5Security features of 2G_3G_4G and 5G Mobile network.pdf

Full Transcript

Security Feature in 2G,3G,4G and 5G Mobile network INTRODUCTION Extensive measures have been taken, when specifying the GSM system, to substantially increase security with regard to both call theft and equipment theft. With GSM, both the Mobile Equipment (ME) and Mobile Subscriber are identified. The ME has a unique number coded into it when it is manufactured. This can be checked against a database every time the mobile makes a call to validate the actual equipment. The subscriber is authenticated by use of a smart card known as a Subscriber Identity Module (SIM), again this allows the network to check a MS subscriber against a database for authentication. DIGITAL AIRINTERFACE The main reasons why GSM uses a digital air interface: a) It is “noise robust”, enabling the use of tighter frequency re-use patterns and minimizing interference problems; b) It incorporates error correction, thus protecting the traffic that it carries; c) It offers greatly enhanced privacy to subscribers and security to network providers. The VLR controls the allocation of new Temporary Mobile Subscriber Identity (TMSI) numbers and notifies them to the HLR.The TMSI will be updated frequently, this makes it very difficult for the call to be traced and therefore provides a high degree of security for the subscriber. The TMSI may be updated in any of the following situations: Call setup, On entry to a new LAI, On entry to a new VLR. GSM also offers the capability to encrypt all signaling over the air interface. Different levels of encryption are available to meet different subscriber / country requirements.With the authentication processes for both the ME and subscriber, together with the encryption and the digital encoding of the air interface signals, it makes it very difficult for the casual “hacker”to listen-in to personal calls.In addition to this, the GSM air interface supports frequency hopping; this entails each “burst” of information being transmitted to/from the MS/base site on a different frequency, again making it very difficult for an observer (hacker) to follow/listen to a specific call. Although it should be noted that frequency hopping is employed to optimize network performance by overcoming interference problems in busy areas, to increase call quality and capacity. The SIM card, and the high degree of inbuilt system security, provide protection of the subscriber’s information and protection of networks against fraudulent access.SIM cards are designed to be difficult to duplicate. The SIM can be protected by use of Personal Identity Number (PIN) password, similar to bank / credit charge cards, to prevent unauthorized use of the card. It contains security related information (IMSI, Ki, PIN), other subscriber related information and the algorithms A3 and A8. Figure171:Securityin2G GSM ENCRYPTION Encryption is a process of a protecting voice or data information from being obtained by unauthorized users.Encryption involves the use of a data processing algorithm (formula program)that uses one or more secretkeys (numbers values) that both the sender and receiver of the information use to encrypt and decrypt the information. Without the encryption algorithm and key(s), authorized listeners cannot decode the message.The encryption algorithm is stored on the SIM card program memory. There can be more than one different encryption algorithms in different parts of the World. The BCCH channel of the base system broadcasts a code to tell the mobile stationwhichoftheencryptionalgorithmsisinusethatparticularbaseGSMinstallations. The GSM voice privacy encryption process uses the Vernam Cipher algorithm (called A5 in type GSM system) that modifies all the data bits that are to be transmitted with an encryption code.The encryption code (cipher mask) continuously varies and is synchronized to the hyper-frame counter at both the base and mobile stations.This produces a random ever changing group of 116 cipher mask bits for each normal burst in the data stream that is synchronized with the hyper-frame counter.While this group of bits appears to be random, both the base and mobile stations have properly synchronized copies of it.The cipher mask is added (modulo 2) to the transmit information and flag bits before differential encoding and modulation, and the same cipher mask is “subtracted” (modulo 2) at the corresponding point in the receiver.Thus, a person in the middle who has a radio receiver can receive the bit stream, but cannot understand its correct value without possessing a third copy of the properly synchronized cipher mask. Using a secret number called Kc, that is set to a different value for each call, generates the cipher mask.This number is used together with the hyper-frame counter in a process involving repeated re-arrangement and modulo 2 addition of the bits from the two items.The secret number is derived from the authentication process, described below. CIPHERING The security function that ciphers the information sent and received by the MS required the cipher key Kc.The generation of the Kc is based on the crypto graphical algorithms A8, and the Ki.Also A8 is located on the SIM. CIPHERING START PROCEDURE This ciphering start procedure is initiated from the MSC / VLR by sending the message a cipher mode command the Kc.The Kc will be removed from the message by the BTS before sending it on to the MS, so that the Kc will be never be sent on the air. When the MS receives this message it will be send the message cipher mode complete in the cipher mode using the calculated Kc stored on the SIM card.If the BTS can decipher this message it will be inform the MSC / VLR that ciphering has started. 3GSECURITYIMPROVEMENTSOVERGSM Figure172:Securityin3G 1. Mandatory integrity protection for signaling over the air is added 2. Authentication and Key Agreement:UMTS AKA provides key freshness guarantee by use of sequence number 3. Encryption terminates inprotected location(RNC) 4. Public design and evaluation of strong cryptographic algorithms 5. Sufficiently long encryption and integrity keys CK, IK of 128bits each 6. Core network signalling protected by Network Domain Security (a profile of IPsec/IKE) 1. No false base station attacks is impossible 2. User traffic on core network interfaces is not protected in a standardized way in 3G. This was a deliberate 3G design decision as user traffic is typically less security critical than signaling traffic carrying e.g. authentication data 3. Core network interface much less vulnerable than radio interfaces 4. Volumes of user traffic on core network interfaces can be very high, and protection hence very costly 5. IMSI catching by an active attack is still possible in 3G this was also a deliberate design decision as the possible solutions would have been too complex. This situation carries over into EPS. 6. Session keys CK, IK delivered to one3Gnetworkcanbeused in any other 3G network. This means that a security breach in an SGSN or RNC in one 3G network may affect other 3G networks. This issue was addressed in EPS by cryptographic network separation of authentication material 7. Session keys CK, IK are handed from one RNC to another. This is not a problemin3G as the RNCs are in protected locations deep inside the network, so it may be assumed that a compromise of an RNC would be rare in EPS session keys are handled by eNBs at the edge of the access network, which is a more vulnerable location. Hence, in EPS, forward security in handovers was introduced. 5G Security Procedure between UE and Network Security Types in 5G Network 1. Security required for UE to access network services comes under Network access security. This security mainly cover Authentication, Integrity and ciphering of Signalling and data. 2. Domain Security mainly covers secure communication between different Network nodes. 3. Application domain security covers security mechanism between peer applications. 4. There are two different kind of authentication Different Authentication, Ciphering and Integrity Algorithms   In most cases for Authentication Key Agreement(AKA), operators use Milenage/TUAK algorithm. But some cases proprietary algorithm. For Cyphering and Integrity Protection following Algorithms are used. Ciphering Algorithms Integrity Algorithms Key Distribution POSTS POSTED ONJANUARY 20, 2020 5G Security (5G AKA Authentication) 5G Security Procedure between UE and Network Security Types in 5G Network 1. Security required for UE to access network services comes under Network access security. This security mainly cover Authentication, Integrity and ciphering of Signalling and data. 2. Domain Security mainly covers secure communication between different Network nodes. 3. Application domain security covers security mechanism between peer applications. 4. There are two different kind of authentication Different Authentication, Ciphering and Integrity Algorithms   In most cases for Authentication Key Agreement(AKA), operators use Milenage/TUAK algorithm. But some cases proprietary algorithm. For Cyphering and Integrity Protection following Algorithms are used. Ciphering Algorithms Integrity Algorithms Key Distribution 5G AKA Authentication Procedure Authentication Flow Steps 1. After receiving Registration Request, AMF initiates authentication procedure with UE, if UE security context is not existing with AMF. 2. AMF sends Nausf_UEAuthentications Request with SUCI or SUPI and Serving network name. 3. AUSF based on the Serving Network name, determine if AMF is authorised to send this message. 4. Then AUSF, sends Nudm_UEAuthentication_Get Request with SUPI/SUCI to UDM. 5. UDM Calculates the 5G HE AV as below. UDM Uses Milenage functions to derive MAC, XRES, CK, IK and AK.  UDM derives Kausf is as follows using HMAC-SHA-256(K, S) KDF(Key Derivation Function) function as below.  UDM derives XRES* as follows using HMAC-SHA-256(K, S) KDF function.  UDM derives 5G HE AV from above derived keys as below and send it to AUSF with message “Nudm_Authentication get Response” 5G HE AV = RAND ‖ XRES* ‖ Kausf ‖ AUTN 6. Derivation of 5G SE AV at AUSF  HXRES* Calculation at AUSF: HXRES* is 128 bit MSB of the output of SHA-256 hash, calculated by passing RAND || XRES* as input to SHA-256 algorithm.  AUSF derives Kseaf from Kausf by passing K= Kausf and S = 0x6C || Serving Network Name || Lenth of Serving Network Name to KDF function.  AUSF calculates 5G AV and 5G SE AV as below and send 5G SE AV to AMF. 5G AV = RAND ‖ HXRES* ‖ Kseaf ‖ AUTN 5G SE AV = RAND ‖ HXRES* ‖ AUTN 7. AMF Sends NAS Authentication Request to UE with RAND and AUTN from 5G SE AV. 8. UE Uses Milenage functions to derive XMAC, RES, CK, IK as below. 9. UE Verify the MAC received in AUTN with XMAC calculated above to authenticate the network and check the freshness of AUTN. Here if the comparison fails then it will send authentication failure with AUTS. 10. UE derives RES* as follows using HMAC-SHA-256(K, S) KDF function. using keys calculated above, and then sends RES* to AMF. 11. AMF Calculates HRES* from RES* : HRES* is 128 bit MSB of the output of SHA-256 hash, calculated by passing RAND || RES* as input to SHA-256 algorithm. 12. AMF compares HRES*(Calculated above) with HXRES* received from AUSF to check for successful authentication. 13. AMF sends RES* received from UE to AUSF with “Authenticate Request” message. 14. AUSF compares RES* with the XRES*(part of 5G HE AV) received from UDM in step 5. 15. If Comparison is successful, AUSF sends Authentication Event notification to UDM with “Success”. 5G Identifiers SUPI and SUCI In telecommunication systems, network operator allocate to each SIM card a unique identifier, known up to the 4G as an IMSI (International Mobile Subscriber Identity) and for the 5G as a SUPI (Subscription Permanent Identifier). As authentication between a user and its network provider is based on a shared symmetric key, it can only take place after user identification. However, if the IMSI/SUPI values are sent in plaintext over the radio access link, then users can be identified, located and tracked using these permanent identifiers. To avoid this privacy breach, the SIM card is assigned temporary identifiers (called Temporary Mobile Subscriber Identity (TMSI) until 3G systems and GUTI for 4G and 5G systems) by the visited network. These frequently-changing temporary identifiers are then used for identification purposes over the radio access link. However, there are certain situations where authentication through the use of temporary identifiers is not possible e.g. when a user registers with a network for the first time and is not yet assigned a temporary identifier, another case is when the visited network is unable to resolve the IMSI/SUPI. from the presented TMSI/GUTI. An active man-in-the-middle adversary can intentionally simulate this scenario to force an unsuspecting user to reveal its long-term identity. These attacks are known as “IMSI catching” attacks and persist in today’s mobile networks including the 4G LTE/LTE-Adv. Solution to IMSI Catchers in 5G IMSI – catching attacks have threatened all generations (2G/3G/4G) of mobile telecommunication for decades. As a result of facilitating backwards compatibility for legacy reasons, this privacy problem appears to have persisted. However, the 3GPP has now decided to address this issue, albeit at the cost of backward compatibility. In case of identification failure via a 5G-GUTI, unlike earlier generations, 5G security specifications do not allow plain-text transmissions of the SUPI over the radio interface. Instead, an Elliptic Curve Integrated Encryption Scheme (ECIES) – based privacy-preserving identifier containing the concealed SUPI is transmitted. This concealed SUPI is known as SUCI (Subscription Concealed Identifier ) Subscription Permanent Identifier (SUPI) A SUPI is a 5G globally unique Subscription Permanent Identifier (SUPI) allocated to each subscriber and defined in 3GPP specification TS 23.501. The SUPI value is provisioned in USIM and UDM/UDR function in 5G Core. A Valid SUPI can be either of following   An IMSI (International Mobile Subscriber Identifier) as defined in TS 23.503 for 3GPP RAT NAI (Network Access Identifier) as defined in RFC 4282 based user identification as defined in TS 23.003 for non-3GPP RAT A SUPI is usually a string of 15 decimal digits. The first three digits represent the Mobile Country Code (MCC) while the next two or three form the Mobile Network Code (MNC) identifying the network operator. The remaining (nine or ten) digits are known as Mobile Subscriber Identification Number (MSIN) and represent the individual user of that particular operator. SUPI is equivalent to IMSI which uniquely identifies the ME, is also a string of 15 digits. Subscription Concealed Identifier (SUCI) Subscription Concealed Identier (SUCI) is a privacy preserving identifier containing the concealed SUPI. The UE generates a SUCI using a ECIES-based protection scheme with the public key of the Home Network that was securely provisioned to the USIM during the USIM registration. Only the MSIN part of the SUPI gets concealed by the protection scheme while the home network identifier i.e. MCC/MNC gets transmitted in plain-text. The data fields constituting the SUCI are following       SUPI Type: consisting in a value in the range 0 to 7. It identifies the type of the SUPI concealed in the SUCI. The following values are defined o 0: IMSI o 1: Network Access Identifier (NAI) o 2 to 7: spare values for future use. Home Network Identifier: identifying the home network of the subscriber. When the SUPI Type is an IMSI, the Home Network Identifier is composed of MCC and MNC. When the SUPI type is a Network Access Identifier, the Home Network Identifier consists of a string of characters with a variable length representing a domain name. e.g. [email protected] Routing Indicator: It is consist of 1 to 4 decimal digits assigned by the home network operator and provisioned within the USIM. Protection Scheme Identifier: It is consist of a value in the range of 0 to 15 and represented with 4 bits o null-scheme 0x0 o Profile 0x1 o Profile 0x2 Home Network Public Key Identifier: It is consist of a value in the range 0 to 255. It represents a public key provisioned by the HPLMN and it is used to identify the key used for SUPI protection. In case of null-scheme being used, this data field shall be set to the value as 0 Protection Scheme Output : It is consist of a string of characters with a variable length or hexadecimal digits, dependent on the used protection scheme 5G Identity Exchange between UE and Network The subscriber identification mechanism allows the identification of a UE on the over the air radio interface by means of the SUCI. The Identify exchange between UE and Network is shown in following figure. When UEs tries to register first time, UE encrypt SUPI into SUCI and send a Initial Registration Requested with SUCI. AMF forward this SUCI to AUSF & UDM to retrieve the SUPI with Authentication Request. AUSF shall reply with Authentication Response with SUPI information. Further AMF generates a GUTI for this SUPI and keeps the GUTI to SUPI mapping for further registrations or PDU session requests. In subsequent Registration request UE send registration request with GUTI. Now there can be two possible scenarios. 1. AMF able to generate SUPI using GUTI and SUPI mapping 2. AMF not able to generate SUPI In first case, AMF generate SUPI using GUTI and authentication with AUSF can be completed using SUPI. In second case when the UE is not identifiable using GUTI at AMF, AMF request UE for identity request and UE then may respond with the Identity Response, containing the SUCI. 5G NR Global Unique Temporary Identifier (GUTI) 5G Global Unique Temporary Identifier [5G – GUTI] is a core network temporary identifier and allocated by Access and Mobility Management function [AMF] to the UE.      GUTI is 80 bits long core network identifier It is consist of major three network identities PLMN + AMF ID + TMSI It is a temporary identifier so it’s associations is not fixed to a specific subscriber or mobile Single 5G-GUTI can be used for accessing 3GPP and non-3GPP technologies security context within the AMF An AMF may re-assign a new 5G-GUTI to the UE at any time under specified conditions  When the UE is in CM-IDLE, the AMF may delay in the assignment of a new 5G-GUTI until the next NAS transaction happens When AMF provides a New 5G-GUTI    Upon receiving Registration Request message of type “initial registration” or “mobility registration update” from a UE, the AMF shall send a new 5G-GUTI to the UE in Registration Accept message Upon receiving Registration Request message of type “periodic registration update” from a UE, the AMF should send a new 5G-GUTI to the UE in Registration Accept message Upon receiving network triggered Service Request message from the UE (i.e., Service Request message sent by the UE in response to a Paging message), the AMF shall use a UE Configuration Update procedure to send a new 5G-GUTI to the UE Exceptions   It is left to implementation to re-assign 5G-GUTI more frequently than in cases mentioned above It is left to implementation to generate 5G-GUTI containing 5G-TMSI that uniquely identifies the UE within the AMF 5G GUTI Structure Where GUAMI identifies one or more AMF(s). When the GUAMI identifies only one AMF, the 5G-TMSI identifies the UE uniquely within the AMF. However, when AMF assigns a 5GGUTI to the UE with a GUAMI value used by more than one AMF, the AMF shall ensure that the 5G-TMSI value used within the assigned 5G-GUTI is not already in use by the other AMF(s) sharing that GUAMI value. Globally Unique AMF ID (GUAMI) Structure (48 bits) Where AMF Region ID identifies the region, AMF Set ID uniquely identifies the AMF Set within the AMF Region and AMF Pointer identifies one or more AMFs within the AMF Set.  AMF Region ID addresses the case that there are more AMFs in the network than the number of AMFs that can be supported by AMF Set ID and AMF Pointer by enabling operators to re-use the same AMF Set IDs and AMF Pointers in different regions S-TMSI Structure (48 bits) S-TMSI is the shortened form of the GUTI to enable more efficient radio signalling procedures e.g. during Paging and Service Request and its structure is shown below.  In NG-RAN uses the 10 Least Significant Bits of the 5G-TMSI in the determination of the time at which different UEs are paged. Hence, the AMF shall ensure that the 10 LSB of the 5G-TMSI are evenly distributed 5G and 4G GUTI Mapping 3GPP has speficied a mapping between 5G-GUTI and 4G-GUTI. This mapping is required for UE mobility between 4G and 5G networks. For example, when a Mobile User moves from 5G to 4G, it requires to send a GUTI to MME, then mobile has to map the 5G-GUTI onto thw 4G-GUTI and forward it to MME. MME perform a reverse mapping of 4G GUTI to 5G-GUTI to find out the AMF from where the MME needs to contact to fetch the UE context. In similar way, when a mobile moves from 4G to 5G, mobile maps and send 4G GUTI to AMF and AMF decode the MME ID for retrieve the User context. Below figure show the mapping and bit wise detailed information for 5G and 4G GUTI.