cdma2000 Packet Data Security Assessment, Christopher Carroll, Verizon Wireless, April 11, 2001

Jan 02, 2016

Page 1:

cdma2000 Packet Data Security Assessment

Christopher Carroll, Verizon Wireless

April 11, 2001

Page 2:

Security Issues

• MN-AAAh Secret not defined

– Cryptographically strong MN-AAAh key defined

• Mobile IP Key Distribution not defined

– MN-HA key and MN-FA key key agreement defined

• Radio Access Layer security not supported

– Access Terminal (AT) key defined

Page 3:

Agenda

• Entity vs. Message Authentication

• Mobile IP Security

– Message authentication codes

• AAA Recommendations

– MN-AAA Key Bootstrapping

– MIP key distribution

– Radio Access Layer Security

Page 4:

Why Packet Data Security?

- 802.11 Flaws published!

- “The Security of data transmitted on a wireless data service was a critical adoption issue. It appears that many felt that wireless data could be more vulnerable to interception than if transmitted over a wired connection.”

Verizon Wireless Data Service Qualitative Research Report (In Focus Marketing, September 2000)

Page 5:

TR-45 Challenge-Response Entity Authentication

[Diagram labels: Cell Site; Subscriber Telephone; 32-bit Challenge (Question); 18-bit Response (Answer); SSD-A1 (twice)]

Page 6:

TR-45 Entity Authentication

[Diagram labels: CAVE Hash Function; SSD-A; ESN; Dialed Digits; Random Challenge; MIN; 18-bit Response]

Page 7:

Radius Entity Authentication

[Diagram labels: MD5 Hash Function; MN-AAAh key; NAI; Registration Request; Random Challenge; MN-HA Auth. Ext.; 128-bit Response]

Page 8:

Pseudo-random Number Generator

[Diagram labels: MD5; MN-AAAh Key 1; MN-AAAh Key 2; MN-AAAh Key 3; MN-AAAh Key n; bit strings 010110100 . . . ., 001010001 . . . ., 110010110 . . . ., 101011000 . . . .]

Page 9:

Radius Authentication

[Diagram labels: Secret Response; Library; Book; Page/word; MD5; MN-AAAh Key; Challenge]

Page 10:

Mobile IP Message Authentication

[Diagram labels: Hash Function (MD5); “Send packets To IP address: 123.197.8.17”; Secret Key; 128-bit MAC]

Page 11:

Entity vs. Message Authentication

Entity:

• Verify identity of an entity

• Prove shared secret

• Vulnerable to Replay attack

• CHAP, MN-AAA Authentication Ext.

Message:

• Prevent manipulation of message

• Prove message sent from entity

• Vulnerable to Replay attack

• MIP Authenticator

Page 12:

Preventing Replay Attack (between MN and HA)

[Diagram labels: Hash Function (Keyed MD5); Registration Request Message; MN-HA Key; 128-bit MAC; Freshness (Randomness and/or nonce); Identification Field]
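The point of the two slides above, as an added example that is not part of the original presentation: a keyed-MD5 MAC alone accepts a captured Registration Request a second time, and only the freshness check on the Identification field rejects it. The message layout, the names, and the use of a strictly increasing Identification value are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 16  # keyed MD5 gives a 128-bit MAC


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """Keyed MD5 in prefix+suffix form: MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()


def build_request(key: bytes, nai: str, care_of: str, ident: int) -> bytes:
    """Constructed layout, not the Mobile IP wire format:
    64-bit Identification || registration fields || 128-bit MAC."""
    body = struct.pack("!Q", ident) + f"{nai}|{care_of}".encode()
    return body + keyed_md5(key, body)


class HomeAgent:
    def __init__(self, mn_ha_key: bytes):
        self.key = mn_ha_key
        self.last_ident = 0  # highest Identification accepted so far

    def accept(self, packet: bytes, check_freshness: bool = True) -> str:
        if len(packet) < 8 + MAC_LEN:
            return "malformed"
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        # Constant-time comparison of the recomputed MAC.
        if not hmac.compare_digest(keyed_md5(self.key, body), mac):
            return "bad-mac"
        (ident,) = struct.unpack("!Q", body[:8])
        # Assumption: freshness is modelled as a strictly increasing value.
        if check_freshness and ident <= self.last_ident:
            return "replay"
        self.last_ident = max(self.last_ident, ident)
        return "ok"


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    req = build_request(key, "user@example.com", "192.0.2.10", ident=1001)
    strict, mac_only = HomeAgent(key), HomeAgent(key)
    return {
        "first": strict.accept(req),
        "replayed": strict.accept(req),
        "tampered": strict.accept(req[:12] + b"X" + req[13:]),
        "mac_only_first": mac_only.accept(req, check_freshness=False),
        "mac_only_replayed": mac_only.accept(req, check_freshness=False),
    }
```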

Page 13:

Challenge Extension

• Allows FA/PDSN or AAA server to authenticate the MN

• 32-bit (at least) Random Challenge issued by FA/PDSN in Agent Advertisement.

• MN includes Challenge before MN-AAA authentication Ext.

• Leverage randomness to generate MN-HA and MN-FA keys

Page 14:

Preventing Replay Attack (between MN and FA/PDSN)

[Diagram labels: Hash Function (Keyed MD5); Registration Request Message; MN-FA Key; 128-bit MAC (may be reduced in length); Freshness (Randomness and/or nonce); Identification Field; Challenge Ext. 32-bit Randomness]

Page 15:

AAA Authentication Extension

[Diagram labels: MN; FA; PDSN; HA; AAAh; Registration Request; NAI Extension; Mobile-Home Authentication Extension; MN-FA Challenge Extension; MN-AAA Authentication Extension; Mobile-Home Authenticator; MN-AAA Authenticator]

Page 16:

Mobile IPv4 using Radius AAA

[Message-flow diagram. Entities: MN; FA; AAAL; AAAH; HA. Labels, in the order extracted:]

• Agent Advertisement: Challenge Extension

• Verify MN-AAA Authenticator (CHAP)

• Registration Request: NAI Extension, Mobile-Home Authentication Ext., Challenge Extension, MN-AAA Authentication Extension

• Registration Request: NAI, Challenge Extension, MN-AAA Authentication Extension (CHAP Response)

• Registration Request: NAI Extension, Mobile-Home Authentication Ext., Foreign-Home Authentication Ext. (optional)

• Access Accept

• Verify Mobile-Home and/or Foreign-Home Authenticator

• MN-AAA Auth. Ext. (CHAP Response), Challenge Extension

Page 17:

Password Cracking Attack

[Diagram labels: Secret Response; Library; Book; Page/word; MD5; UNIX Password; Challenge]

Size of Library (Secret Space) significantly reduced by user-selected Books (secrets).

Page 18:

1xEV Password Cracking

[Message-flow diagram. Entities: MN; FA; Hacker. Labels:]

• Agent Advertisement: Challenge Extension

• Registration Request: MN-AAA Authenticator, MN-HA Authenticator

• Hacker: Intercepts Challenge, Authenticator, and Other Registration info.

• Password Cracking Attack: 1) Dictionary 2) Brute Force Exhaustive Search

Page 19:

MN-AAAh Key

• Shared secret between MN and AAAh must be cryptographically strong.

• MN-AAAh key field must be 128-bits long.

• MN-AAAh key must be at least 90-bits long.

• MN-AAAh key shall not be shared with the HA or any FA.

Page 20:

Internet Password Cracking

[Message-flow diagram. Entities: FA; HA; IP Packet Sniffer. Labels:]

• Registration Response: MN-HA Authenticator

• Registration Request: MN-HA Authenticator

• IP Packet Sniffer: Intercepts Challenge, Authenticator, and Other Registration info.

• Password Cracking Attack: 1) Dictionary 2) Brute Force Exhaustive Search

Page 21:

MN-HA Key

• Shared secret between MN and HA must be cryptographically strong.

• MN-HA key field must be 128-bits long.

• MN-HA key must be at least 90-bits long.

• MN-HA key may be derived from the MN-AAAh key using a one-way function.

• MN-HA must protect the Registration Request message.

Page 22:

MN-FA Key

• Currently optional in 1xEV.

• Use MN-FA key to establish Radio Access Layer SAs.

• Shared secret between MN and FA must be cryptographically strong.

• MN-FA key field must be 128-bits long.

• MN-FA key must be at least 90-bits long.

• MN-FA key may be derived from the MN-AAAh key using a one-way function.

• MN-FA key can be used to generate Access Terminal (AT) key.

Page 23:

Mobile IPv4 Security

• Message Authentication Only

– Provided by Security Associations (SA)

• Mobile-Home Authentication Extension

– Mobile-Home Secret Key

• Mobile-Foreign Authentication Extension

– Mobile-Foreign Secret Key

• Foreign-Home Authentication Extension

– Foreign-Home Secret Key

• Only Manual Key Distribution mandatory

• Optional – DH, RSA, Secret key distribution

• No Encryption / Privacy

• IS-835 supplemented with IPsec (no end-to-end privacy)

Page 24:

MIP Bootstrapping Problem

• IS-835 AAA doesn’t have defined scalable MN-AAAh / MN-HA key distribution process!

• Initial key distribution (Bootstrap) common problem for any security system.

• 3GPP2/TR-45 can’t let history repeat – CAVE A-key distribution problem.

• WWW download, manufacturer pre-load/EDI, smart cards, OTASP, Manual.

Page 25:

Multi-layer Encryption

[Diagram labels: BANK; AES 128-bit Stream Cipher; SSL 128-bit IDEA Encryption; IPsec 112-bit Triple DES Encryption; AT; FA; PDSN; MN; 1xEV DO BS; HA; PDSN]

Page 26:

DIAMETER MN-FA Key Distribution

[Message-flow diagram. Entities: AAAh; MN; AAAL; HA; FA. Labels:]

• Generate MN-FA key; Encrypt with AAAh-FA key; Encrypt with AAAh-MN key

• (MN-FA key) AAAh-FA Encrypted, (MN-FA key) AAAh-MN Encrypted (shown twice)

• (MN-FA key) AAAh-MN Encrypted

Page 27:

Diameter MIP Key Distribution Problems

• MIP key is transmitted over-the-air

– vulnerable to cryptanalysis

• Additional key management (AAAh-FA secret)

• Inefficient - AAAh encrypts MIP key twice

• Redundant – AAA to PDSN interface will be protected

• Slow – MN must register before MN-FA key delivered.

Page 28:

Diameter Problem #1 (Rogue FA)

(IETF-AAA Registration Keys for Mobile IP)

[Diagram entities: AAAh; PDSN; MN]

MN Encryption Pad == MD5 (MN-AAAh secret, MN Home IP, MN-AAAh secret)

PDSN recovers MN Encryption Pad using the following technique:

MN Encryption Pad == MN-FA key XOR (MN-FA key XOR MN Encryption Pad)

Assuming that MN Home IP Address remains constant

PDSN can recover MN-FA key used with other FAs.

Page 29:

Diameter Problem #2 (Fixed Mask)

[Diagram entities: PDSN; MN]

MN Encryption Pad == MD5 (MN-AAAh secret, MN Home IP, MN-AAAh secret)

PDSN sends MN-FA key XOR MN Encryption Pad

Attacker combines MN-FA Update #1 with #2:

Delta MN-FA key == ((MN-FA key #1 XOR MN Encryption Pad) XOR (MN-FA key #2 XOR MN Encryption Pad))

Assuming that MN Home IP Address remains constant

Password protects Mask - Possible cryptanalysis of MN-FA Authentication
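The two problems above, worked through on constructed values as an added example that is not part of the original presentation: because the pad depends only on the MN-AAAh secret and the home IP address, it is identical for every key delivery. The function names, the byte encoding of the inputs and all key material are assumptions made for the illustration.

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mn_encryption_pad(mn_aaah_secret: bytes, home_ip: bytes) -> bytes:
    """MN Encryption Pad == MD5(MN-AAAh secret, MN Home IP, MN-AAAh secret)."""
    return hashlib.md5(mn_aaah_secret + home_ip + mn_aaah_secret).digest()


def deliver(mn_fa_key: bytes, mn_aaah_secret: bytes, home_ip: bytes) -> bytes:
    """What is sent toward the MN: MN-FA key XOR MN Encryption Pad."""
    return xor(mn_fa_key, mn_encryption_pad(mn_aaah_secret, home_ip))


def demo():
    secret = b"constructed MN-AAAh secret"   # constructed
    home_ip = bytes([10, 0, 0, 7])            # constructed, stays constant
    key_fa1 = hashlib.md5(b"constructed key for FA 1").digest()
    key_fa2 = hashlib.md5(b"constructed key for FA 2").digest()
    update1 = deliver(key_fa1, secret, home_ip)
    update2 = deliver(key_fa2, secret, home_ip)

    # Problem #1: FA 1 holds key_fa1 in the clear and relays update1, so
    # XORing the two yields the pad, which also unmasks FA 2's delivery.
    pad_at_fa1 = xor(key_fa1, update1)
    key_fa2_at_fa1 = xor(update2, pad_at_fa1)

    # Problem #2: with no key at all, two deliveries XOR to the
    # difference of the two MN-FA keys; the pad cancels out.
    delta = xor(update1, update2)

    return {
        "pad_recovered": pad_at_fa1 == mn_encryption_pad(secret, home_ip),
        "other_key_recovered": key_fa2_at_fa1 == key_fa2,
        "delta_is_key_difference": delta == xor(key_fa1, key_fa2),
    }
```

All three results are true for any choice of secret and keys, which is why a mask used for key delivery has to change with every delivery.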

Page 30:

AAA Registration Keys for Mobile IP Enhancement

MN-HA key == MD5 (MN-AAAh key, NAI, HA IP address, Randomness)

MN-FA key == MD5 (MN-AAAh key, NAI, FA IP address, Randomness)

Assuming that MIP Keys are derived from root MN-AAAh key

Deliver Randomness in Unsolicited MN-FA or MN-HA Key From AAA Subtype (instead of encrypted key)

Deliver keys to FA or HA in MIP Key Attribute.

[Diagram labels: Lifetime; AAA SPI; FA or HA SPI; MN-FA or MN-HA key Randomness]

Page 31:

Proposed 1xEV MIP Cryptographic Key Hierarchy

[Diagram labels: MN-AAAh Key; Root Secret key; MN-FA Key; MN-HA Key; FA-HA Key; 128-bits (three times)]

• Bootstrap MN-AAAh key

• MN-HA key = MD5 (MN-AAAh key || MN NAI || HA IP address || Challenge)

• MN-FA key = MD5 (MN-AAAh key || MN NAI || FA IP address || Challenge)

Page 32:

Simple, Efficient, and Secure MIP Key Agreement

• The MN-HA or MN-FA key is not exposed to the Air Interface

• Over-the-Air cryptanalysis precluded

• Based on GSM, TR-45, 3GPP, and 3GPP2 key agreement techniques – proven key distribution method.

• No additional Air Interface Overhead

• MIP key generation within MN and AAAh independently

• Vendor Specific MIP Key Attribute enables network delivery to HA or FA

Page 33:

MN-FA Key Agreement

[Message-flow diagram. Entities: AAAh; MN; AAAL; HA; FA. Labels:]

• MN-FA key generated based on Challenge and MN-AAAh key.

• Generate MN-FA key based on Challenge and MN-AAAh key. Include in MIP Key Attribute

• Access Accept: (MN-FA key) MIP Key Attribute (shown twice)

• Challenge Extension

Page 34:

MN-HA Key Agreement

[Message-flow diagram. Entities: AAAh; MN; HA. Labels:]

• MN-HA key generated based on Challenge and MN-AAAh key.

• Generate MN-HA key based on Challenge and MN-AAAh key. Include in MIP Key Attribute

• Access Accept: (MN-HA key) MIP Key Attribute

• Directed Agent Advertisement: Challenge Extension

• (MN-HA key) MIP Key Attribute

Page 35:

“Directed” Agent Advertisement

• Preference to assign Reserved bit in Agent Advertisement as “MN-HA Update” bit.

• IETF approval could take years.

• Alternative – use MN Home IP address as the Agent Advertisement Destination Address (or globally defined IP address).

• Agent Advertisement currently uses “all systems on this link” or “limited broadcast” as destination address.

• MN-HA key only updated when MN directed by HA.

Page 36:

1xEV Cryptographic Key Hierarchy

[Diagram labels: MN-AAAh Key; Packet Data Root Secret key; MN-HA Key; MN-FA Key; AT key; FTCAuthKey; RTCAuthKey; FTCEncKey; RTCEncKey; A-key / NIA; Hash; 1xRTT; OTASP or AAA Update; Manufacturer Preload; WWW Download; MIP Layer keys; 1xEV DO Access Layer Encryption And Integrity keys; 128-bits (three times)]

Page 37:

1xEV DO MIM Attack

[Diagram labels: MN; PDSN; MIM Device; FALSE PDSN; FALSE MN; D-H Key Exchange (twice); UATI; MIM UATI; Registration Request (NAI); Session Hijack - Packet Injection; Packet Injection and/or Information Extraction]

Page 38:

Access Terminal (AT) Key

• Protects the MN-HA or MN-FA key from disclosure to Rogue AT.

• Enables Access Layer Privacy and Message Authentication.

• Shared secret between AT and RAN must be cryptographically strong.

• AT key field must be 128-bits long.

• AT key = MD5 (MN-HA key || UATI).

• AT key = MD5 (MN-FA key || UATI).
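The key hierarchy proposed on pages 30 and 31, carried down to the AT key defined above, as an added example that is not part of the original presentation. It shows the MN and the AAAh computing the same keys independently from the Challenge, so no key crosses the air interface. The byte encodings (ASCII NAI, 4-byte IPv4 address, 4-byte Challenge, raw UATI bytes), the function names and every value are assumptions.

```python
import hashlib
import socket


def derive_mip_key(mn_aaah_key: bytes, nai: str, agent_ip: str,
                   challenge: bytes) -> bytes:
    """MD5(MN-AAAh key || MN NAI || HA or FA IP address || Challenge)."""
    material = (mn_aaah_key + nai.encode("ascii")
                + socket.inet_aton(agent_ip) + challenge)
    return hashlib.md5(material).digest()


def derive_at_key(mip_key: bytes, uati: bytes) -> bytes:
    """AT key = MD5(MN-FA key || UATI), or MD5(MN-HA key || UATI)."""
    return hashlib.md5(mip_key + uati).digest()


def session_keys(root, nai, ha_ip, fa_ip, challenge, uati):
    """Everything one side derives from the root key for one registration."""
    mn_ha = derive_mip_key(root, nai, ha_ip, challenge)
    mn_fa = derive_mip_key(root, nai, fa_ip, challenge)
    return {"MN-HA": mn_ha, "MN-FA": mn_fa, "AT": derive_at_key(mn_fa, uati)}


def demo():
    # All values below are constructed for the illustration.
    root = bytes.fromhex("5f1d0c3a9b7e42d18a6c0e94b2f7d315")  # MN-AAAh key
    nai = "user@example.com"
    ha_ip, fa_ip = "198.51.100.1", "192.0.2.1"
    uati = bytes.fromhex("0a0b0c0d")
    c1, c2 = bytes.fromhex("01020304"), bytes.fromhex("a1b2c3d4")

    mn_side = session_keys(root, nai, ha_ip, fa_ip, c1, uati)    # in the MN
    aaah_side = session_keys(root, nai, ha_ip, fa_ip, c1, uati)  # in the AAAh
    rekeyed = session_keys(root, nai, ha_ip, fa_ip, c2, uati)    # new Challenge
    other_fa = derive_mip_key(root, nai, "192.0.2.99", c1)       # another FA

    return {
        "both_sides_agree": mn_side == aaah_side,
        "all_128_bits": all(len(k) == 16 for k in mn_side.values()),
        "three_distinct_keys": len(set(mn_side.values())) == 3,
        "new_challenge_rekeys_all": all(mn_side[n] != rekeyed[n]
                                        for n in mn_side),
        "per_fa_keys_differ": other_fa != mn_side["MN-FA"],
    }
```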

Page 39:

AT Key Generation

[Diagram labels: MN; PDSN; Relay Mode Mobile Station; AT; Laptop PC; Foreign Agent; UATI (three times); MN-FA Key (twice); AT Key (four times)]

Page 40:

GSM SIM vs. cdma2000 MN

[Diagram labels: UIM; HLR/AC; MS; Smart Card (computer); Authentication Algorithm; Key Generation; Air Interface; BS; A5 Encryption Key; A5 Key; MN; Radius AAA; MS/AT; Laptop computer; Authentication Algorithm; Key Generation; Air Interface; 1xEV DO BS; AT Key]

Page 41:

AT Key Transfer

[Diagram labels: MN; BlueTooth AT; 802.11 AT; 1xEV DO AT; 1xEV DO UATI; 802.11 Radio Access Layer ID; Bluetooth Radio Access Layer ID; AT Key (three times)]

Page 42:

Preventing MIM in 1xEV DO

[Diagram labels: MN; PDSN; MIM Device; FALSE PDSN; FALSE MN; D-H Key Exchange (twice); UATI; MIM UATI; Registration Request (NAI); Session Hijack - Packet Injection; Packet Injection and/or Information Extraction; Improper MAC (twice); Packet MAC Fails check – discarded (twice)]

Page 43:

Redundant AAA Servers

[Diagram labels: MN; HA; AT; PDSN; RAN; RAN Radius AAA; Radius AAAh; Radius AAAL; IP Layer Radius Authentication Secret; Access Layer Radius Authentication Secret]

Page 44:

Simple IP

• Define MN-AAAh secret as a cryptographically strong secret (e.g., MN-AAAh key).

• MN-AAAh key must be at least 90-bits long.

• RFC 1750 guidelines.

Page 45:

1xEV Security Solutions

• MN-AAAh Secret defined

–Cryptographically strong MN-AAAh key defined

• Mobile IP Key Distribution defined

–MN-HA key and MN-FA key key agreement defined

• Radio Access Layer security supported

–Access Terminal (AT) key defined