5/1 algorithm. Within two minutes of intercepted call the attack time
was only 1 second.

• May 2002
• The IBM Research group discovered a new way to quickly extract the COMP128
keys using side channels.
25