15 mobile communication - i4.de

Security in Communication Networks WS‘00/01 15. Security in Mobile Communication

Upload: lehuong

Post on 24-Jul-2018

1 / 40 Contents

Security in Mobile Communication

• Security Problems Unique to Wireless Communication
• Security in GSM
  → GSM System Overview
  → Security Functions of GSM
  → Protecting the Subscriber’s Identity
  → Location Privacy
• UMTS Security Advances Compared to GSM
  → February 12th 2001: Guest Talk by Dr. Stefan Pütz (T-Mobil)

2 / 40 Security Problems Unique To Wireless Communication

Wireless communication (i.e. radio transmission) makes attacking easier:
• eavesdropping on communication is simple
• no access to special locations is required
• impersonating a registered user is relatively simple

Analogue systems suffered from these problems in the 80’s

• GSM and Wireless LAN (IEEE 802.11, used by MoPS) face similar problems
• security in 802.11 systems not mature
• focus will be on the complex GSM system.

Major goals of wireless security:
1. Protect network against unauthorised access
2. Protect user from fraudulent impersonations
3. Protect user’s privacy

3 / 40 GSM - Common Architecture

[Figure: GSM common architecture with the components EIR, AUC, HLR, VLR, OMC, MSC, GMSC, ISC and BSC, and the connections to PSTN/ISDN and the international PLMN]

AUC: Authentication Center
BSC: Base Station Controller
EIR: Equipment Identity Register
GMSC: Gateway Mobile Switching Center
MSC: Mobile Services Switching Center
ISC: International Switching Center
OMC: Operation and Maintenance Center

4 / 40 Addresses and Identifiers in GSM (1)

• International Mobile Station Equipment Identity (IMEI)
  – serial number that uniquely identifies mobile equipment internationally
  – stored in the Equipment Identity Register (EIR)
  [Figure: IMEI fields: Type Approval | Final Assembly | Serial Number | Spare (lengths in decimal digits)]

• Mobile Subscriber ISDN Number (MSISDN)
  – "real telephone number" of a subscriber
  [Figure: MSISDN fields: Country Code | Nat. Dest. Code | Subscriber Number (max. 10 decimal digits)]

5 / 40 Addresses and Identifiers in GSM (2)

• International Mobile Subscriber Identity (IMSI)
  – non-public identifier stored on the Subscriber Identity Module to identify a subscriber within the network
  – separation of MSISDN and IMSI protects confidentiality, as the IMSI is not public and faking an identity is therefore more difficult
  [Figure: IMSI fields: Mobile Country | Mobile Network | Mobile Subscriber Identification Number (max. 10 decimal digits)]

• Location Area Identity (LAI)
  – internationally unique address denoting a location area
  [Figure: LAI fields: Country Code | Network Code | Location Area Code (max. 5 decimal digits)]

6 / 40 Addresses and Identifiers in GSM (3)

• Temporary Mobile Subscriber Identity (TMSI)
  – is only assigned during the mobile's presence in the area of one VLR, and can be changed during this period (ID hopping)
  – it is used in place of the IMSI for the identification and addressing of the mobile station
  – thus, nobody can determine the identity of the subscriber by listening to the radio channel
  – together with the LAI, the TMSI replaces the IMSI and is used to identify a subscriber
  – operator specific format; up to 4x8 bits

7 / 40 Location Management - Introduction

• a location area represents the smallest unit for which the network maintains the current position of a user
• it consists of a number of cells
• in case of an incoming call
  – the current location area of the subscriber can be determined by a database request
  – the user is paged in all cells within his location area by broadcasting his TMSI on a dedicated broadcast channel that is sensed by all terminals
  – after receiving the subscriber's TMSI, the mobile sends a response message
• location area concept represents a compromise between permanently keeping track of a subscriber's position on a cell basis (large amount of signalling traffic due to frequent location updates) and paging him in all cells of the network (large amount of paging costs)

8 / 40 Private Data Created by the User (1)

Private data created by a user in a mobile cellular network:
1. The identity of the user, the serial number of the mobile phone and location data are transmitted to the network internal databases
2. To check the reachability of the mobile phone, the stored location data is updated from time to time (periodic location update)

network carrier   country       periodic location update time constant
D1                Germany       6 hours
D2                Germany       4 hours
E+                Germany       12 hours
ITINERIS          France        6 minutes
MERCURY           England       30 minutes to 4 hours
SPRINT            USA           30 minutes
SWISSCOM          Switzerland   2 hours

see http://www.ii-mel.com/interception/mobile_tracegb.htm

9 / 40 Private Data Created by the User (2)

In addition, locations of mobile users are backed up, although from the technical point of view there is no reason to store a history of locations

network carrier: D1, D2, E+, ITINERIS, SFR, SPRINT, SWISSCOM
country: Germany, Germany, Germany, France, France, USA, Switzerland
periodic location update time constant: -, 2 days, 2 days, -, 15 days, 7 days

see http://www.ii-mel.com/interception/mobile_tracegb.htm

3. Each attempted call to a mobile phone is logged and stored by the network
4. The implemented security protocols can be "broken" as a result of implementation weakness

10 / 40 Security functions of GSM

• Subscriber Identity Module
  – access control by means of a smart card called subscriber identity module (SIM) and a personal identification number (PIN)

• Subscriber Authentication
  – authentication of the users towards the network carrier and generation of a session key in order to prevent abuse

• Encryption of User Data
  – encryption of communication on the radio interface, i.e. between mobile station and base station

• Protection of Subscriber Identity
  – concealing the user's identity on the radio interface, i.e. the TMSI is used for the identification of a mobile user instead of the IMSI

11 / 40 Subscriber Identity Module

• is in form of a credit card which is portable and therefore transferable between mobile stations
• distinction between terminal mobility and personal mobility
  – terminal mobility: the user can register into the locally available network with his SIM
  – personal mobility: the SIM-card can be deployed in different mobile stations and can even be used as a telephone card in the fixed telephone network (not installed by German operators)
• stores the following security-related data:
  – International Mobile Subscriber Identity (IMSI)
  – Subscriber Authentication Key
  – PIN
  – Temporary Mobile Subscriber Identity (TMSI)
  – Location Area Identifier (LAI)
• additionally stores user-related data like short messages and telephone books

12 / 40 Cryptographic Algorithms Used By GSM

GSM defines three algorithms A3, A5 and A8

Details:
• A3
  – used for authentication
  – not specified in standard; can be chosen independently by each operator
• A5
  – used for encryption
  – specified at international level to enable roaming
• A8
  – used for key management
  – not specified in standard; can be chosen independently by each operator

All algorithms are kept secret!
No other Ax algorithms - A1, A2, etc. were place-holders during GSM design

13 / 40 Subscriber Authentication (1)

• authentication is necessary during
  – location registration
  – location update with change of the VLR
  – call setup
  – sending a short message (SMS)
• the process of authentication is based on a subscriber authentication key, the A3-algorithm and a random number
• Subscriber Authentication Key is stored on the SIM
• on the network side, the subscriber authentication key is stored in the AUC
• the random value cannot be predetermined and therefore, recording the channel transmission and playing it back cannot be used to fake an identity

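14 / 40 Subscriber Authentication (2)

[Figure: Subscriber authentication between Mobile Station and Network. The network sends the Random (128 Bit); on each side A3 computes the Signature Response (32 Bit) from the Subscriber Authentication Key (128 Bit) and the random number; on the network side the key belongs to the IMSI, and the two signature responses are compared (=)]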

15 / 40 Generation of the Cipher Key (1)

• a cipher key is used in the algorithm A5 for the symmetric encryption of user and signalling data
• it is generated at each side using the generator algorithm A8 and a random number
• at the network side, the values of the cipher key are calculated in the AUC/HLR simultaneously with the signature response (see Subscriber Authentication)
• the 3-tuples (random number, signature response, cipher key) are stored at the AUC/HLR and supplied on demand, if the subscriber authentication key is only known to the HLR
• otherwise, i.e. if the VLR has access to the subscriber authentication key, the cipher key can be calculated directly by the VLR

16 / 40 Generation of the Cipher Key (2)

[Figure: Generation of the cipher key in Mobile Station and Network. On each side A8 computes the Cipher Key (64 Bit) from the Subscriber Authentication Key (128 Bit) and the Random (128 Bit); on the network side the key belongs to the IMSI]

17 / 40 Symmetric Encryption of User Data (1)

[Figure: processing chain: Block coding, convolutional coding, interleaving → User data encryption → Burst building → Differential coding and modulation → Transceiver]

• encryption of transmitted data is a special characteristic of GSM and distinguishes GSM from analogue cellular and ISDN networks
• transmitting side: encryption after channel coding and interleaving
• receiving side: decryption directly follows the demodulation of the data stream

• block coding: generates the parity bit for a block of data thus allowing the detection of errors in this block
• convolutional coding: calculation of additional redundancy for error correction to correct errors caused by the radio channel
• interleaving: distribution of code words by spreading in time and merging them across several bursts for transmission (achieves better error correction results)
• burst building: each interleaving block (114 bit) is mapped onto a burst
• differential coding and modulation: coding the bursts for transmission over the air interface

18 / 40 Symmetric Encryption of User Data (2)

[Figure: Symmetric encryption between Mobile Station and Network, started by the Ciphering Mode Command. On each side A5 derives a key block (114 Bit) from the Cipher Key (64 Bit) and the TDMA Frame Number (22 Bit); the key block is combined with the plain text (114 Bit, after interleaving) to give the ciphered message, which is encrypted within the radio part of the transmission path]

19 / 40 Symmetric Encryption of User Data (3)

[Figure: Ciphering and deciphering. On each side A5 produces a key flow from the cipher key and the frame number; the key flow is combined bit by bit with the user data flow; both sides are kept in synchronization]

• Signalling and user data are encrypted together; for dedicated signalling channels the same method is used as for traffic channels
• ciphering uses a bit stream which is added bitwise to the data to be enciphered (similar to a one-way key)
• deciphering consists of performing an EXCLUSIVE OR of the enciphered data stream with the ciphering stream
• to synchronise, the deciphering mechanism has to be started at precisely the correct moment!

20 / 40 Protection of Subscriber Identity (1)

Purpose
• prevents disclosing which subscriber is using which resources in the network
• ensures the confidentiality of user data and signalling traffic
• prevents localising and tracking of a mobile station

Realisation
• transmitting the IMSI unencrypted should be avoided
• instead of the IMSI, the TMSI is used on the radio channel for identification purposes
• the TMSI is temporary and is only valid within the coverage area of the current VLR
• the subscriber can only be uniquely identified by using the TMSI in combination with the LAI
• the association between IMSI and TMSI is stored in the VLR

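21 / 40 Protection of Subscriber Identity (2)

[Figure: Procedure for establishing a new TMSI, between Mobile Station and Network. The mobile station sends LAIold, TMSIold. If TMSIold is unknown, the network sends an Identity Request and the mobile station answers with an Identity Response carrying the IMSI (unencrypted! only necessary if TMSIold is lost). After Authentication the network assigns and stores TMSInew and sends it in the TMSI Reallocation Command (encrypted with A5 and the cipher key); the mobile station stores TMSInew and answers with TMSI Reallocation Complete; TMSIold is removed]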

22 / 40 Protection of Subscriber Identity (3)

• algorithm for generating the TMSI is determined by the network operator and is not subject to standardisation
• subscriber identity is protected against eavesdropping in two ways:
  – the temporary TMSI is used on the radio channel instead of the IMSI
  – each new TMSI is transmitted in encrypted form
• in case of database failures (loss of TMSI, TMSI unknown at VLR, etc.), the IMSI must be transmitted as clear text before encryption is turned on

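23 / 40 Interaction of GSM Security Mechanisms

[Figure: Interaction of GSM security mechanisms between Mobile Station (holds Ki, IMSI, TMSI) and Network (holds Ki, IMSI, TMSI and RAND, SRES). Challenge-response authentication: both sides compute SRES and the cipher key with A3+A8 from Ki and RAND, and the network compares the authentication result (=). Encrypted communication: A5 with the cipher key is applied on both sides. Message labels in the figure: Location Updating Request (TMSI old, LAI old), Authentication Request (RAND), Authentication Response (SRES), Ciphering Mode Command, Ciphering Mode Complete, TMSI Reallocation Command, Location Updating Accept, TMSI Reallocation Complete]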
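
The exchange from the slides on subscriber authentication, cipher key generation and TMSI reallocation, as an added example that is not part of the original lecture. Because A3, A5 and A8 are secret or operator-specific, HMAC-SHA256 stands in for all three (an assumption); only the bit lengths (128-bit key and random number, 32-bit signature response, 64-bit cipher key, 22-bit frame number, 114-bit key block) come from the slides, and the class names and the IMSI are constructed.

```python
import hashlib
import hmac
import secrets


def a3_a8(ki, rand):
    """Stand-in for the secret A3 and A8: returns (32-bit SRES, 64-bit cipher key)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def a5_key_block(kc, frame_number):
    """Stand-in for A5: 114-bit key block from cipher key and 22-bit frame number."""
    fn = (frame_number & 0x3FFFFF).to_bytes(3, "big")
    stream = hmac.new(kc, fn, hashlib.sha256).digest()[:15]   # 120 bits
    return int.from_bytes(stream, "big") >> 6                 # keep 114 bits


def a5_xor(kc, frame_number, block):
    """Ciphering and deciphering are the same bitwise XOR with the key block."""
    return block ^ a5_key_block(kc, frame_number)


class Sim:
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc, self.tmsi = imsi, ki, None, None

    def respond(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)   # A3 and A8 run on the card
        return sres


class AuC:
    def __init__(self):
        self._ki = {}

    def provision(self, imsi, ki):
        self._ki[imsi] = ki

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)          # 128-bit unpredictable random number
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc                   # the key itself stays in the AUC


class Vlr:
    def __init__(self, auc):
        self.auc, self.tmsi_to_imsi = auc, {}

    def location_update(self, sim, frame_number):
        # Simplification: the subscriber is looked up by IMSI, not by TMSI old / LAI old.
        rand, expected, kc = self.auc.triplet(sim.imsi)
        if not hmac.compare_digest(sim.respond(rand), expected):
            return False                        # signature responses differ
        tmsi_new = secrets.randbits(32)
        ciphered = a5_xor(kc, frame_number, tmsi_new)        # TMSI Reallocation Command
        sim.tmsi = a5_xor(sim.kc, frame_number, ciphered)    # mobile station deciphers
        self.tmsi_to_imsi[tmsi_new] = sim.imsi
        return True


if __name__ == "__main__":
    auc, ki = AuC(), secrets.token_bytes(16)
    auc.provision("001010000000001", ki)        # constructed IMSI
    vlr, sim = Vlr(auc), Sim("001010000000001", ki)
    print("genuine SIM accepted:", vlr.location_update(sim, frame_number=1234))
    print("TMSI known to both sides:", vlr.tmsi_to_imsi.get(sim.tmsi) == sim.imsi)
    clone = Sim("001010000000001", secrets.token_bytes(16))   # wrong key
    print("SIM with wrong key accepted:", vlr.location_update(clone, 1235))
```

Each call to `triplet` draws a fresh random number, so a signature response recorded from one run does not answer the next challenge; deciphering with a different frame number yields a different key block and therefore garbage.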

24 / 40 Location Privacy

Remaining problem:
The subscriber’s movement profile is still known to the provider!

Required:
A method for concealing subscriber’s current position (as long as terminal is ready for communication but not actually engaged in a call)

Proposed solution (Kesdogan):
• Address subscriber by pseudonym and not „real“ number (a pseudonym is e.g. a 100 digit random number)
• Management of pseudonyms in HTD (Home Trusted Device)
• HTD is a party trusted by all participants
• HTD should be able to handle a large number of pseudonyms

25 / 40 Location Privacy

Procedure:
1. Incoming call for subscriber Mr. X
2. Request at GMSC and HLR: where is Mr. X?
3. GMSC asks Home Trusted Device (HTD)
4. HTD returns current pseudonym of Mr. X
5. Subscriber can be found via pseudonym

In effect:
• Network provider knows that there are „certain users“ in the network with „certain pseudonyms“
• Provider also knows current LA of pseudonym
• Provider DOES NOT KNOW who is hidden behind pseudonyms

26 / 40 Temporary Pseudonyms

Requirement:
• Pseudonyms have to be changed „frequently“ => „temporary pseudonyms“ (TP)
• Pseudonym changes must be conducted synchronously in MS and HTD
  – pseudo random number generator (PRG) with a common generator seed
  – PRGs determine time for next change
• Practical problem: clock drift
  – use time signal of GPS
  – radio controlled clock
  – synchronise during calls

[Figure: the HTD maps MSISDN→TP with TP := PRG(seed,t); the MS computes TP := PRG(seed,t) with the same seed and time t; the HLR stores TP→VLR and the VLR stores TP→LA]

27 / 40 Temporary Pseudonyms

WHEN should pseudonyms be changed?

Answer:
time differences should be exponentially distributed
Exponential distribution has property of being „memoryless“, i.e. time since last change holds no information on time to next change

[Figure: timeline t. After an event the mean time to the next event is 1/λ; after an interval in which nothing happens the mean time to the next event is also 1/λ]

28 / 40 Temporary Pseudonyms

Problems with „temporary pseudonyms“

• Passive attacks (i.e. just wait until subscriber makes a call)
  – when call is established pseudonymity is lost
  => pseudonyms should be changed rather often

• Active attacks
  – fake call of provider to find out:
    · who is currently hiding behind a pseudonym
    · which pseudonym is currently used by a specific user
  – this could at least be monitored by keeping a logfile

• HTD-Management
  – what happens when HTD is down? (central point of failure)
  – research is ongoing to resolve this

29 / 40 Temporary Pseudonyms with Distributed Trusted Parties

Sensible:
One large, redundant HTD used by many providers (a so-called „Trusted Third Party“)

What happens when Trusted Party is corrupted?

“Solution” (without considering cost!):
„Distributed Trusted Party“ (DTP): divide trusted party in several dependent parts DTP1, ... , DTPn

Pseudonyms are produced jointly by all DTPi:
→ Underlying assumption: even corrupt DTPs will do correct algorithmic operations (or will at least be detected very soon)
→ However: we cannot guarantee that all DTPs are not corrupt
→ DTPs could tell secrets to “malicious network providers”

30 / 40 Temporary Pseudonyms with Distributed Trusted Parties

DTPi stores: <MSr, PRGstart<r>, TPi(MSr)>   ( i = 1, 2, .. , n )
• MSr: address of Mobile Station r
• PRGstart<r>: returns seed for PRG of DTPi, as well as times t0<r>, t1<r>, t2<r>, .. for pseudonym change
• TPi(MSr): component of MSr’s temporary pseudonym which is provided by DTPi

Aggregate pseudonym: TP(MSr) = ⊕_{i=1}^{n} TPi(MSr)

Thus a single DTPi (or even n-1 DTPi’s) cannot determine the new pseudonym

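31 / 40 Distributed Trusted Party Signalling Example

[Figure: signalling example in five numbered steps with a GMSC and four parties DTP1 to DTP4. An incoming call for the MS (identified by MSISDN) arrives at the GMSC; the GMSC asks TP(MSISDN) ?; each DTPi answers with its mapping MSISDN→TPi; the answers are combined by XOR, TP := TP1 ⊕ TP2 ⊕ TP3 ⊕ TP4; the GMSC then issues Send Routing Info with TP]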
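
The lookup TP := PRG(seed,t) and the aggregate TP = TP1 ⊕ ... ⊕ TPn from the slides above, as an added example that is not part of the original lecture. The slides do not specify the PRG, so HMAC-SHA256 stands in for it; the 16-byte pseudonym length, the integer time step `t`, the class names and the helper `share_explaining` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TP_BYTES = 16   # pseudonym length chosen for this example


def prg(seed, t):
    """TP_i := PRG(seed, t); HMAC-SHA256 stands in for the unspecified generator."""
    return hmac.new(seed, t.to_bytes(8, "big"), hashlib.sha256).digest()[:TP_BYTES]


def aggregate(partials):
    """TP := TP_1 xor TP_2 xor ... xor TP_n."""
    tp = bytes(TP_BYTES)
    for part in partials:
        tp = bytes(a ^ b for a, b in zip(tp, part))
    return tp


class Dtp:
    """One distributed trusted party: stores a seed per mobile station."""

    def __init__(self):
        self._seed = {}

    def register(self, msisdn, seed):
        self._seed[msisdn] = seed

    def partial(self, msisdn, t):
        return prg(self._seed[msisdn], t)


class MobileStation:
    def __init__(self, msisdn, dtps):
        self.msisdn = msisdn
        self._seeds = [secrets.token_bytes(16) for _ in dtps]
        for dtp, seed in zip(dtps, self._seeds):
            dtp.register(msisdn, seed)      # each DTP learns only its own seed

    def pseudonym(self, t):
        return aggregate(prg(seed, t) for seed in self._seeds)


def gmsc_lookup(dtps, msisdn, t):
    """Incoming call: the GMSC asks every DTP and XORs the answers."""
    return aggregate(dtp.partial(msisdn, t) for dtp in dtps)


def share_explaining(known_partials, candidate_tp):
    """The one missing partial that would make n-1 known partials yield candidate_tp."""
    return aggregate(list(known_partials) + [candidate_tp])


if __name__ == "__main__":
    dtps = [Dtp() for _ in range(4)]
    ms = MobileStation("MSISDN-Mr-X", dtps)             # constructed identifier
    print("same t:", gmsc_lookup(dtps, ms.msisdn, 5) == ms.pseudonym(5))
    print("clock drift by one step:", gmsc_lookup(dtps, ms.msisdn, 6) == ms.pseudonym(5))
    known = [d.partial(ms.msisdn, 5) for d in dtps[:3]]  # three colluding DTPs
    guess = secrets.token_bytes(TP_BYTES)
    print("guess consistent:", aggregate(known + [share_explaining(known, guess)]) == guess)
```

The last line shows why n-1 parties learn nothing: for every candidate pseudonym there is a value of the missing share that explains it, so their shares rule out no candidate.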

32 / 40 Temporary Pseudonyms with Distributed Trusted Parties

Problems:
• Costs
• Reliability: what happens if DTPi becomes unavailable?
• What happens when DTPs are corrupt? (At least one must be trustworthy)

Additional problem with corrupted DTP:

[Figure: pseudonym change in corrupted DTP; the DTP tells the malicious network provider about the change; concurrent change of pseudonym in LA; the network provider can now map pseudonym to subscriber]

Threat by cooperation between:
• corrupted DTPi
• malicious network provider

33 / 40 Temporary Pseudonyms with Distributed Trusted Parties

Possible “solutions” for problem of corrupted DTPs:

1. All subscribers simultaneously change their pseudonyms (not possible due to enormously high signalling load.)

2. All subscribers of a „class“ change pseudonyms simultaneously

– number of classes must be large enough, such that the number of subscribers per class is low enough for the net to handle a class-change

– number of classes must be low enough to have a sufficient number of subscribers per class, so that no information can be gained concerning a single subscriber

3. Play off DTPs against each other

34 / 40 Synchronised Pseudonyms

User divides DTPs in 2 parts, w.l.o.g.: DTP1, DTP2, ..., DTPn/2 and DTPn/2+1, DTPn/2+2, ..., DTPn

• Idea: Prevent a party from predicting that a change of its partial pseudonym actually yields change of total pseudonym
• Additional value pi per DTPi: determines probability for an actual change in pseudonym
• Additional PRG2 per DTPi: generates random value which is compared to pi
• Only user knows which parties are synchronised (i.e. which parties share same seeds for PRG1)

Idea: contributions of DTP1 and DTPn/2+1 are very often the same; thus they cancel each other out due to the XOR operation. Therefore it doesn’t say a lot when DTP1 announces partial pseudonym...

35 / 40 Synchronised Pseudonyms

DTPi:
• times for change of partial pseudonym: t1(i), t2(i), t3(i), ... (using PRG1)
• at the same time uj(i) is determined: u1(i), u2(i), u3(i), ... (using PRG2)

PRG2 determines uj(i) ∈ [0;1[ (uniformly distributed)
uj(i) < pi => propagate new partial pseudonym
uj(i) ≥ pi => no change
Thus, the partial pseudonym is changed with prob. pi

• Each time partial pseudonym is generated by DTPi the partner DTPn/2+i generates the same partial pseudonym
• User only accepts new pseudonym if both partners yield different results!

Telling t1(i), t2(i), ... to malicious provider would give valuable information.
But: u1(i), u2(i), ... “hide” information.

36 / 40 Synchronised Pseudonyms

Determining time for change of total pseudonym becomes impossible, since DTPi (hopefully!) does not know who its partner is.

It can easily be shown:
• if all pi have same value p = pi
• if n is number of DTPs
• and if time between two possible changes is exponentially distributed with parameter λ (i.e. mean time between arrivals is 1/λ)

THEN:
• Time between two “real” changes of total pseudonym is exp. distr. with parameter p (1-p) n λ.
• Mean time between change: 1 / ( p (1-p) n λ )
  – long time to pseudonym change, when p either very small or very big
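
A simulation that checks the stated rate p (1-p) n λ, as an added example that is not part of the original lecture. It reads the slides as follows (an assumption): the n DTPs form n/2 synchronised pairs, each pair has possible change times with exponential gaps of parameter λ, both partners draw their uj(i) independently, and a real change happens when exactly one partner propagates, which has probability 2p(1-p); the function names are chosen here.

```python
import heapq
import random
import statistics


def expected_mean_gap(n, p, lam):
    """Mean time between real changes as stated on the slide: 1 / (p (1-p) n lambda)."""
    return 1.0 / (p * (1.0 - p) * n * lam)


def simulate_gaps(n, p, lam, real_changes, seed=2001):
    """Return the times between consecutive real changes of the total pseudonym."""
    rng = random.Random(seed)            # fixed seed: the run is reproducible
    pairs = n // 2
    # next possible change time of every synchronised pair (PRG1 in the slides)
    clock = [(rng.expovariate(lam), i) for i in range(pairs)]
    heapq.heapify(clock)
    gaps, last = [], 0.0
    while len(gaps) < real_changes:
        t, i = heapq.heappop(clock)
        heapq.heappush(clock, (t + rng.expovariate(lam), i))
        first = rng.random() < p         # u_j(i) < p: DTP_i propagates
        partner = rng.random() < p       # same test at DTP_(n/2+i)
        if first != partner:             # results differ: user accepts new pseudonym
            gaps.append(t - last)
            last = t
    return gaps


def mean_and_cv(gaps):
    """Mean gap and coefficient of variation (1.0 for an exponential distribution)."""
    mean = statistics.fmean(gaps)
    return mean, statistics.pstdev(gaps) / mean


if __name__ == "__main__":
    for p in (0.1, 0.5, 0.9):
        mean, cv = mean_and_cv(simulate_gaps(n=8, p=p, lam=0.5, real_changes=20000))
        print(f"p={p}: simulated mean {mean:.3f}, "
              f"formula {expected_mean_gap(8, p, 0.5):.3f}, cv {cv:.3f}")
```

The coefficient of variation near 1 is consistent with the gaps being exponentially distributed, and the runs with p = 0.1 and p = 0.9 show the longer time to a pseudonym change noted on the slide.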

37 / 40 Temporary Pseudonyms

Sidenote: It is important that no pseudonym is used more than once at a time
=> sufficiently large name space

How long should a pseudonym be used?
• Naive answer: old pseudonym becomes invalid when new one is generated
  – problem: concurrency of “create-delete” can unveil movement profile
• Better: give pseudonym a time-to-live (TTL)
  – TTL starts when user receives new pseudonym
  – this way a user always has several pseudonyms to choose from
  – make duration of TTL exponentially distributed (memoryless!)

[Figure: timeline t with pseudonyms PS1, PS2 and PS3; creation of a new pseudonym with mean spacing 1/λn; TTL(PS1) and TTL(PS2) overlap, so that at the marked point the user has 3 pseudonyms (PS1, PS2 and PS3)]

38 / 40 Temporary Pseudonyms

How many pseudonyms coexist under this scheme?

• initially one per user (say N users in total)

• N λn / µTTL for additional pseudonyms, whereby

– µTTL = 1 / mean duration of a TTL

– λn = 1 / mean time between two pseudonym changes of a user

If λn = µTTL then the user holds two pseudonyms on average.

Note: Temporary Pseudonyms are not implemented in GSM!

39 / 40 Summary of Security Problems in GSM

1. Security problem: Cryptoalgorithms (A3, A5, A8) are kept secret; their actual strength must thus be trusted
   Potential solution: Disclosure of all algorithms; deployment of standardised and well-known mechanisms

2. Security problem: Cryptomechanisms are symmetric; an insider can decrypt all traffic and can use services at the cost of the subscriber
   Potential solution: Deployment of asymmetric cryptoalgorithms for authentication and exchange of session keys (hybrid mechanism)

3. Security problem: Location privacy is not guaranteed against insiders
   Potential solution: Temporary Pseudonyms; Distributed Trusted Parties

4. Security problem: End-to-end encryption and authentication is not supported
   Potential solution: Appropriate mechanisms must be standardised and implemented (not discussed here)

5. Security problem: Mutual authentication is not supported (i.e. the subscriber cannot trust the identity of the network)
   Potential solution: Solutions have been proposed (not discussed here)

40 / 40 Acronyms

AUC: Authentication Center
BSC: Base Station Controller
EIR: Equipment Identity Register
GMSC: Gateway Mobile Switching Center
GSM: Global System for Mobile Communication
HLR: Home Location Register
IMEI: International Mobile Equipment Identity
IMSI: International Mobile Subscriber Identity
ISC: International Switching Center
ISDN: Integrated Services Digital Network
LAI: Location Area Identification
MS: Mobile Station
MSC: Mobile Services Switching Center
MSISDN: Mobile Subscriber ISDN Number
OMC: Operation and Maintenance Center
PLMN: Public Land Mobile Network
SIM: Subscriber Identity Module
SMS: Short Message Service
TDMA: Time Division Multiple Access
TMSI: Temporary Mobile Subscriber Identity
UMTS: Universal Mobile Telecommunication System
VLR: Visitor Location Register