15 mobile communication - i4.de · – non-public identifier stored on the subscriber identity...
Security in Communication Networks, WS‘00/01
15. Security in Mobile Communication

1 / 40 Contents
Security in Mobile Communication
• Security Problems Unique to Wireless Communication
• Security in GSM
  → GSM System Overview
  → Security Functions of GSM
  → Protecting the Subscriber’s Identity
  → Location Privacy
• UMTS Security Advances Compared to GSM
  → February 12th 2001: Guest Talk by Dr. Stefan Pütz (T-Mobil)

2 / 40 Security Problems Unique To Wireless Communication
Wireless communication (i.e. radio transmission) makes attacking easier:
• eavesdropping on communication is simple
• no access to special locations is required
• impersonating a registered user is relatively simple
Analogue systems suffered from these problems in the 80’s
• GSM and Wireless LAN (IEEE 802.11, used by MoPS) face similar problems
• security in 802.11 systems not mature
• focus will be on the complex GSM system.
Major goals of wireless security:
1. Protect network against unauthorised access
2. Protect user from fraudulent impersonations
3. Protect user’s privacy

3 / 40 GSM - Common Architecture
[Figure: GSM architecture with EIR, AUC, HLR, VLR, OMC, MSC, GMSC, ISC and two BSCs, connected to the international PLMN and to PSTN/ISDN]
AUC: Authentication Center
BSC: Base Station Controller
EIR: Equipment Identity Register
GMSC: Gateway Mobile Switching Center
MSC: Mobile Services Switching Center
ISC: International Switching Center
OMC: Operation and Maintenance Center

4 / 40 Addresses and Identifiers in GSM (1)
• International Mobile Station Equipment Identity (IMEI)
  – serial number that uniquely identifies mobile equipment internationally
  – stored in the Equipment Identity Register (EIR)
  [Figure: IMEI fields: Type Approval, Final Assembly, Serial Number, Spare (field lengths given in decimal digits)]
• Mobile Subscriber ISDN Number (MSISDN)
  – "real telephone number" of a subscriber
  [Figure: MSISDN fields: Country Code, Nat. Dest. Code, Subscriber Number (max. 10 decimal digits)]

5 / 40 Addresses and Identifiers in GSM (2)
• International Mobile Subscriber Identity (IMSI)
  – non-public identifier stored on the Subscriber Identity Module to identify a subscriber within the network
  – separation of MSISDN and IMSI protects confidentiality, as IMSI is not public and therefore faking of a false identity is more difficult
  [Figure: IMSI fields: Mobile Country, Mobile Network, Mobile Subscriber Identification Number (max. 10 decimal digits)]
• Location Area Identity (LAI)
  – internationally unique address that denotes a location area
  [Figure: LAI fields: Country Code, Network Code, Location Area Code (max. 5 decimal digits)]

6 / 40 Addresses and Identifiers in GSM (3)
• Temporary Mobile Subscriber Identity (TMSI)
  – is only assigned during the mobile's presence in the area of one VLR, and can be changed during this period (ID hopping)
  – it is used in place of the IMSI for the identification and addressing of the mobile station
  – thus, nobody can determine the identity of the subscriber by listening to the radio channel
  – together with the LAI, the TMSI replaces the IMSI and is used to identify a subscriber
  – operator specific format; up to 4x8 bits

7 / 40 Location Management - Introduction
• a location area represents the smallest unit for which the network maintains the current position of a user
• it consists of a number of cells
• in case of an incoming call
  – the current location area of the subscriber can be determined by a database request
  – the user is paged in all cells within his location area by broadcasting his TMSI on a dedicated broadcast channel that is sensed by all terminals
  – after receiving the subscriber's TMSI, the mobile sends a response message
• location area concept represents a compromise between permanently keeping track of a subscriber's position on a cell basis (large amount of signalling traffic due to frequent location updates) and paging him in all cells of the network (large amount of paging costs)

8 / 40 Private Data Created by the User (1)
Private data created by a user in a mobile cellular network:
1. The identity of the user, the serial number of the mobile phone and location data are transmitted to the network internal databases
2. To check the reachability of the mobile phone, the stored location data is updated from time to time (periodic location update)

network carrier   country       periodic location update time constant
D1                Germany       6 hours
D2                Germany       4 hours
E+                Germany       12 hours
ITINERIS          France        6 minutes
MERCURY           England       30 minutes to 4 hours
SPRINT            USA           30 minutes
SWISSCOM          Switzerland   2 hours
see http://www.ii-mel.com/interception/mobile_tracegb.htm

9 / 40 Private Data Created by the User (2)
In addition, locations of mobile users are backed up, although there is no reason to store a history of locations from the technical point of view

network carrier   country
D1                Germany
D2                Germany
E+                Germany
ITINERIS          France
SFR               France
SPRINT            USA
SWISSCOM          Switzerland
periodic location update time constant (column values as listed): -, 2 days, 2 days, -, 15 days, 7 days
see http://www.ii-mel.com/interception/mobile_tracegb.htm

3. Each attempted call to a mobile phone is logged and stored by the network
4. The implemented security protocols can be "broken" as a result of implementation weakness

10 / 40 Security functions of GSM
• Subscriber Identity Module
  – access control by means of a smart card called subscriber identity module (SIM) and a personal identification number (PIN)
• Subscriber Authentication
  – authentication of the users towards the network carrier and generation of a session key in order to prevent abuse
• Encryption of User Data
  – encryption of communication on the radio interface, i.e. between mobile station and base station
• Protection of Subscriber Identity
  – concealing the user's identity on the radio interface, i.e. the TMSI is used for the identification of a mobile user instead of the IMSI

11 / 40 Subscriber Identity Module
• is in form of a credit card which is portable and therefore transferable between mobile stations
• distinction between terminal mobility and personal mobility
  – terminal mobility: the user can register into the locally available network with his SIM
  – personal mobility: the SIM-card can be deployed in different mobile stations and can even be used as a telephone card in the fixed telephone network (not installed by German operators)
• stores the following security-related data:
  – International Mobile Subscriber Identity (IMSI)
  – Subscriber Authentication Key
  – PIN
  – Temporary Mobile Subscriber Identity (TMSI)
  – Location Area Identifier (LAI)
• additionally stores user-related data like short messages and telephone books

12 / 40 Cryptographic Algorithms Used By GSM
GSM defines three algorithms A3, A5 and A8
Details:
• A3
  – used for authentication
  – not specified in standard; can be chosen independently by each operator
• A5
  – used for encryption
  – specified at international level to enable roaming
• A8
  – used for key management
  – not specified in standard; can be chosen independently by each operator
All algorithms are kept secret!
No other Ax algorithms - A1, A2, etc. were place-holders during GSM design

13 / 40 Subscriber Authentication (1)
• authentication is necessary during
  – location registration
  – location update with change of the VLR
  – call setup
  – sending a short message (SMS)
• the process of authentication is based on a subscriber authentication key, the A3-algorithm and a random number
• Subscriber Authentication Key is stored on the SIM
• on the network side, the subscriber authentication key is stored in the AUC
• the random value cannot be predetermined and therefore, recording the channel transmission and playing it back cannot be used to fake an identity

14 / 40 Subscriber Authentication (2)
[Figure: Subscriber authentication between Mobile Station and Network. On both sides A3 takes the Subscriber Authentication Key (128 Bit) and Random (128 Bit) and produces the Signature Response (32 Bit); the two Signature Responses are compared (=). Also shown: IMSI.]

15 / 40 Generation of the Cipher Key (1)
• a cipher key is used in the algorithm A5 for the symmetric encryption of user and signalling data
• it is generated at each side using the generator algorithm A8 and a random number
• at the network side, the values of the cipher key are calculated in the AUC/HLR simultaneously with the signature response (see Subscriber Authentication)
• the 3-tuples (random number, signature response, cipher key) are stored at the AUC/HLR and supplied on demand, if the subscriber authentication key is only known to the HLR
• otherwise, i.e. if the VLR has access to the subscriber authentication key, the cipher key can be calculated directly by the VLR

16 / 40 Generation of the Cipher Key (2)
[Figure: Cipher key generation at Mobile Station and Network. On both sides A8 takes the Subscriber Authentication Key (128 Bit) and Random (128 Bit) and produces the Cipher Key (64 Bit). Also shown: IMSI.]

17 / 40 Symmetric Encryption of User Data (1)
[Figure: processing chain: Block coding, convolutional coding, interleaving → User data encryption → Burst building → Differential coding and modulation → Transceiver]
• encryption of transmitted data is a special characteristic of GSM and distinguishes GSM from analogue cellular and ISDN networks
• transmitting side: encryption after channel coding and interleaving
• receiving side: decryption directly follows the demodulation of the data stream
– block coding: generates the parity bit for a block of data thus allowing the detection of errors in this block
– convolutional coding: calculation of additional redundancy for error correction to correct errors caused by the radio channel
– interleaving: distribution of code words by spreading in time and merging them across several bursts for transmission (achieves better error correction results)
– burst building: each interleaving block (114 bit) is mapped onto a burst
– differential coding and modulation: coding the bursts for transmission over the air interface

18 / 40 Symmetric Encryption of User Data (2)
[Figure: Symmetric encryption at Mobile Station and Network. On both sides A5 takes the Cipher Key (64 Bit) and the TDMA Frame Number (22 Bit) and produces a key block (114 Bit), which is combined with the plain text (114 Bit, after interleaving). Messages shown: Ciphering Mode Command, ciphered message. Caption: encrypted within the radio part of the transmission path]

19 / 40 Symmetric Encryption of User Data (3)
[Figure: Ciphering and deciphering. On each side A5 derives the Key Flow from the cipher key and the frame number; the Key Flow is combined bitwise with the User Data Flow; both sides are linked by Synchronization]
• Signalling and user data are encrypted together; for dedicated signalling channels the same method is used as for traffic channels
• ciphering uses a bit stream which is added bitwise to the data to be enciphered (similar to a one-way key)
• deciphering consists of performing an EXCLUSIVE OR of the enciphered data stream with the ciphering stream
• to synchronise, the deciphering mechanism has to be started at precisely the correct moment!
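
The authentication, cipher key generation and ciphering steps of slides 13 to 19, put together as an added Python example that is not part of the original lecture. The slides do not publish A3, A8 or A5, so HMAC-SHA256 truncated to the stated widths stands in for all three; the class and function names and the test IMSI are assumptions.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stand-in; NOT the real A3/A8/A5, which the slides keep secret.
    return hmac.new(key, label + data, hashlib.sha256).digest()

def a3(ki: bytes, rand: bytes) -> bytes:
    """Signature response (32 bit) from Ki (128 bit) and RAND (128 bit)."""
    return _prf(ki, b"A3", rand)[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Cipher key (64 bit) from the same Ki and RAND."""
    return _prf(ki, b"A8", rand)[:8]

def a5_key_block(kc: bytes, frame_number: int) -> int:
    """114-bit key block for one burst from Kc and the 22-bit TDMA frame number."""
    if not 0 <= frame_number < 1 << 22:
        raise ValueError("TDMA frame number must fit in 22 bits")
    digest = _prf(kc, b"A5", frame_number.to_bytes(3, "big"))
    return int.from_bytes(digest, "big") >> (256 - 114)

def cipher_burst(kc: bytes, frame_number: int, burst: int) -> int:
    """Bitwise XOR with the key block; the same call enciphers and deciphers."""
    return burst ^ a5_key_block(kc, frame_number)

class AuthenticationCentre:
    """Network side (AUC/HLR): stores Ki per IMSI and issues 3-tuples."""
    def __init__(self) -> None:
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(16)
        return self._ki[imsi]  # written to the SIM once, never sent over the air

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)  # fresh challenge that cannot be predetermined
        ki = self._ki[imsi]
        return rand, a3(ki, rand), a8(ki, rand)

class Sim:
    """Mobile side: Ki stays on the card, only SRES and Kc leave it."""
    def __init__(self, ki: bytes) -> None:
        self._ki = ki

    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)

def run_session() -> dict:
    auc = AuthenticationCentre()
    imsi = "001010123456789"  # constructed test IMSI
    sim = Sim(auc.provision(imsi))
    rand, sres_expected, kc_net = auc.triplet(imsi)
    sres, kc_ms = sim.respond(rand)
    # A recorded SRES is later checked against the next, different challenge.
    _, sres_next, _ = auc.triplet(imsi)
    burst = secrets.randbits(114)  # one interleaving block
    ciphered = cipher_burst(kc_ms, 1234, burst)
    return {
        "authenticated": hmac.compare_digest(sres, sres_expected),
        "replay_accepted": hmac.compare_digest(sres, sres_next),
        "same_cipher_key": kc_ms == kc_net,
        "deciphered": cipher_burst(kc_net, 1234, ciphered) == burst,
        "wrong_frame_deciphers": cipher_burst(kc_net, 1235, ciphered) == burst,
    }

if __name__ == "__main__":
    print(run_session())
```

The last entry shows why synchronisation matters: a receiver that applies the key block of a neighbouring frame number does not recover the burst.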

20 / 40 Protection of Subscriber Identity (1)
Purpose
• prevents disclosing which subscriber is using which resources in the network
• ensures the confidentiality of user data and signalling traffic
• prevents localising and tracking of a mobile station
Realisation
• transmitting the IMSI unencrypted should be avoided
• instead of the IMSI, the TMSI is used on the radio channel for identification purposes
• the TMSI is temporary and is only valid within the coverage area of the current VLR
• the subscriber can only be uniquely identified by using the TMSI in combination with the LAI
• the association between IMSI and TMSI is stored in the VLR

21 / 40 Protection of Subscriber Identity (2)
[Figure: Procedure for establishing a new TMSI (Mobile Station and Network). Messages and steps shown: LAIold, TMSIold; TMSIold unknown; Identity Request; Identity Response (IMSI); Authentication; Assign and store TMSInew; TMSI Reallocation Command with TMSInew (encrypted); store TMSInew; TMSI Reallocation Complete; remove TMSIold. A5 with the cipher key is applied on both sides. Annotations: "only necessary if TMSIold is lost", "unencrypted!"]

22 / 40 Protection of Subscriber Identity (3)
• algorithm for generating the TMSI is determined by the network operator and is not subject to standardisation
• subscriber identity is protected against eavesdropping in two ways:
  – the temporary TMSI is used on the radio channel instead of the IMSI
  – each new TMSI is transmitted in encrypted form
• in case of database failures (loss of TMSI, TMSI unknown at VLR, etc.), the IMSI must be transmitted as clear text before encryption is turned on

23 / 40 Interaction of GSM Security Mechanisms
[Figure: Interaction of the GSM security mechanisms between Mobile Station and Network. Messages shown: Location Updating Request (TMSI old, LAI old); Authentication Request (RAND); Authentication Response (SRES); Ciphering Mode Command; Ciphering Mode Complete; TMSI Reallocation Command; Location Updating Accept; TMSI Reallocation Complete. The mobile station holds Ki, IMSI, TMSI and derives SRES and the cipher key with A3+A8; the network holds Ki, IMSI, TMSI, RAND, SRES and compares (=) the auth. result. Phases marked: challenge-response authentication, encrypted communication (A5 on both sides)]

24 / 40 Location Privacy
Remaining problem:
The subscriber’s movement profile is still known to the provider!
Required:
A method for concealing subscriber’s current position (as long as terminal is ready for communication but not actually engaged in a call)
Proposed solution (Kesdogan):
• Address subscriber by pseudonym and not „real“ number (A pseudonym is e.g. a 100 digit random number)
• Management of pseudonyms in HTD (Home Trusted Device)
• HTD is a party trusted by all participants
• HTD should be able to handle a large number of pseudonyms

25 / 40 Location Privacy
Procedure:
1. Incoming call for subscriber Mr. X
2. Request at GMSC and HLR: where is Mr. X?
3. GMSC asks Home Trusted Device (HTD)
4. HTD returns current pseudonym of Mr. X
5. Subscriber can be found via pseudonym
In effect:
• Network provider knows that there are „certain users“ in the network with „certain pseudonyms“
• Provider also knows current LA of pseudonym
• Provider DOES NOT KNOW who is hidden behind pseudonyms

26 / 40 Temporary Pseudonyms
Requirement:
• Pseudonyms have to be changed „frequently“ => „temporary pseudonyms“ (TP)
• Pseudonym changes must be conducted synchronously in MS and HTD
  – pseudo random number generator (PRG) with a common generator seed
  – PRGs determine time for next change
• Practical problem: clock drift
  – use time signal of GPS
  – radio controlled clock
  – synchronise during calls
[Figure: the MS computes TP := PRG(seed,t) from the time t; the HTD maps MSISDN→TP := PRG(seed,t) from the same time t; the HLR stores TP→VLR and the VLR stores TP→LA]

27 / 40 Temporary Pseudonyms
WHEN should pseudonyms be changed?
Answer:
time differences should be exponentially distributed
Exponential distribution has property of being „memoryless“, i.e. time since last change holds no information on time to next change
[Figure: timeline t. After an event the mean time to next event is 1/λ; after an interval in which nothing happens the mean time to next event is also 1/λ]

28 / 40 Temporary Pseudonyms
Problems with „temporary pseudonyms“
• Passive attacks (i.e. just wait until subscriber makes a call)
  – when call is established pseudonymity is lost => pseudonyms should be changed rather often
• Active attacks
  – fake call of provider to find out:
    · who is currently hiding behind a pseudonym
    · which pseudonym is currently used by a specific user
  – this could at least be monitored by keeping a logfile
• HTD-Management
  – what happens when HTD is down? (central point of failure)
research is ongoing to resolve this

29 / 40 Temporary Pseudonyms with Distributed Trusted Parties
Sensible:
One large, redundant HTD used by many providers (a so-called „Trusted Third Party“)
What happens when Trusted Party is corrupted?
“Solution” (without considering cost!):
„Distributed Trusted Party“ (DTP): divide trusted party in several dependent parts DTP1, ... , DTPn
Pseudonyms are produced jointly by all DTPi:
– Underlying assumption: even corrupt DTPs will do correct algorithmic operations (or will at least be detected very soon)
– However: we cannot guarantee that all DTP’s are not corrupt
– DTPs could tell secrets to “malicious network providers”

30 / 40 Temporary Pseudonyms with Distributed Trusted Parties
DTPi stores: <MSr, PRGstart<r>, TPi(MSr)>   ( i = 1, 2, .. , n )
– MSr: Address of Mobile Station r
– PRGstart<r>: Returns seed for PRG of DTPi, as well as times t0<r>, t1<r>, t2<r>, .. for pseudonym change
– TPi(MSr): Component of MSr’s temporary pseudonym which is provided by DTPi
Aggregate pseudonym: TP(MSr) = ⊕_{i=1}^{n} TPi(MSr)
Thus a single DTPi (or even n-1 DTPi’s) cannot determine the new pseudonym

31 / 40 Distributed Trusted Party Signalling Example
[Figure: signalling between GMSC, an XOR unit and DTP1, DTP2, DTP3, DTP4, with steps numbered 1 to 5. Labels shown: Incoming call for MS (identified by MSISDN); TP(MSISDN) ?; MSISDN→TP1, MSISDN→TP2, MSISDN→TP3, MSISDN→TP4; TP := TP1 ⊕ TP2 ⊕ TP3 ⊕ TP4; Send Routing Info (TP)]
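
The aggregate pseudonym of slides 30 and 31 as an added Python example, not part of the original lecture: each DTPi derives its component with PRG(seed, t), the GMSC XORs the answers, and the mobile station arrives at the same value without signalling. HMAC-SHA256 stands in for the PRG, t is taken to be a change counter, and the 128-bit width, the class and function names and the MSISDN are assumptions.

```python
import hashlib
import hmac
import secrets
from functools import reduce

TP_BITS = 128  # assumed pseudonym width; the slides only ask for a large name space

def prg(seed: bytes, t: int) -> int:
    """Stand-in for PRG(seed, t): HMAC-SHA256 over the change counter t."""
    digest = hmac.new(seed, t.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - TP_BITS)

def xor_all(parts) -> int:
    return reduce(lambda a, b: a ^ b, parts, 0)

class DistributedTrustedParty:
    """DTPi: stores the seed per mobile station and returns only its own TPi."""
    def __init__(self) -> None:
        self._seed_by_msisdn = {}

    def register(self, msisdn: str, seed: bytes) -> None:
        self._seed_by_msisdn[msisdn] = seed

    def partial_pseudonym(self, msisdn: str, t: int) -> int:
        return prg(self._seed_by_msisdn[msisdn], t)

class MobileStation:
    """Shares one seed with each DTP, so it can compute TP on its own."""
    def __init__(self, msisdn: str, dtps) -> None:
        self.msisdn = msisdn
        self._seeds = [secrets.token_bytes(16) for _ in dtps]
        for dtp, seed in zip(dtps, self._seeds):
            dtp.register(msisdn, seed)

    def pseudonym(self, t: int) -> int:
        return xor_all(prg(seed, t) for seed in self._seeds)

def gmsc_resolve(dtps, msisdn: str, t: int) -> int:
    """GMSC side of the signalling example: ask every DTPi, XOR the answers."""
    return xor_all(dtp.partial_pseudonym(msisdn, t) for dtp in dtps)

def share_needed_for(candidate_tp: int, known_parts) -> int:
    """The one missing component that would make candidate_tp the aggregate."""
    return candidate_tp ^ xor_all(known_parts)

def demo(n: int = 4, t: int = 7):
    dtps = [DistributedTrustedParty() for _ in range(n)]
    ms = MobileStation("+491700000000", dtps)  # constructed MSISDN
    # View of n-1 DTPs that pool their components: the last one is missing.
    known = [d.partial_pseudonym(ms.msisdn, t) for d in dtps[:-1]]
    guesses = [secrets.randbits(TP_BITS) for _ in range(3)]
    # Every guess is explained by exactly one value of the missing component,
    # so the pooled n-1 components do not single out the real pseudonym.
    explained = all(
        xor_all(known + [share_needed_for(g, known)]) == g for g in guesses
    )
    in_sync = ms.pseudonym(t) == gmsc_resolve(dtps, ms.msisdn, t)
    return in_sync, explained

if __name__ == "__main__":
    print(demo())
```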

32 / 40 Temporary Pseudonyms with Distributed Trusted Parties
Problems:
• Costs
• Reliability: what happens if DTPi becomes unavailable?
• What happens when DTPs are corrupt? (At least one must be trustworthy)
Additional problem with corrupted DTP:
[Figure: Pseudonym change in corrupted DTP → DTP tells malicious network provider about change → Concurrent change of pseudonym in LA → Network provider can now map pseudonym to subscriber]
Threat by cooperation between:
• corrupted DTPi
• malicious network provider

33 / 40 Temporary Pseudonyms with Distributed Trusted Parties
Possible “solutions” for problem of corrupted DTPs:
1. All subscribers simultaneously change their pseudonyms (not possible due to enormously high signalling load.)
2. All subscribers of a „class“ change pseudonyms simultaneously
   – number of classes must be large enough, such that the number of subscribers per class is low enough for the net to handle a class-change
   – number of classes must be low enough to have a sufficient number of subscribers per class, so that no information can be gained concerning a single subscriber
3. Play off DTPs against each other

34 / 40 Synchronised Pseudonyms
User divides DTPs in 2 parts, w.l.o.g.:
[Figure: first part DTP1, DTP2, ..., DTPn/2; second part DTPn/2+1, DTPn/2+2, ..., DTPn]
• Idea: Prevent a party from predicting that a change of its partial pseudonym actually yields change of total pseudonym
• Additional value pi per DTPi: determines probability for an actual change in pseudonym
• Additional PRG2 per DTPi: generates random value which is compared to pi
• Only user knows which parties are synchronised (i.e. which parties share same seeds for PRG1)
Idea: contributions of DTP1 and DTPn/2+1 are very often the same; thus they cancel each other out due to XOR-operation. Therefore it doesn’t say a lot when DTP1 announces partial pseudonym...

35 / 40 Synchronised Pseudonyms
PRG2 determines uj(i) ∈ [0;1[ (uniformly distributed)
uj(i) < pi => propagate new partial pseudonym
uj(i) ≥ pi => no change
• Each time partial pseudonym is generated by DTPi the partner DTPn/2+i generates the same partial pseudonym
• User only accepts new pseudonym if both partners yield different results!
[Figure: timeline for DTPi. Times for change of partial pseudonym t1(i), t2(i), t3(i), using PRG1; at the same time uj(i) is determined: u1(i), u2(i), u3(i), using PRG2]
Thus, the partial pseudonym is changed with prob. pi
Telling t1(i), t2(i), ... to malicious provider would give valuable information.
But: u1(i), u2(i), ... “hide” information.

36 / 40 Synchronised Pseudonyms
Determining time for change of total pseudonym becomes impossible, since DTPi (hopefully!) does not know who its partner is.
It can easily be shown:
• if all pi have same value p = pi
• if n is number of DTPs
• and if time between two possible changes is exponentially distributed with parameter λ (i.e. mean time between arrivals is 1/λ)
THEN:
• Time between two “real” changes of total pseudonym is exp. distr. with parameter p (1-p) n λ.
• Mean time between change: 1 / (p (1-p) n λ)
  – long time to pseudonym change, when p either very small or very big
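
A numerical check of the p (1-p) n λ result, as an added Python example that is not part of the original lecture. It assumes that the two partners of a pair share their possible change times (same PRG1 seed), draw their u values independently (PRG2), and that the total pseudonym really changes when exactly one of them propagates; Python's random module stands in for PRG1 and PRG2, and the function names are assumptions.

```python
import random

def predicted_mean_gap(n: int, lam: float, p: float) -> float:
    """Mean time between real changes according to the slide: 1 / (p (1-p) n lam)."""
    return 1.0 / (p * (1.0 - p) * n * lam)

def simulate_real_changes(n: int, lam: float, p: float, horizon: float,
                          seed: int = 2001) -> list:
    """Times in [0, horizon] at which the total pseudonym really changes."""
    rng = random.Random(seed)
    changes = []
    for _pair in range(n // 2):          # (DTPi, DTPn/2+i) share PRG1
        t = rng.expovariate(lam)         # next possible change of this pair
        while t <= horizon:
            dtp_propagates = rng.random() < p      # u_j(i) < p at DTPi
            partner_propagates = rng.random() < p  # independent draw at the partner
            # Both or neither: the two contributions still cancel under XOR.
            if dtp_propagates != partner_propagates:
                changes.append(t)
            t += rng.expovariate(lam)
    changes.sort()
    return changes

def gap_stats(changes: list):
    """Mean gap and coefficient of variation (1.0 for an exponential law)."""
    gaps = [b - a for a, b in zip(changes, changes[1:])]
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / (len(gaps) - 1)
    return mean, (var ** 0.5) / mean

def compare(n: int = 8, lam: float = 1.0, horizon: float = 20000.0) -> list:
    """(p, predicted mean gap, simulated mean gap, simulated CV) per p."""
    rows = []
    for p in (0.05, 0.3, 0.5, 0.95):
        mean, cv = gap_stats(simulate_real_changes(n, lam, p, horizon))
        rows.append((p, predicted_mean_gap(n, lam, p), mean, cv))
    return rows

if __name__ == "__main__":
    for p, predicted, simulated, cv in compare():
        print(f"p={p:4.2f} predicted={predicted:6.3f} "
              f"simulated={simulated:6.3f} cv={cv:5.3f}")
```

The rows for p = 0.05 and p = 0.95 show the long waiting times the slide warns about, while p = 0.5 gives the shortest mean time between real changes.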

37 / 40 Temporary Pseudonyms
Sidenote: It is important that no pseudonym is used more than once at a time => sufficiently large name space
How long should a pseudonym be used?
• Naive answer: old pseudonym becomes invalid when new one is generated
  – problem: concurrency of “create-delete” can unveil movement profile
• Better: give pseudonym a time-to-live (TTL)
  – TTL starts when user receives new pseudonym
  – this way a user always has several pseudonyms to choose from
  – make duration of TTL exponentially distributed (memoryless!)
[Figure: timeline t showing the creation of new pseudonyms PS1, PS2, PS3 with spacing 1/λn and the lifetimes TTL(PS1), TTL(PS2). At this point the user has 3 pseudonyms! (PS1, PS2 and PS3)]

38 / 40 Temporary Pseudonyms
How many pseudonyms coexist under this scheme?
• initially one per user (say N users in total)
• N λn / µTTL for additional pseudonyms, whereby
  – µTTL = 1 / mean duration of a TTL
  – λn = 1 / mean time between two pseudonym changes of a user
If λn = µTTL then the user holds two pseudonyms on average.
Note: Temporary Pseudonyms are not implemented in GSM!

39 / 40 Summary of Security Problems in GSM
1. Security problem: Cryptoalgorithms (A3, A5, A8) are kept secret; their actual strength must thus be trusted
   Potential solution: Disclosure of all algorithms; deployment of standardised and well-known mechanisms
2. Security problem: Cryptomechanisms are symmetric; an insider can decrypt all traffic and can use services at the cost of the subscriber
   Potential solution: Deployment of asymmetric cryptoalgorithms for authentication and exchange of session keys (hybrid mechanism)
3. Security problem: Location privacy is not guaranteed against insiders
   Potential solution: Temporary Pseudonyms; Distributed Trusted Parties
4. Security problem: End-to-end encryption and authentication is not supported
   Potential solution: Appropriate mechanisms must be standardised and implemented (not discussed here)
5. Security problem: Mutual authentication is not supported (i.e. the subscriber cannot trust the identity of the network)
   Potential solution: Solutions have been proposed (not discussed here)

40 / 40 Acronyms
AUC: Authentication Center
BSC: Base Station Controller
EIR: Equipment Identity Register
GMSC: Gateway Mobile Switching Center
GSM: Global System for Mobile Communication
HLR: Home Location Register
IMEI: International Mobile Equipment Identity
IMSI: International Mobile Subscriber Identity
ISC: International Switching Center
ISDN: Integrated Services Digital Network
LAI: Location Area Identification
MS: Mobile Station
MSC: Mobile Services Switching Center
MSISDN: Mobile Subscriber ISDN Number
OMC: Operation and Maintenance Center
PLMN: Public Land Mobile Network
SIM: Subscriber Identity Module
SMS: Short Message Service
TDMA: Time Division Multiple Access
TMSI: Temporary Mobile Subscriber Identity
UMTS: Universal Mobile Telecommunication System
VLR: Visitor Location Register