Page : 1 Cellular & Wireless Networks Technical University of Braunschweig IDA: Institute of Computer and Network Engineering Lecture-9 Mobile Security Fundamentals-III 3 rd Generation Security and Public Key Systems Fundamentals of Cellular and Wireless Networks Lecture ID: ET- IDA-113/114 20.07.2012 , v11 Prof. W. Adi
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page : 1 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Page : 2 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
New Trends in Mobile Security
Lessons learned in security design:
Successful attacks on GSM secret ciphers A5 and COMP128 1999-2003, Lead to standardizing publicly known and reviewed ciphers in the 3rd generation mobile systems
AES is a new International Ciphering Standard
Page : 3 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
AESAdvanced Encryption Standard
Proposed for 3G Mobile Authentication Functions
International Standard competition managed by NIST: US National Institute of Science and Technology 1998-2001
Page : 4 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Joan Daemen (of Proton World International)
Vincent Rijmen (of Katholieke Universiteit Leuven).
AES Round-3 Finalist Algorithms (finalized in 2001)
– MARS : IBM (USA)– RC6 : R. Rivest (MIT), creator of the widely used RC4 (USA)– Twofish : Counterpane Internet Security, Inc. (USA)– Serpent : Ross Anderson, Eli Biham and Lars Knudsen (USA)– Rijndael: Designed by J. Daemen and V. Rijmen (Belgium)
Page : 5 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
10 Encryption Rounds R1 … R10
Key
Round Keys
Key Expansion
R1X R2 R9 R10 Y
K1 K2 K9 K10...
...
Rijndael: Basic concept Key size128 to 256 bits
Rijndael: Basic concept
Page : 6 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Basic Encryption Round FunctionsRijndael AES:
b = [M] a-1 + C The Only non-linear mapping !
Byte sub
a2
Byte sub Byte subByte sub..
a1a16 a3
b1b2b3 b16
Clear Text (16 bytes)
Linear mappingB = [C] A
Round-Key Ki (128 bits)
Cipher Text (16 byts)
+B
A
Mix columnMix columnMix columnMix column
4 x 32 bits
Transposition
4 x 32 bits
Page : 7 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
- Published to the scientific community 1998- Is still not broken !!- No proof that Rijndael can not be broken !!
Security of AES/ Rijndael
Page : 8 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Experts learned over the years thatthe only way to assure security is:
• follow an open design process• encourage public scientific review Nobody is better than the rest of the research community.
Important Lessons in Security Design
2nd Generation security lessons
Page : 9 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
New 3G Security Features 1/2• Network Authentication
The user can provably identify the network• Network Security
Mechanisms to support security within and between networks• Switch Based Security
More switch based secrecy rather than only to base station • IMEI Integrity
Integrity mechanisms for IMEI provided from login• Secure Services
Protect against misuse of services provided by Service Network and Home Environment
Page : 10 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
• Secure ApplicationsProvide security for applications resident on USIM
• Fraud DetectionMechanisms to combating fraud in roaming situations
• FlexibilitySecurity features can be extended and enhanced as required by new
threats and services• Visibility and Configurability
Users are notified whether security is on and what level of security is available. Users can configure security features for individual services
• Lawful InterceptionMechanisms to provide authorized agencies with certain information
about subscribers
New 3G Security Features 2/2
In the following slides, the main 3G security functions are summarized.
Page : 11 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
3G User Confidentiality• User Confidentiality
Permanent user identity IMSI, user location, and user services cannot be determined by eavesdroppingAchieved by use of temporary identity (TMSI) which is assigned by VLR(IMSI is sent in clear text when establishing TMSI)
USIM VLR
IMSI
TMSI allocation
TMSI acknowledgement
IMSI request Visiting Location Register
Mobile Network
Page : 12 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
• Mutual AuthenticationDuring Authentication and Key Agreement (AKA) the user and network
authenticate each other, and also they agree on cipher and integrity key (CK, IK). CK and IK are used until their time expires. Assumption: trusted HE and SN, and trusted links between them. After AKA, security mode must be negotiated to agree on encryption and integrity algorithm.
Mutual Authentication Mechanism 1/2
Page : 13 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Generation of authenticationdata at “Home Network” site
Page : 14 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
• Data IntegrityIntegrity of data and source authentication of signaling data must be provided.The user and network agree on integrity key IK and algorithm such as f9 during AKA and security mode set-up. MAC (Message Authentication Code) is a mapping of the digest of the message through KSUMI cipher using the agreed integrity key KI. IF MAC-I and XMAC-I are equal, the message is seen as unmodified.
f 9
COUNT-I DIRECTION
MESSAGE FRESH
IK
MAC -I
f 9
COUNT-I DIRECTION
MESSAGE FRESH
IK
XMAC -I
SenderUE or RNC
ReceiverRNC or UE
3G Data Integrity Mechanism
KASUMI
Message authentic if equal
Page : 15 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
• Data ConfidentialitySignaling and user data should be protected from eavesdropping.The user and network agree on cipher key CK and algorithm such as f8 (KASUMI) during AKA and security mode set-up. The generated keystream block is added modulo-2 to the plaintext to encrypt and decrypt correspondingly.
PLAINTEXTBLOCK
f8
COUNT-C DIRECTION
BEARER LENGTH
CK
KEYSTREAMBLOCK
CIPHERTEXTBLOCK
f8
COUNT-C DIRECTION
BEARER LENGTH
CK
KEYSTREAMBLOCK
PLAINTEXTBLOCK
SenderUE or RNC
ReceiverRNC or UE
3G Data Encryption Mechanism
KASUMI
Page : 16 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Problems with 3G Security• IMSI is sent in clear text when allocating TMSI to the
user
• The transmission of IMEI is not protected; Equipment identity is still not secured
• A user can be brought to camp on a false BS. Once the user camps on the radio channels of a false BS, the user is out of reach of the paging signals of the network
• Hijacking outgoing/incoming calls in networks with disabled encryption is possible. The intruder poses as a man-in-the-middle and drops the user once the call is set-up
Page : 17 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Published 1976 by (Diffie &Hellman) at Stanford University - Breakthrough: Proved for the first time that it is
possible to share secrets without secret agreement
- Many 3G mobile security applications in user layer
are expected to employ public-key cryptography (Mobile Commerce, mobile IP applications ...)
Modern CryptographyPublic-Key Cryptography
Page : 18 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering
Public-Key Security Systems
K-secret K-public
Two major schemes in Public Key Cryptography:• Diffie-Hellman key exchange scheme• RSA public key secrecy system
- Open and close with different keys!!- No Secret Key Agreement required
Secret Key Systems
K-open = K-close(Symmetric System)
- Open and close with the same key which has to be agreed secretly !!
K-open K-close(Asymmetric System)
Page : 19 Cellular & Wireless NetworksTechnical University of Braunschweig
IDA: Institute of Computer and Network Engineering