GSM and UMTS Security Vishal Prajapati (08305030) Vishal Sevani (07405010) Om Pal (07405702) Sudhir Rana (05005002)
GSM and UMTS Security
Vishal Prajapati (08305030)Vishal Sevani (07405010)
Om Pal (07405702)Sudhir Rana (05005002)
GSM Security Architecture
Homenetwork
Switching and
routing
Other Networks (GSM, fixed, Internet, etc.)
Visited network
HLR/AuCVLR
SIM
GSM Security Features• Authentication
– network operator can verify the identity of the subscriber making it infeasible to clone someone else’s mobile phone
• Confidentiality– protects voice, data and sensitive signalling information (e.g.
dialled digits) against eavesdropping on the radio path• Anonymity
– protects against someone tracking the location of the user or identifying calls made to or from the user by eavesdropping on the radio path
GSM Authentication ProtocolMSC orSGSN
HLR/AuCSIM
RAND
RES
{RAND, XRES, Kc}
Authentication Data Request A3 A8
Ki RAND
Kc
Kc RES
A3 A8
Ki RAND
XRES
RES = XRES?
Encryption in GSM
GSM Encryption Principles
• Data on the radio path is encrypted between the Mobile Equipment (ME) and the Base Transceiver Station (BTS)– protects user traffic and sensitive signalling data against
eavesdropping– extends the influence of authentication to the entire
duration of the call• Uses the encryption key (Kc) derived during
authentication
GSM User Identity Confidentiality
• User identity confidentiality on the radio access link– temporary identities (TMSIs) are allocated and used
instead of permanent identities (IMSIs)• Helps protect against:
– tracking a user’s location– obtaining information about a user’s calling pattern
IMSI: International Mobile Subscriber IdentityTMSI: Temporary Mobile Subscriber Identity
Specific GSM Security Problems
• The GSM cipher A5/2– A5/2 is now so weak that the cipher key can
be discovered in near real time using a very small amount of known plaintext
– Aim find the initial internal state of the registers.• Each frame in - 4.615 ms• So 2^8 frames in a sec.• After finding the initial state go backward and can
generate Kc
False Base Station Attack(1)
• Compromises User Identity Confidentiality
• Force MS to send IMSI• Cipher mode fault
False Base Station Attack(2)
• Active attack• IDENTITY REQUEST• Compromises User Data
Confidentiality
Source: LiTH-ISY-EX-3559-2004
Accessing Signaling network• No requirement of
decrypting skills• Need a instrument
that captures microwave
• Gains control of communication between MS and intended receiver
UMTS Security Mechanisms
Limitations of GSM Security
• Design only provides access security - communications and signalling in the fixed network portion aren’t protected
• Design does not address active attacks, whereby network elements may be impersonated
• Design goal was only ever to be as secure as the fixed networks to which GSM systems connect
• Short key size of Kc (64 bits) makes it more vulnerable to various attacks
Enhancements in UMTS vs GSM
• Mutual Authentication• provides enhanced protection against false base
station attacks by allowing the mobile to authenticate the network
• Data Integrity• provides enhanced protection against false base
station attacks by allowing the mobile to check the authenticity of certain signalling messages
• Network to Network Security• Secure communication between serving networks.
MAPSEC or IPsec can be used
UMTS Enhancements (contd)
• Wider Security Scope• Security is based within the RNC rather than
the base station
• Flexibility• Security features can be extended and
enhanced as required by new threats and services
• Longer Key Length• Key length is 128 as against 64 bits in GSM
HLRHLR AuCAuC
Access Network(UTRAN)
VisitedNetwork
User Equipment
D
RNCBTSUSIMUSIM MEME
SGSNSGSN
HMSCMSC
HomeNetwork
(2) Authentication
(1) Distribution of authentication vectors
UMTS Radio Access Link Security
(4) Protection of the access link (ME-RNC)
(3) CK,IK (3) CK, IK
MSC – circuit switched services
SGSN – packet switched services
Authentication and Key Agreement
• Mutual Authentication between user and the network
• Establishes a cipher key and integrity key
• Assures user that cipher/integrity keys were not used before, thereby providing protection against replay attacks
Authentication and Key Agreement
Authentication and Key Agreement
UMTS Integrity Protection Principles
• Protection of some radio interface signalling• protects against unauthorised modification, insertion and replay of
messages• applies to security mode establishment and other critical signalling
procedures • Helps extend the influence of authentication when encryption
is not applied• Uses the 128-bit integrity key (IK) derived during
authentication• Integrity applied at the Radio Resource Control (RRC) layer of
the UMTS radio protocol stack• signalling traffic only
Integrity and authentication of origin of signalling data provided. The integrity algorithm (KASUMI) uses 128 bit key and generates 64 bit message authentication code.
Integrity CheckIntegrity Check
UMTS Encryption Principles
• Data on the radio path is encrypted between the Mobile Equipment (ME) and the Radio Network Controller (RNC)
• protects user traffic and sensitive signalling data against eavesdropping
• extends the influence of authentication to the entire duration of the call
• Uses the 128-bit encryption key (CK) derived during authentication
Encryption
Signaling and user data protected from eavesdropping. Secret key, block cipher algorithm (KASUMI) uses 128 bit cipher key.
Protection Against Active Attacks
False Base Station Attack(1)
• Compromises User Identity Confidentiality
Reason
• No provision to ascertain the origin of information ie. lack of integrity check
False Base Station Attack(2)
• Exploits – user data confidentiality
Reason • No provision to ascertain
the origin of information ie. lack of integrity check
Source: LiTH-ISY-EX-3559-2004
False Base False Base Station AttackStation Attack
SolutionSolution
• Use of Integrity Use of Integrity CheckCheck
• After AKA SRNC After AKA SRNC sends integrity sends integrity protected message protected message containing security containing security capabilities of the capabilities of the ME, which the ME, which the mobile verifies to mobile verifies to ensure there is no ensure there is no foul playfoul play
Lack of Network Domain Security
• No security for communication between network elements in GSM
• Easy to gain access to sensitive information such as Kc
• Network Domain Security in UMTS foils these attacks
Summary of UMTS Security
UMTS builds upon security mechanisms of GSM, and in addition provides following enhancements,
Encryption terminates at the radio network controller Mutual authentication and integrity protection of critical
signalling procedures to give greater protection against false base station attacks
Longer key lengths (128-bit) Network Domain Security using MAPSEC or IPSec
References• UMTS security, Boman, K. Horn, G. Howard, P. Niemi, V.
Electronics & Communication Engineering Journal, Oct 2002, Volume: 14, Issue:5, pp. 191- 204
• "Evaluation of UMTS security architecture and services“, A. Bais, W. Penzhorn, P. Palensky, Proceedings of the 4th IEEE International Conference on Industrial Informatics, p. 6, Singapore, 2006
• UMTS Security, Valtteri Niemi, Kaisa Nyberg, published by John Wiley and Sons, 2003
• GSM-Security: a Survey and Evaluation of the Current Situation, Paul Yousef, Master’s thesis, Linkoping Institute of Technology, March 2004
• GSM: Security, Services, and the SIM Klaus Vedder, LNCS 1528, pp. 224-240, Springer-Verlag 1998
• Instant ciphertext-only cryptanalysis of GSM encrypted communication, Elad Barkan, Eli Biham, Nathan Keller, Advances in Cryptology – CRYPTO 2003