Network Security Security in Traditional Wireless Networks 1
Network Security
Chapter 6. Security in Traditional Wireless Networks
Network Security Security in Traditional Wireless Networks 2
Security in First Generation TWNs
Security in Second Generation TWNs
Security in 2.5 Generation TWNs
Security in 3G TWNs
Summary
Objectives
Network Security Security in Traditional Wireless Networks 3
To the designer, they had too many other problems before security became a priority.
Since AMPS radio interface was analog and AMPS used no encryption.
Authentication–Mobile station sends ESN(Electronic Serial Number) to MTSO in clear text over the air interface.
–Eavesdrop on cellular telephone conversation
–Can capture valid ESN cloning.
Security in 1G TWNs
Network Security Security in Traditional Wireless Networks 5
Security in 2G TWNs
use digital system
Beyond the BTS is considered a controlled environment.
Aims to secure only the access network(MS/MEBTS).
Network Security Security in Traditional Wireless Networks 6
IMSI(International Mobile Subscriber Identity)–MS inform the network about IMSI’s new location when it crosses a cell boundary.
–this allows the network to route an incoming call to the correct cell.
–If eavesdropper can capture the IMSI over the air, they can determine the identity of the subscriber and their location.
TMSI(temporary mobile Subscriber Identity)–When a ISIM has authenticated with the network, the VLR allocate a TMSI to the scriber.
– GSM protects against subscriber traceability by using TMIS.
–Has only local significance.
–IMSI-TMSI mapping is maintained in VLR/MSC
–When it is switched off, the mobile station stores the TMSI on the SIM card to make sure it is available when it is switched on again,
Anonymity in GSM
Network Security Security in Traditional Wireless Networks 8
No key establishment protocol in the GSM security architecture model.
Use 128-bit pre-shared key Ki
Stored in SIM and AuC
Key Establishment in GSM
Network Security Security in Traditional Wireless Networks 9
Authentication in GSM
(1) MS BTS : sign-on msg {IMSI or TMSI} .
(2) MSC HLR : request 5 triplets { RAND, SRES, Kc}
(3) HLR MSC : send 5 triplets
(4) MSC MS : RAND
(5) MS MTS: SRES
(6) authenticated!! BSC-MSC-HLR channels are assumed to be secure
Network Security Security in Traditional Wireless Networks 10
Why 5 triplets request?
To improve roaming performance.
Instead of contacting the HLR for security triplets each time a ME roams into its coverage, the MSC gets five set of triplets : one for the current authentication process and four for future use.
Authentication in GSM
Network Security Security in Traditional Wireless Networks 11
Authentication and ciphering information transmission
Network Security Security in Traditional Wireless Networks 12
Session Key Kc Generation
A8
Ki(128 bit), RAND(128bit)
Kc (64 bits : appened with10 zeros)
Network Security Security in Traditional Wireless Networks 13
GSM : assume the core network beyond the BSC is secure.
–BTS BSC link is not part of core.
–GSM does not specify how to this link need to be connected.
–In practice, connected by microwave.
–susceptible to attacks.
Protection against equipment theft.–Authenticate SIM card and not the subscriber of the SIM card.
–When a ME was stolen, the user of the ME reports it to the service provider.
–The service provider maintain the compromised SIM card.
Authentication
Network Security Security in Traditional Wireless Networks 14
Provide confidentiality over the wireless(ME-BTS) interface.
A5 : GSM standard stream-ciphering algorithm.
–A5/0 – unencrypted,
–A5/1 (54 bit) – original, used by countries members of CEPT
(CEPT: European Conference of Post and Telecommunication Administrations)
–A5/2 (16 bit)– countries of non CEPT members.
–A5/3 – for 3G
–Implemented in hardware of ME.
–Kc : encryption key.
Confidentiality in GSM
Network Security Security in Traditional Wireless Networks 15
What’s wrong with GSM Security?
No provision for any integrity protection of data and message.
–Open to man-in-the-middle attack.
Only securing the ME-BTS interface.– BTS-BSC interface is not cryptographically protected.
–Sometimes this link is wireless attractive target for attacks.
Cipher algorithms(A5 family) are not published along with the SGM standards. does not allow public review.
Small key length - Kc : 64bits (54bits + 10 zeros)–Big enough to protect against real-time attack, but weak to off-line attack.
–GSM security architecture is inflexible - difficult to replace.
Network Security Security in Traditional Wireless Networks 16
SIM cloning – recover Ki from SIM card
–Chosen plaintext attack – (RAND, SRES) pair, 8 adaptively chosen plaintexts within a minute.
–Recover Ki using differential cryptanalysis or side channel attack.
–(1)Physical access to SIM card and communicate with SIM through smartcard reader.
•Recover in a matter of few hours.
–(2)Wireless contact over the air interface.
•Must be capable of masquerading as a rouge BTS
•ME is moving, not enough time to collect enough (chosen-plaintext, cipher text) pairs
What’s wrong with GSM Security?
Network Security Security in Traditional Wireless Networks 17
SIM cloning (continue)
–(3)Attempt to have the AuC generate the SRES of given RANDs
instead of using the SIM.
•Exploits the lack of security in the SS7 signaling network.
•Core signaling network is not cryptographically protected and incoming
messages are not verified for authenticity.
•So possible to use the AuC to generate SRESs for chosen RANDs
What’s wrong with GSM Security
Network Security Security in Traditional Wireless Networks 18
Clear transmission of cipher keys and Authentication values within and between networks
–Signaling system vulnerable to interception and impersonation.
One way authentication : no network authentication.–Attacker masquerade as BTS and hijack the ME.
Service provider can choose null encryption(A5/0)–ME is allowed to connect to.
What’s wrong with GSM Security?
Network Security Security in Traditional Wireless Networks 20
Security in 2.5G(GPRS) TWNs
For data service : allocate multiple time slotsEncryption/decryption : MSSGSN
−Protect link between BTS-SGSN
Network Security Security in Traditional Wireless Networks 21
GPRS Authentication and Key Derivation
Network Security Security in Traditional Wireless Networks 22
GPSR – provide ME to connect to internet.
End-to-end security is required.
HTTP/HTML is not optimized to ME(CPU-power, screen, bandwidth, memory)
WAP(Wireless Application Protocol)
Network Security Security in Traditional Wireless Networks 23
WAP(Wireless Application Protocol)
• WAP Gateway : WTP/WML HTTP/HTML• WTLS(Wireless Transport Layer Security) :
• provide end-to-end security
• similar to TLS
Network Security Security in Traditional Wireless Networks 24
ME in GPRS can download and run applets.
Malicious applet can harm the ME.
Applets are signed by CAs.–Before executing the applet, the subscriber can be informed of CA which has signed the applet.
–If the subscriber trusts that CA, they can allow the applet be executed on their applet.
Code Security
Network Security Security in Traditional Wireless Networks 26
UMTS(Universal Mobile telecommunications System)
Security Architecture
–Designed using the GSM Security as the starting point
–Adopt the GSM features that have proved to be secure
–Redesign the features that have been found to be weak.
–To ensure interoperability between GSM and UMTS.
Security in 3G TWNs
Network Security Security in Traditional Wireless Networks 29
Anonymity in UMTS Chicken and egg situation
–First ME identify(its IMSI) to the network.
–TMSI allocation should be performed after initiation of ciphering to ensure TMSI protection
–Ciphering can not start unless CK(cipher key) has been established between USIM and network.
–CK can not be established unless the network first identifies the subscriber using its IMSI.
VLRo : old VLR (previous VLR), VLRn : new VLR–ME VLRn : TMSI_old (previous one)
–VLRn VLRo : request IMSI corresponding to this TMSI
–If VLRn cannot retrieve, request ME to identify itself by its IMSI
–Now AKA starts or use a previous existing set of keys.
–Can you identify UMTS’s bottom line? See the text book.
Network Security Security in Traditional Wireless Networks 30
After completion of AKA(authentication and key
agreement) procedure, establish the KC between USIM
and network
Now assign a new TMSI to the ME
SQN(sequence number) : can be exploited to trace a
subscriber.
–Network maintains a per-subscriber SQN
–Need to be encrypted.
–AK(Anonymity key) - protect SQN to protect traceability.
AKA
Network Security Security in Traditional Wireless Networks 31
No key establishment protocol in UMTS.
128-bit pre-shared secret key Ki between USIM and AuC.
Authentication in UMTS is mutual.
Key establishment in UMTS
Network Security Security in Traditional Wireless Networks 32
Authentication in UMTS
(1) USIM VLR/MSC : sign-on
(2) VLR AuC/HLR : Auth data req.
(3) AuC VLR : Auth vectors(several
sets of Auth data)
(4) VLR select the first vector and store
the rest.
(5) VLRUSIM : RAND(128bit),
AUTN(128bit)
(6) USIM : if MAC in AUTH ?= XMAC,
SQN is in correct range ?
then authenticated.
(7) If verification is OK,
USIM VLR : RES
(8) VLR : If RES ?= XRES from AuC, then
authenticated
Network Security Security in Traditional Wireless Networks 34
UMTS Authentication Vector Generation
• AMF : authentication Management Field
Computation in HLR by VLR request (Step 2 in p.32)
Network Security Security in Traditional Wireless Networks 35
UMTS Response Generation at USIM(1) From VLR
(2) Inside of USIM
(3) Send RES to VRL
Network Security Security in Traditional Wireless Networks 36
Authentication in UMTS
After Mutual authentication has completed,
VLR and USMI establish CK, IK, AK
MILENAGE : recommended function for UMTS
Authentication.(corresponding to COMP-128)
But service provider can choose another function.
Network Security Security in Traditional Wireless Networks 37
Confidentiality in UMTS
• f8 : key stream generation algorithm KASUMI, use 128-bit session key.• Count-C (32-bit) : ciphering sequence number, updated every sequentially every
plaintext block• BARIER (5-bit) : bearer channel number• DIRECTION (1-bit): the direction of link(uplink or downlink)• LENGTH(16-bit) : length of key stream block
Network Security Security in Traditional Wireless Networks 39
Confidentiality in UMTS
Provide confidentiality to the link between ME – RNC–Include BTS-RNC link which is equivalent to BTS-BSC.
–Closing loopholes of GSM Security in BTS-BSC link.
UMTS encryption is applied to all subscriber traffic as well as signaling messages.
Network Security Security in Traditional Wireless Networks 40
GSM security did not provided integrity protection.
MUTS solve this problem using integrity key IK.
MAC-1 : attached to the message by the sender.
Integrity Protection in UMTS
• FRESH: 32-bit per connection nonce.
Network Security Security in Traditional Wireless Networks 42
Voice data integrity Protection in UMTS
Integrity protection involves a lot of overhead in terms of processing and bandwidth.
For a voice integrity, to integrity protect the number of user packets in conversation is sufficient.
Inserting, deleting or modifying words in a conversation would lead to a change in the number of packets.
In UMTS, periodically RNC send a message containing sequence number to the ME. This message is integrity protected.
Network Security Security in Traditional Wireless Networks 43
The MAC layer offers Data transfer to RLC and higher layers
The RLC(Radio Link Control) layer offers the following services to the higher layers:
–Layer 2 connection establishment/release–Transparent data transfer, i.e., no protocol overhead is appended to the information unit received from the higher layer
–Assured and un assured data transfer
The RRC(Radio Resource Control) layer offers the core network the following services:
–General control service, which is used as an information broadcast service
–Notification service, which is used for paging and notification of a selected UEs
–Dedicated control service, which is used for establishment/release of a connection and transfer of messages using the connection.
Layer in UMTS
Network Security Security in Traditional Wireless Networks 44
Putting the Pieces Together
(1) MS RNC : L2 connection
{User Encryption Algorithms(UEAs)
User Integrity Algorithms(UIAs)…}
(2) MSVRL : L3 connection Msg.(location update
req., routing update req., attach req...)
{IMIS or TMIS, Key set Identifier(KSI) for
CK,IK..,}
(3) Authentication and key generation(CK, IK)
{ new key or old key}
(4) –(11)
Network Security Security in Traditional Wireless Networks 45
Network Domain Security
• MAP(Mobile Application Part) : an SS7 protocol for UMTS.• MAPSEC : protect MAP message – In SS7 Network• KAC(Key Administration Center) establish a SA(Security
Association) with another KAC.• KACs use IKE(Internet Key Exchange) protocol.• KACs distribute SA to NEs ( key distribution )• NE use SAs to protect MAP messages.
Network Security Security in Traditional Wireless Networks 46
Network Domain Security for IP-based Network
UMTS is expected to be more closely tied to IP-based network. Replacing SS7 signaling(MAP) with IP-based signaling(like SIP)
MAP over IP for legacy networks.− SEG(Security Gateway) : establish SA with other SEG.
− Provide MAP message protection for NEs.