Cryptography in Public Wireless Networks Mats Näslund Communication Security Lab Ericsson Research [email protected] Feb 27, 2004
Jan 11, 2016
Cryptography in Public Wireless Networks
Mats Näslund
Communication Security Lab
Ericsson Research
Feb 27, 2004
Outline
• Overview of GSM Cryptography• Some possible “attacks” on GSM• Overview of WLAN Cryptography• How problems in one technology can spread
to another• How can you in practice fix a crypto problem
when thousands of devices are out there• Overview of “3G” UMTS Cryptography
History – GSM Security
• Use of a smart card SIM – Subscriber Identity Module, tamper resistant device containing critical subscriber information, e.g. 128-bit key shared with Home Operator
• SIM is the entity which is authenticated, basis for roaming• Initial GSM algorithms (were) not publicly available and
under the control of GSM-A, new (3G) algorithms are open• GSM ciphering on “first hop” only: stream ciphers using
54/64 bit keys, future 128 bits • One-sided challenge-response authentication• Basic user privacy support (“pseudonyms”)• No integrity/replay protection
GSM crypto is probably (one of) th
e most
frequently used crypto in the world.
History – GSM SecurityAccess security
Radio Base Station
RBS
MSC
SGSN
Base Station Controller
CS - Confidentiality, A5/1A5/2A5/3 (new, open)
GPRS - Confidentiality:GEA1GEA2GEA3 (new, open)
Authentication:A3 Algorithm
GSM Authentication: Overview
RBSMSC/VLR
AuC/HLR
Visited Network
Home Network
Req(IMSI)
RAND, XRES, KcRES
RES = XRES ?
RAND RAND, Kc
Ki
Ki
GSM Autentication: Details
A3 and A8: Authentication and key derivation (proprietary)A5: encryption (A5/1-4, standardized)
Ki(128)
rand (128)
res (32)
Kc (64)
A5/x
PhoneSIM
encr frame
Radio i/f
Rad
io B
ase
Sta
t ion
A3A8
(No netw auth, no integrity/replay protection)
data/speech
frame#
Cryptographic Transforms in Wireless
Wireless is subject to
• limited bandwidth• bit-errors (up to 1% RBER)
As consequence, most protocols:
• use stream ciphers (no padding, no error-propagation)
• do not use integrity protection (data expansion, loss)
GSM Encryption I: A5/1
output
cc
L1
L2
L3
“shift Li if middle bit of Li agrees with majority of middle bits in L1 L2 L3”
Sizes: 23, 22, 19 bit (i.e. 64 bit keys)
Status of A5/1
All Ax algorithms initially secret.
A5/1 ”leaked” in mid 90’s. A few attacks found.
[Biryukov, Wagner, Shamir 01]: 300Gb precomputed data and 2s known plaintext retrieve Kc 1min.
Little “sister”, A5/2 (reverse-engineered @Berkeley)
A5/2 (clock control)
R4 controls clocking
3 ”associated” bits, one per R1-R3
Ri (i =1,2,3) is clocked iff its ”associated” bit agrees with majority of the 3 bits
(At least two clocked)
The A5/2 Algorithm (details)
1. Kc (64 bits) bitwise sequentially XORed onto each Ri
First, set all four Ri to zero.
2. frame # (21 bits) bitwise sequentially XORed onto each Ri
3. Force certain bit in each Ri to ”1”
4. Run for 99 ”clocks” ignoring output
5. Run for 228 ”clocks” producing output
} exploited by attack…
Idea behind the attack
A5/2 is highly ”linear”, can be expressed as linear equation system in 660 unknowns 0/1 variables, of which 64 are Kc
If plaintext known, each 114-bit frame gives 114 equations
Only difference between frames is that frame numberincreases by one.
After 6 frames (in reality only 4) we have > 660 equations can solve!
If plaintext unknown, can still attack thanks to redundancyof channel coding (SACCH has 227 redundant bits per each 4-frame message).
Attack efficiency
Off-line stage (done once):
Storage for ”matrices”: approx 200MB
Pre-processing time: less than 3 hrs on a PC
On-line attack stage:
Requires 4-7 frames sent from UE on SACCH.
Retrieving Kc then takes less than 1 second.
Hardware requirement: normal PC and GSM capable receiver
Consequence 1: Passive attacks in A5/2 Network(Eavesdropping)
2 Cipher start A5/21 RAND, RES (and Kc)
Kc, Plaintext< 1 sec
New attackPC
< 1 sec of traffic
Consequence 2: Active attacks in any Network(False base-station/man-in-the-middle attacks)
6 Cipher start A5/2
2 RAND
8 Cipher stop9 Cipher start A5/1
5 Cipher start A5/1
1 RAND
7 Attack:: Kc
3 RES 4 RES
Consequence 3: Passive + Active attack
2 Cipher start A5/11 RAND, RES (and Kc)
Record
2 Cipher start A5/21 RAND, RES (and Kc)
Kc
Wireless LAN (802.11b, WEP) Security
CRC
CRC(msg)
keystream
RC4
kIV
40-104 bits 24 bitsrandom/per packet
msgcipher
Network fixed!
Will repeat:- for sure, after 224 msgs-after 5000 msgs (average) “two-time pad”
WLAN Security Problem No 2CRC is linear: CRC(msg ) = CRC(msg)CRC)
c’
keystreamm CRC(m )
m CRC(m)
keystream
c
Alice
c’
Bob
and so is any stream cipher:
Encr(k, msg) = Encr k, msg)
CRC()Eve:
WLAN Security Problem No 3
RC4 has only one “input”, the key. RC4kIV
This is “solved” by: RC4kIV append
IV || k
[Fluhrer, Mantin, Shamir, 2001]:The first bits of the RC4 key have significant “influence” on the RC4 ouput. Even if k is 1000 bits, knowing IVs makes it possible to break the WLAN encryption.
WLAN Security Problem No 4
Authentication protocol:
k
keystream
RC4
chall
k
chall = res
res
Observing a single “authentication”enables impersonation…
WLAN-Cellular Interworking Architecture
UTRANRNC
Node B
Node B
WSN/FA
WRAN
AP
AP
3GPP Home
NetworkSGSN
HLR
AuC
AAA
HSS
GGSN/FA
Gn
Gr(MAP)
Radius/Diameter
IP
Iu
ProxyAAA
Signalling and User DataSignalling Data
Subscriber Mgmt
Charging/Billing
“HOTSPOT”
Internet/Intranet
3GPP Visited
Network
E.g. SIM accessover Bluetoothor SIM reader
Motive: Mobile operators want to offer “hot-spots” for subscriber base.
WLAN/GSM Interworking Problems
GSM Security is not perfect, but “astronomically”better than WLAN (WEP). Can SIM re-use in WLAN threaten also GSM (and conversely)?
WLAN improvements under way, but will takesome time.
Major GSM upgrades not feasible (expensive,and we will soon have 3G anyway…)
Security Placement in Protocol Stack
L2 (media access control)
L1 (physical)
L3 (networking)
L4 (transport)
L5 (application)
GSM sec
WLAN sec “IPsec”
“TLS/SSL”
Fix by “gluing” onhigher layers, invisibleto lower layers
Security problems,risk of bad “interaction”
f( )f( )
Problem 2: Key Material Need
SIM can only provide one 64-bit key, goodencryption + integrity might need e.g. 256 bits.
RAND1, RAND2,…
Solution: bootstrap on top of SIM procedure
SIM/Terminal Network
K1 = A8(RAND1)K2 = A8(RAND2)…
f, one-way function, avoid possibly
weak A8 variants
Problem 2: WLAN Replay Attacks
Anybody can put up a “fake” WLAN AP at a very modest cost.
Record-GSM-then-WLAN-replay attacks possible.
Network authentication must be added.
RAND1, RAND2,…,
SIM/Terminal Network
K1 = f(A8(RAND1))K2 = f(A8(RAND2))…
RAND0
MAC(k, RAND0,…)Check MAC
Problem 3: GSM Replay Attacks
GSM has no replay protection either.
Record-WLAN-then-GSM-replay attacks possible.
Too expensive to add GSM network authentication.
Previous A5/2 problems must be fixed (As seen, also needed for GSM security as such)
Requirements
There are millions of mobile phones and SIMs and Thousands of network side equipment that potentially need upgrades to fix A5/2 problems. Need to affect as little as possible.
RBSMSC/VLR AuC/HLR
Visited Network Home Network
Recall the “security-relevant” nodes:
Possible fix I
1 RAND, RES (and Kc)2 Cipher start A5/x
Home net (HLR/AuC) signals ”special RAND” (fixed 32-bit prefix) and algorithm policy in RAND: A5/x allowed iff xth bit of RAND = 1
+ Simple (Home net+phone)
- 40 bits of RAND ”stolen”, impact on security?
Possible fix II (Ericsson)
+ Simple (visited net+phone)
+ Security ”understood”, key separation
RAND
Phone
SIM
A5/x
encr frame
A5/x
A5/x
Alg_idf
New alg: A5/x’
- Relies more on visited net
3G Security – UMTS, Improvements to GSM
• Mutual Authentication with Replay Protection• Protection of signalling data
– Secure negotiation of protection algorithms– Integrity protection and origin authentication– Confidentiality
• Protection of user data payload– Confidentiality
• “Open” algorithms (block-ciphers) basis for security– AES for authentication and key agreement– Kasumi for confidentiality/integrity
• Security level (key sizes): 128 bits• Protection further into the network
UMTS – Security
Node B MSC
SGSN
Integrity & ConfidentialityUIA & UEA algorithms (based on KASUMI)
Node B
Radio Network Controller
UMTS – Authentication and Key Agreement AKA
RBSMSC/VLR
AuC/HLR
Visited Network
Home Network
Req(IMSI)
RAND, XRES, CK, IK, AUTNRAND, AUTN
RES
RES = XRES ?
RAND, AUTN
Ki
Ki
Allows check ofauthenticity and “freshness”
Integrity protectionkey
Looks a lot like GSM, but…
UMTS Encryption: UEA/f8
Kasumi
Kasumi Kasumi Kasumi
Kasumi
c = 1 c = 2 c = B
CK(128 bits)
m (const)
keystream
COUNT || BEARER || DIR || 0…0 (64 bits)
“Provably” secure under
assumptions on Kasumi
“Masked” offset avoids known input/output pairs
“Counter” avoidsshort cycles
Inside Kasumi (actually: MISTY)
FI
+
16 bits 16 bits
FI
+
FI
+
8 rounds of:
FO+
32 bits 32 bits
k
security s2
S9
+
S7
+
S9
+
9 bits 7 bits
sec.s
security s4
security s8
(3 rounds)
UMTS Integrity Protection: UIA/f9
Kasumi
Kasumi Kasumi Kasumi
KasumiIK
COUNT || FRESH
M1
M2
MB
MAC (left 32 bits)
m’ Variant of CBC-MAC
(Used only on signaling, not on user data)
Comparison of Security Mechanisms
GSM GPRS WCDMA
Confidentiality
- Algorithm A5/1 & A5/2
A5/3 GEA1 & GEA2
GEA3 UEA (f8)
- Key length 64 (54) 64 (128) 64 (40) 64 (128) 128 - Public review No “Yes” No No Yes - Signalling Yes Yes Yes Yes Yes - User data Yes Yes Yes Yes Yes - Deployed Yes No Yes No ongoing Integrity - Algorithm - - - - UIA (f9) - Key length - - - - 128 - Tag length 32 - Public review - - - - Yes - Signalling - - - - Yes - User data - - - - No - Deployed - - - - ongoing
Any Public Key Techniques?
So far, only mentioned symmetric crypto, but public key is also used, typically for key-exchange (RSA, Diffie-Hellman, elliptic curves…):
• on “application level”, e.g. WAP
• for inter-operator signaling traffic
In general, too heavy for “bulk” use.
Summary
• Despite some recent attacks on GSM security, “2G” security is so far pretty much a success story
Main reason: convenience and invisibility to user
• Insecurity in one system can affect another when interacting
• “Fixing” bad crypto is easier said than done, practical cost is an issue
The
End
• “3G” crypto significantly more open and well-studied higher confidence