8/13/2019 Test Bed for-security IEEE
1/18
3G-WLAN Convergence: Vulnerability, Attacks
Possibilities and Security odel
u!a""ad S!er #!o"as agedan$%aculty o& 'lectrical 'ngineering ( Co")uter Science, %aculty o& 'lectrical 'ngineering ( Co")uter Science,
*nstitute &or #eleco""unication Syste", Ne+tGeneration
*nstitute &or #eleco""unication Syste", Ne+tGeneration
Netorks *ntegration AV., #ec!nical /niversity 0erlin1 Netorks *ntegration -AV., #ec!nical /niversity 0erlin1
%okus %raun!o&er #eleco""unication *nstitute %okus %raun!o&er #eleco""unication *nstitute0erlin, Ger"any 0erlin, Ger"any
s!er2&okus&raun!o&erde "agedan$2&okus&raun!o&erde
AbstractIn this paper we present the vulnerability, threats and
attacks for Third Generation (3G) networks converged with
W!" and propose the security #odel addressing the roa#ing
and non$roa#ing security scenarios% &any threats against 3Gnetwork resources can be realised by attacking the W!" access
network, therefore it is i#portant to identify the security
re'uire#ents for 3G$W!" inter$working and choose a security
solution that is robust and dyna#ic to different levels of W!"
access network% The proposed architecture is based on the
tensible !uthentication *rotocol (!*) for +I&
!uthentication - .ey !gree#ent (!.!) and authori/ation
procedures, and secure tunnel establish#ent using I.v0
(Internet .ey change) *rotocol to #ini#i/e security threats%
We will also discuss the ter#ination of fake or forge W!"
session to protect the user confidential infor#ation on vulnerable
wireless link% The develop#ent is part of ecure ervice
*rovisioning (*) 1ra#ework of I* &ulti#edia yste# (I&) at
3Gb Testbed of 1okus 1raunhofer%
Keywords- Third Generation Networks, Vulnerability, Threats
and Attacks, Authentication and Key Agreement), Secure Tunnel.
4 *N#567/C#*6N
#!e "a8or security c!allenge o& ireless netorking and"obile co""unication is to )rotect netork resources andsecure end users Additional security "easures are re9uired tocou) it! t!e interce)tion o& data on t!e radio inter&aces andillegiti"ate access to "obile services #!e interce)tion o&users data breaks t!e con&identiality o& users in&or"ation andt!e illegiti"ate use o& services cause "as9uerading and &alsec!arging t!e users %irst ti"e t!e security "easures ere takeninto account in second-generation digital cellular syste"s egin GS Global Syste" &or obile co""unications.netorks ;= !as ado)tedan en!anced security &ra"eork &or t!e /niversal obile#eleco""unication Syste"s /#S. to overco"e t!e
eaknesses o& security inGS and ot!er >G netorks*n re&erence o& 3G security:;3= identi&ies t!e security)rinci)les and ob8ectives, ;?=!ig!lig!ts t!e security t!reatsand re9uire"ents, ;@=e+)lains t!e access security&or *P-based services and ;,?= discuss t!e securityarc!itecture
#!e security and data
)rivacy is a big c!allenge in
t!e convergence o&
teleco""unication and
*nternet tec!nologies because
any single security solution is
not suitable to )rovideco")lete security #!e
integration o& di&&erent access
tec!nologies causes "uc!
vulnerability and t!e !ackers
get access to steal &inancial and
con&idential in&or"ation #!e
/S* /ser Service *dentity
odule. can be used re"otely
via WLAN client &ro" serial,
in&rared, or 0luetoot!
connection to act as a s"art
card reader #!is in&rastructure
is vulnerable involving "anyaccess tec!nologies like
*n&rared, 0luetoot! or
Bi)erlan> *n &act "any t!reats
on 3G netorks in&rastructure
"ay be understood by
attacking t!e WLAN access
netork #!ere&ore it is
i")ortant to identity t!e
security re9uire"ents &or 3G-
WLAN inter-orking and
c!oose a security solution t!at
is robust and dyna"ic to
di&&erent levels o& WLAN
access netork ;= #!e
)ro)ose 3G-WLAN security
"odel is designed in aligned
it! 3GPP tec!nical
s)eci&ications to secure *P
ulti"edia Subsyste" *S.
;D= services on to) o& WLAN
access netorks by )roviding
security and )rivacy solution to
users as ell as netork
)roviders
#!e )a)er is organi$ed as:section ** describes di&&erentWLAN access scenariosEsection *** e+)loresvulnerability, security treatsand attacks )ossibilitiesE
section *V is about t!esecurity "ec!anis"s to)rotect 3G netork resourcesand user in&or"ation overWLAN and last sectionconcludes t!e ork
3@ 3G-WLANACC'SSSC'NA5*6S
#!ere are to )ossible
scenarios o& 3G netorksit! WLAN access )oints
A. 3G Home Network overWLAN Architecture
*n t!e &irst scenario, t!eWLAN Access GateayWAG. ;= resides in 3G!o"e netork as s!on in&igure
8/13/2019 Test Bed for-security IEEE
2/18
%igure )rocedure is aut!enticated using '+tensibleAut!entication Protocol 'AP. S* or 'AP AFA ; #!e !o"enetork is res)onsible &or access control #!e c!argingrecords can be generated in t!e visited and1or t!e !o"e 3Gnetorks #!e W"and Wore&erence )oints are intra-o)erator
#!e !o"e 3G netork inter&aces to ot!er 3GPP netorks viat!e inter-o)erator W# re&erence )oint #!e 3G AAA )ro+yrelays access control signaling and accounting in&or"ation tot!e !o"e 3G AAA server uses W#re&erence )oint *t can alsoissue c!arging records to t!e visited netork o&&line c!argingsyste" !en re9uired ;= #!e 3G netork inter&aces toWLAN access netorks via Ware&erence )oint
8/13/2019 Test Bed for-security IEEE
3/18
8/13/2019 Test Bed for-security IEEE
4/18
H W!enever so"eone tries to re"otely access /S*,so"e sort o& alert ill be sent eg "essage like alloor disallo in order to aut!ori$e users access
3H #!e /*CC !olding device is res)onsible &orsc!eduling all access to t!e /*CC
?H #!e /S* security reuse ill be in consistent it!current security setting and ensure t!at user security isnot co")ro"ised ;=
3 ecurit' Attacks cearios*n a ty)ical WLAN-3G inter-orking scenarios t!e
attacker can set u) a rouge access )oint AP. &or e+a")leatte")t to get &ree access, "odi&y legiti"ate user tra&&ic orlaunc! denial o& service attack ost o& t!e attacks lunc! atWLAN access netork "ay !ave i")lications on 3Gnetorks #!e attacks can be de)loyed re"otely over t!e
*nternet by setting u) a radio 8u")er in a !ots)ot to t!eWLAN to beco"e a legiti"ate user #!e &olloing are t!e)ossible attacks on 3G t!roug! WLAN access netorks
1) Attacks at WLAN +ser ,*ui-met#!e user ter"inals "ay be in&ected by viruses, #ro8an
!orses or ot!er "alicious so&tare #!ese )rogra"s o)erateit!out t!e knoledge o& t!e user on !is ter"inal to launc!"ulti)le ty)es o& attacks:
H #ro8ans "ay "onitor user keyboard or sensitive datao)eration activities and &orard to anot!er "ac!ine
3H alicious so&tare residing on di&&erent !osts can beused to launc! 7istributed 7oS 77oS. attacksagainst a target
>. Attacks rom Attacker ,*ui-met or Access PoitSeveral ty)es o& attacks are )ossible i& t!e attacker !as
access to a la)to) it! WLAN inter&aces or Access Point %orso"e WLAN tec!nologies, layer > control signaling are not
integrity )rotected and causing 7oS attacks *& t!ey are not)rotected t!e attacker can easily eavesdro) on t!e tra&&icbeteen a user and AP #!is ty)e o& attack can cause di&&erentt!reats %or e+a")le:
8/13/2019 Test Bed for-security IEEE
5/18
8/13/2019 Test Bed for-security IEEE
6/18
%igure ? USIM EAP AKA Procedure
*nWLAN 3G*P
access,aut!entication is)er&or"ed ina)rotectedtunnel!ic!)rovidesencry)
tion,integrity)rotectionandre)lay)rotection #oestablis!tunnel&ast re-
aut!entication isused tos)eedu) t!e)rocedure *&identity
)rivacysu))ort isused by t!e!o"enetork
and t!e W-/'received ate")oraryidentity ina )reviousaut!entication, it illuse it int!e tunnelaut!entication )rocess;= !ic!ill bee+)lainedinsubsection7
#!ete")oraryidentity touser isassignednot &or along ti"eso t!at usercan not betraced *&identity)rivacy isused butt!e AAAserver &ailsto identi&yt!e user byits
te")oraryidentity,t!e AAAserver illre9uest t!e
ne+t one int!e&olloingt!e order:
8/13/2019 Test Bed for-security IEEE
7/18
8/13/2019 Test Bed for-security IEEE
8/18
B. ,AP Autheticatio a# /e' A!reemet 0A/A) Proce#ure#!e WLAN access aut!entication signaling are e+ecuted
beteen W-/' and 3G AAA server and based on '+tensibleAut!entication Protocol 'AP. ;
8/13/2019 Test Bed for-security IEEE
9/18
8/13/2019 Test Bed for-security IEEE
10/18
8/13/2019 Test Bed for-security IEEE
11/18
%igure @ USIM Fast Re-Authentication Procedure
SecondInternationalConference onAvailability,Reliability andSecurity (ARES'07)0-769-!77-!"07
#!0$00 % !007
Authorized
licensed uselimited to: IEEE
Xplore. Downloaded onMarch 23, 2009 at
11:53 from IEEE Xplore.Restrictions apply.
8/13/2019 Test Bed for-security IEEE
12/18
4. 6ast Re7Autheticatio Proce#ureW!en aut!entication )rocesses !ave to )er&or" &re9uently,
it can cause !eavy netork load and bandidt! congestion *nt!is situation it is "ore e&&icient to )er&or" &ast re-aut!entications #!e &ast re-aut!entication )rocess allos t!eWLAN-AN Access Netork. to aut!enticate )reviouslyaut!enticated user in a lig!ter )rocess as s!on in &igure @,instead o& )er&or"ing again &ull aut!entication , %ast re-
aut!entication re-uses keys )reviously derived during &ullaut!entication #!is )rocedure is brie&ly e+)lained as &ollos:
H #!e AAA server sends 'AP 5e9uest1AFA 5e-Aut!entication to W-/' via W-AN, containingCounter, Nounce, AC, )rotected ne+t aut!entication*7 and result *7 )ara"eters
3H #!e W-/' sends 5es)onse1AFA 5e-Aut!enticationcontaining Counter, AC and result *7 )ara"eters toAAA server
?H A&ter t!e veri&ication, t!e AAA server sends successnoti&ication in 'AP1AFA Noti&ication to client and t!eclient sends back AFA Noti&ication in t!e 'AP5es)onse
8/13/2019 Test Bed for-security IEEE
13/18
%igure USIM
Tunnel IKE
Procedure
SecondInternationalConferenceonAvailability,Reliability
and
Security(ARES'07)0-769-!77-!"07#!0$00 %!007
Authorizedlicensed use
limited to: IEEE Xplore.Downloaded on March 23,
2009 at 11:53 from IEEEXplore. Restrictions apply.
8/13/2019 Test Bed for-security IEEE
14/18
D. (ue% Autheticatio a# Authori8atio#!e P7G Packet 7ata Gateay. is t!e end device on
netork side &or tunnel and W-/' and AAA server use*nternet Fey '+c!ange *F'v>. )rotocol as s)eci&ied in ;4= toestablis! t!e tunnel #!e 'AP "essages over *F'v> ill bee+c!anged beteen AAA server and WLAN client via P7Gt!roug! W" inter&ace #!e P7G e+tracts t!e 'AP "essages
received &ro" t!e W-/' over *F'v>, and sends t!e" to t!eAAA server over 7ia"eter #!e co")lete )rocedure ise+)lained in &igure
8/13/2019 Test Bed for-security IEEE
15/18
8/13/2019 Test Bed for-security IEEE
16/18
%igure Fraud Detection and Session Termination
*& t!e in&or"ation is t!e sa"e as it! an ongoing session, t!en
t!e aut!entication e+c!ange is related to t!e ongoing session, so
t!ere is no need to do anyt!ing &or old sessions *& it is t!e sa"e
client but it! a di&&erent AC address, or it! a di&&erent
VPLN identity or it! di&&erent radio netork in&or"ation t!atis received t!an in any ongoing session, t!e AAA server t!en
considers t!at t!e aut!entication e+c!ange is related to a ne
WLAN access session *t ill ter"inate an old WLAN access
session a&ter t!e success&ul aut!entication o& t!e ne WLAN
Access session, based on t!e )olicy !et!er si"ultaneous
sessions are not alloed, or !et!er t!e nu"ber o& alloed
sessions !as been e+ceeded *& t!e AC addresses old and ne.
are e9ual and t!e WLAN radio netork
Second InternationalConference onAvailability, Reliabilityand Security (ARES'07)0-769-!77-!"07 #!0$00% !007
Authorized
licensed uselimited to: IEEE
Xplore. Downloaded onMarch 23, 2009 at
11:53 from IEEE Xplore.Restrictions apply.
8/13/2019 Test Bed for-security IEEE
17/18
in&or"ation received is di&&erent &ro" t!e old one, t!e nesession is considered to be a &raudulent one and t!e AAA
server ter"inates t!e ne session
>> C6NCL/S*6NS
#!is )a)er )rovides an arc!itectural and i")le"entation)ers)ective o& 3G Netork over WLAN security "odel #!e
)ro)osed "odel is based on 3GPP tec!nical s)eci&ications and)rotocols to use 3G services over WLAN access netorks in asecure and )rotected ay #!is researc! ork is )art o& SecureService Provisioning SSP. %ra"eork ;?= to )rovide secureservices to 3Gb #estbed ;, No3 >. >>@->@D, *SSN: ?: Q*nternet Fey '+c!ange*F'v>. ProtocolQ
;?
8/13/2019 Test Bed for-security IEEE
18/18
Authorized
licensed uselimited to: IEEE
Xplore. Downloaded onMarch 23, 2009 at
11:53 from IEEE Xplore.Restrictions apply.