Security of Mobile Systems
Prof. Dr. Hannes Federrath, Sicherheit in verteilten Systemen (SVS), http://svs.informatik.uni-hamburg.de
2
Contents
§ Introduction§ SecurityfunctionsofGSM
– BasicsandarchitectureofGSM– Securityfunctions– Mobilitymanagementfunctions– Locationbasedsystems– Callmanagement
§ SecurityfunctionsoffurthermobileSystems– UMTS– Bluetooth– WLAN
§ Protectionoflocationsinmobilesystems– GSM– MobileIP
(extendedslidesetonly)
Mobile network communication vs. fixed networks
§ Users are moving / roaming
§ On air interface:
– Limited bandwidth
– Errors (bit failures, burst errors)
– Communication breaks (lost connectivity)
§ New threats
– Sniffing / eavesdropping of wireless communication
– Location finding (direction finding, sense finding)
Sensors
§ Sensors in mobile devices make new apps possible
– GPS
– WiFi
– Bluetooth
– Microphones
– Cameras
– Motion sensors
– Adapters for more sensors
• Personal: heart rate monitors
• Environmental
– Cars: CAN bus adapters
– Houses: smart meter, heater, alarm system
… and new tracking possibilities
Picture: http://blog.digifit.com/wp-content/uploads/2011/02/
Mobile communication – Classification
1. Types of Mobility
§ Terminal Mobility:
– Example: Mobile Phone
• Wireless communication
• Mobile device
§ Personal Mobility:
– Example: Public Terminals
• Mobile user
• Location-independent address
– Special kind of personal mobility: Session Mobility:
• «Session Freezing» and reactivation in another location and/or device
Mobile communication – Classification
2. Wavelengths
– Radio [waves] (f = 100 MHz up to several GHz)
– Light [waves] (infrared)
– Sonar [waves] (e.g. acoustic coupler)
3. Cell sizes
– Picocells d < 100 m
– Microcells d < 1 km
– Macrocells d < 20 km
– Hypercells d < 60 km
– Overlay cells d < 400 km
Further classifications
– Point-to-point communication, Broadcast (paging services)
– Analogue, Digital systems
– Simplex, Duplex communication channels
Examples for mobile Systems
§ Speech communication = mass market
– 1. Generation: analogue
• C-Netz, Cordless Telephone, AMPS
– 2. Generation: digital
• GSM, DCS-1800, DECT
– 3. Generation: service integration
• UMTS / IMT-2000 / FPLMTS
§ Satellite services
– Iridium, Inmarsat, Globalstar, Odyssey
– GPS (Global Positioning System), Galileo (European satellite navigation system), GLONASS
§ Internet (Mobile IP)
Security deficits of existing mobile networks
§ Example of security demands: Cooke, Brewster (1992)
– protection of user data
– protection of signaling information, incl. location
– user authentication, equipment verification
– fraud prevention (correct billing)
§ General security demands
– Confidentiality
– Integrity
– Availability
§ Mobile network cannot be considered trustworthy
Attacker model
§ The attacker model defines the maximum strength of an adversary regarding a specific security mechanism
– Protection against an omnipotent attacker is impossible.
§ Aspects of an attacker model
– Roles of attacker (Outsider or Insider, …)
• combined roles also
– Dissemination of attacker
• Which stations or channels can be controlled?
– Behavior of attacker
• passive / active, observing / modifying
– Computing power of attacker (time, money)
• unlimited: information theoretic
• limited: complexity theoretic
Attacker model (concrete)
§ Outsiders
– Passive attacks only (confidentiality)
§ Insiders
– Passive and active data modification attacks (integrity)
§ Insiders and outsiders
– Denial of Service attacks on air interface
§ Mobile device
– Trustworthy
§ Network components
– Safe against outsiders, but not against insiders
§ Air interface
– Location finding (insiders and outsiders)
Global System for Mobile Communication (GSM)
§ Key features of Global System for Mobile Communication
– Very high international mobility
– Worldwide caller ID
– High geographic coverage
– High user capacity
– High speech quality
– Advanced error correction mechanisms
– Advanced resource allocation strategies (e.g. FDMA, OACSU)
– Priority emergency call service
– Built-in security functions
1. Subscriber Identity Module (SIM, smart card)
2. Authentication (Mobile station → network)
3. Pseudonymization of users on the air interface
4. Link encryption on the air interface
Architecture of GSM
[Figure: GSM architecture. Network Management: OMC. Call Management: (G)MSC, MSC, BSS (BSC, BTS), MS. Database Management: VLR, HLR, AuC, EIR]
OMC: Operation and Maintenance Center
HLR: Home Location Register
AuC: Authentication Center
EIR: Equipment Identity Register
MSC: Mobile Switching Center
GMSC: Gateway MSC to fixed network
VLR: Visitor Location Register
BSS: Base Station Subsystem
BSC: Base Station Controller
BTS: Base Transceiver Station
MS: Mobile Station
LA: Location Area
Location Management in GSM
§ GSM (Global System for Mobile Communication)
– Distributed storage at location registers
• Home Location Register (HLR)
• Visitor Location Register (VLR)
– Network operator has global view on location information
§ Tracking of mobile users is possible
[Figure: the HLR (long distance from the location area) stores the address of the VLR (A); the VLR (near the location area) stores the address of the LA (LAI); an incoming call causes a database request at the HLR, a database request at the VLR and a broadcast of the MSISDN in the LA]
Security deficits of existing mobile networks
§ Example of security demands: Cooke, Brewster (1992)
– protection of user data
– protection of signaling information, incl. location
– user authentication, equipment verification
– fraud prevention (correct billing)
§ Security deficits of GSM (selection)
– Only symmetric cryptography (algorithms not officially published)
– Weak protection of locations (against outsiders)
– No protection against insider attacks (location, message content)
– No end-to-end services (authentication, encryption)
§ Summary
– GSM provides protection against external attacks only.
– «… the designers of GSM did not aim at a level of security much higher than that of the fixed trunk network.» Mouly, Pautet (1992)
Databases (registers) in GSM
§ Home Location Register (HLR): Semipermanent data
– IMSI (International Mobile Subscriber Identity): max. 15 digits
• Mobile Country Code (MCC, 262) + Mobile Network Code (MNC, 01/02) + Mobile Subscriber Identification Number (MSIN)
– MSISDN (Mobile Subscriber International ISDN Number): 15 digits
• Country Code (CC, 49) + National Destination Code (NDC, 171/172) + HLR Number + Subscriber Number (SN)
• Number porting: translation table
– Subscriber data (name, address, account etc.)
– Service profile (priorities, call forwarding, service restrictions, e.g. roaming restrictions)
Databases (registers) in GSM
§ Home Location Register (HLR): Temporary data
– VLR address, MSC address
– MSRN (Mobile Subscriber Roaming Number)
• CC + NDC + VLR number; VLR number = MSC number + SN
– Authentication Set, consists of several Authentication Triplets:
• RAND (128 bit)
• SRES (32 bit)
• Kc (64 bit)
– Billing data, later on transferred to Billing Centres
Databases (registers) in GSM
§ Visitor Location Register (VLR)
– TMSI (Temporary Mobile Subscriber Identity)
– LAI (Location Area Identification)
– MSRN
– IMSI, MSISDN
– MSC address, HLR address
– Copy of service profile
– Billing data, later on transferred to Billing Centres
Databases (registers) in GSM
§ Equipment Identity Register (EIR)
– IMEI (International Mobile Station Equipment Identity): 15 digits = serial number of mobile station
• white lists (valid mobiles, shortened IMEI)
• grey lists (mobiles with failures are observed)
• black lists (blocked, stolen mobiles)
– USSD (Unstructured Supplementary Service Data) code for showing IMEI: *#06#
Security functions of GSM
§ Overview
1. Subscriber Identity Module (SIM, smart card)
• Admission control and crypto algorithms
2. Authentication (SIM → network)
• Challenge-Response-Authentication (A3)
3. Pseudonymization of users on the air interface
• Temporary Mobile Subscriber Identity (TMSI)
4. Link encryption on the air interface
• Generation of session key: A8
• Encryption: A5
Subscriber Identity Module (SIM)
§ Specialized smart card
– Data stored on SIM:
• IMSI (International Mobile Subscriber Identity)
• individual symmetric key Ki (Shared Secret Key)
• PIN (Personal Identification Number): admission control
• TMSI (Temporary Mobile Subscriber Identity)
• LAI (Location Area Identification)
– Cryptographic algorithms:
• A3: Challenge-Response-Authentication
• A8: Session key generation: Kc
Challenge-Response-Authentication
[Figure: MS ↔ MSC/VLR/AuC. The network's random generator produces RAND (max. 128 bit), sent in an Authentication Request; both sides compute A3(Ki, RAND) with Ki (128 bit); the MS returns SRES (32 bit) in an Authentication Response; the network compares it with its own value (Authentication Result)]
§ When initialized by the mobile network?
– Location Registration
– Location Update when changing the VLR
– Call Setup (both directions)
– Short Message Service
Challenge-Response-Authentication
§ Algorithm A3
– Implemented on SIM card and in Authentication Center (AuC)
– Cryptographic one-way function A3: SRES' = A3(Ki, RAND) (Ki: individual user key)
– Interfaces are standardized, cryptographic algorithm not
[Figure: the challenge-response diagram of the previous slide (RAND max. 128 bit, SRES 32 bit, Ki 128 bit)]
Challenge-Response-Authentication
§ Specific algorithm can be selected by the network operator
– Authentication data (RAND, SRES) are requested from AuC by the visited MSC
– visited MSC: only compares SRES == SRES'
– visited MSC has to trust home network operator
[Figure: the challenge-response diagram of the previous slides]
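The division of labour described on the last three slides (AuC computes the triplets, SIM answers the challenge, visited MSC only compares SRES with SRES') as an added simulation. This is not code from the lecture or from any GSM stack: A3/A8 are operator-specific and unpublished, so an HMAC-SHA256 slice stands in for them here (an assumption), and Ki, IMSI and the class names are constructed for the example.

```python
"""GSM challenge-response authentication with authentication triplets.

Roles as on the slides: the AuC of the home network holds Ki and issues
triplets (RAND, SRES, Kc); the SIM answers RAND with SRES and keeps Kc;
the visited MSC never sees Ki and only checks SRES == SRES'.
Stand-in for A3/A8 (assumption): HMAC-SHA256 truncated to 32 + 64 bits.
"""
import hashlib
import hmac
import secrets


def a3_a8(ki, rand):
    """Stand-in for A3/A8 (not COMP128): returns (SRES 32 bit, Kc 64 bit)."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]


class AuC:
    """Home network: Ki per IMSI, produces authentication triplets on request."""

    def __init__(self, subscribers):
        self._ki = dict(subscribers)

    def triplets(self, imsi, n=3):
        ki = self._ki[imsi]
        result = []
        for _ in range(n):
            rand = secrets.token_bytes(16)          # 128 bit challenge
            sres, kc = a3_a8(ki, rand)
            result.append((rand, sres, kc))
        return result


class SIM:
    """Mobile side: Ki never leaves the card, only SRES is sent over the air."""

    def __init__(self, ki):
        self._ki = ki
        self.kc = None                              # session key kept in the SIM

    def authenticate(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)
        return sres


class VisitedMSC:
    """Visited network: caches triplets from the AuC and compares SRES only."""

    def __init__(self, auc):
        self.auc = auc
        self.cache = {}

    def authenticate(self, imsi, sim):
        if not self.cache.get(imsi):
            self.cache[imsi] = self.auc.triplets(imsi)   # Provide Auth. Info
        rand, sres_expected, kc = self.cache[imsi].pop(0)
        sres = sim.authenticate(rand)               # Authentication Request / Response
        ok = hmac.compare_digest(sres, sres_expected)
        return ok, (kc if ok else None)             # Kc goes to the BSC for A5 only on success


# Constructed subscriber data (not real values).
KI_GOOD = bytes.fromhex("00112233445566778899aabbccddeeff")
IMSI = "262010000000001"


def run_demo():
    auc = AuC({IMSI: KI_GOOD})
    msc = VisitedMSC(auc)
    sim = SIM(KI_GOOD)
    ok, kc_network = msc.authenticate(IMSI, sim)
    ok_wrong, _ = msc.authenticate(IMSI, SIM(bytes(16)))   # a SIM without the right Ki
    return {"genuine": ok, "kc_match": kc_network == sim.kc, "wrong_ki": ok_wrong}


if __name__ == "__main__":
    print(run_demo())
```

Note what the exchange does not contain: the SIM answers any RAND it is given, so nothing in this flow authenticates the network to the mobile, which is the "mutual authentication is missing" point in the GSM summary later in these slides.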
Pseudonymization on air interface
§ TMSI (Temporary Mobile Subscriber Identity)
– hides from traceability of mobile users by outsiders
– on air interface: all (unencrypted) transactions from and to mobile user are addressed with TMSI
– algorithm for TMSI generation is network individual (not standardized)
§ Identity Request
– first contact (home network)
– after failure
• IMSI is requested by serving network
[Figure: TMSI reallocation, two cases. First contact / failure: the MS sends its old TMSI (LAI old, TMSI old, in any message using the TMSI); the VLR cannot map TMSI to IMSI and sends an Identity Request; the MS answers with an Identity Response containing the IMSI from the SIM; authentication follows; the VLR allocates a new TMSI; the BSC encrypts with A5 under Kc and sends a TMSI Reallocation Command carrying cipher(TMSI new); the MS stores TMSI new in the SIM and answers TMSI Reallocation Complete; the network stores TMSI new and deletes TMSI old. Normal case (TMSI used): the same, except that the VLR can map TMSI to IMSI, so no Identity Request is needed]
Link encryption on air interface
§ Session key generation: Algorithm A8
[Figure: MS ↔ network. The network's random generator produces RAND (max. 128 bit), sent in the Authentication Request; both sides compute Kc = A8(Ki, RAND) with Ki (128 bit), Kc (64 bit); on the network side Kc is stored in the HLR and used in the BSC, on the user side Kc is stored in the SIM and used in the MS]
Link encryption on air interface
§ Session key generation: Algorithm A8
– implemented on SIM and in Authentication Centre (AuC)
– cryptographic one-way function
– interfaces are standardized
– COMP128: well-known implementation of A3/A8
Link encryption on air interface
§ Link encryption: Algorithm A5
[Figure: MS ↔ network. Ciphering Mode Command (ciphering mode) / (Ciphering Mode Complete). On both sides A5 takes Kc (64 bit) and the TDMA frame number (22 bit) and produces a 114 bit key block; plaintext block XOR key block = ciphertext, ciphertext XOR key block = plaintext block]
Link encryption on air interface
§ Link encryption: Algorithm A5
– implemented in mobile station (not SIM!)
– standardized algorithms:
• A5 or A5/1
• A5* or A5/2, «weak variant» of A5 (deprecated)
• [A5/3 based on KASUMI (UMTS) with length(Kc) = 64 bit]
• [A5/4 same as A5/3 with length(Kc) = 128 bit]
§ Security of A5/1 and A5/2
– Cipher is based on non-linear shift registers
– Algorithms considered insecure today
• A5/1 broken by Nohl 2010
– Attack uses ≈ 2 TByte of pre-calculated rainbow tables
Link encryption on air interface
§ Ciphering Mode Command (GSM 04.08)
§ Cipher mode setting information element
bit      8 7 6 5   4 3 2   1
         1 0 0 1   0 0 0   SC
         Ciph mode set IEI | Spare Spare Spare | SC
SC = 0: No ciphering
SC = 1: Start ciphering
Message layout (bits 8 … 1):
octet 1  TI flag | TI value | Protocol discriminator
octet 2  0 | N(SD) | Message type
octet 3  Ciphering Mode Command (cipher mode setting)
Active Man-in-the-Middle Attack on A5/3
[Figure: MS ↔ Attacker ↔ BTS. The attacker relays Authentication Request (RAND) and Authentication Response (SRES) between MS and BTS. Towards the MS it sends Ciphering Mode Command «Start ciphering with A5/1» and receives Ciphering Mode Complete, so the MS leg is A5/1-encrypted «communication»; the attacker cracks Kc in real time. Towards the BTS it answers the genuine Ciphering Mode Command «Start ciphering with A5/3» with Ciphering Mode Complete and, knowing Kc, continues the A5/3-encrypted communication]
GSM security functions overview
[Figure: mobile station – air interface – visited network – home network. Location Updating Request (TMSI) → visited network. Home network: A3 + A8 with Ki and RAND yield SRES' and Kc (encryption key), passed to the visited network. Challenge-response authentication: Authentication Request (RAND) → MS; MS computes A3 + A8 with Ki; Authentication Response (SRES) → visited network compares with SRES' (auth. result). Ciphering Mode Command (Start Ciphering) → MS, Ciphering Mode Complete; from here on the communication is A5-encrypted with Kc. TMSI Reallocation Command (TMSI new), Location Updating Accept, TMSI Reallocation Complete]
Attacks – Telephone at the expense of others
§ SIM cloning
– Weakness of authentication algorithm
§ Interception of authentication data
– Eavesdropping of internal communication links
§ IMSI catcher
– Man-in-the-middle attack on the air interface
SIM cloning
§ Scope
– Telephone at the expense of others
– Determine Ki in SIM card
§ Attack 1
– Marc Briceno (Smart Card Developers Association), Ian Goldberg and Dave Wagner (both University of California in Berkeley)
• http://www.isaac.cs.berkeley.edu/isaac/gsm.html
– Attack uses a weakness of algorithm COMP128, which implements A3/A8
– SIM card (incl. PIN) must be under control of the attacker for at least 8-12 hours
– Needs 2^17 RAND values (≈ 150,000 calculations) to determine Ki (max. 128 bit)
– 6.25 calculations per second only, due to slow serial interface of SIM card
SIM cloning
§ Scope
– Telephone at the expense of others
– Determine Ki in SIM card
Picture source: http://www.ccc.de/gsm/
SIM cloning
§ Scope
– Telephone at the expense of others
– Determine Ki in SIM card
§ Attack 2
– Side channel attack on SIM card
– Measurement of chip power consumption during authentication reveals Ki
– Attack on the implementation of COMP128, not the algorithm itself
– Very fast: 500-1000 random inputs used for practical attack
– More reading:
• Rao, Rohatgi, Scherzer, Tinguely: Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards. Proc. 2002 IEEE Symposium on Security and Privacy, 2002
Interception of authentication data
§ Scope
– Telephone at the expense of others
– Described by Ross Anderson (University of Cambridge)
– Eavesdropping of unencrypted internal transmission of authentication data (RAND, SRES, Kc) from AuC to visited MSC
§ Weakness
– GSM standard only describes interfaces between network components.
– They forgot the demand for internal encryption.
– Microwave links are widely used for internal linkage of network components.
No encryption of internal links
[Figure: mobile station – air interface (encrypted) – BTS – microwave link (not encrypted) – (Gateway) MSC – fixed network (not encrypted)]
Interception of authentication data
[Figure: faked mobile station – air interface – visited network – microwave link (not encrypted) – home network. The faked MS sends any message with a TMSI; the visited network maps TMSI to IMSI and requests authentication information (Provide Auth. Info) from the home network, which computes A3 + A8 and returns the Authentication Information (RAND, SRES, Kc) over the unencrypted microwave link; both networks store the auth. info. The authentication triplets (RAND, SRES, Kc) are intercepted on that link, so the Auth. Request (RAND) can be answered with the matching SRES (lookup) and the A5-encrypted communication after Ciphering Mode Cmd. (Start Ciphering) / Ciphering Mode Compl. uses a Kc that is known to the interceptor]
IMSI-Catcher
§ Scope
– Identities of users of a certain radio cell
– Eavesdropping of communications
– (Telephone at the expense of others)
§ Man-in-the-middle attack (Masquerade)
§ Weakness
– No protection against malicious or faked network components
§ EP1051053B1 – April 2000 by Rohde & Schwarz
IMSI-Catcher
Pictures: Verfassungsschutz, http://www.datenschutz-und-datensicherheit.de/jhrg26/imsicatcher-fox-2002.pdf, http://www.heise.de/ct/artikel/Digitale-Selbstverteidigung-mit-dem-IMSI-Catcher-Catcher-2303215.html
IMSI-Catcher: Getting IMSI and IMEI
[Figure: MS – IMSI-Catcher – network, both BCCHs visible to the MS. MS → IMSI-Catcher: Location Upd. Request (TMSI); IMSI-Catcher → MS: Identity Request; MS → IMSI-Catcher: Identity Response (IMSI, IMEI), so the catcher knows the identities. The remaining exchange (Location Upd. Request (IMSI) towards the network, Authentication Request (RAND) / Authentication Response (SRES) relayed in both directions, Location Updating Accept, …) is only relevant for eavesdropping]
Note: The IMSI-Catcher sends its «location area identity» with a higher power than the genuine BTS
IMSI-Catcher: Eavesdropping Mobile Originated Calls
[Figure: MS (camps on cell of IMSI-Catcher) – IMSI-Catcher – mobile network. MS → IMSI-Catcher: CM Service Request; Authentication Request (RAND) / Authentication Response (SRES); IMSI-Catcher → MS: Ciph. Mode Cmd. (No Ciphering), so the MS leg is not encrypted. The IMSI-Catcher opens a call on a second phone with suppressed or faked caller ID; the leg to the mobile network is encrypted]
IMSI-Catcher: Eavesdropping Mobile Terminated Calls
[Figure: MS (camps on cell of IMSI-Catcher) – IMSI-Catcher – mobile network. Incoming call: the network sends a Paging Request; Authentication Request (RAND) / Authentication Response (SRES) are relayed in both directions; the network sends Ciph. Mode Cmd. (Start Ciphering), the IMSI-Catcher answers Ciphering Mode Complete (Fault) to suppress ciphering and sends Ciph. Mode Cmd. (No Ciphering) to the MS, so neither leg is encrypted]
IMSI-Catcher (1)
§ All BTSs send a list of frequencies of BCCHs of their neighboring cells and the own LAI
§ Examples:
– BTS7: f4, f5, f8; LA2
– BTS8: f7, f4, f5, f6, f9; LA2
[Figure: cell map used in slides IMSI-Catcher (1)–(5): BTS1: f1/LA1, BTS2: f2/LA3, BTS3: f3/LA3, BTS4: f4/LA1, BTS5: f5/LA1, BTS6: f6/LA3, BTS7: f7/LA2, BTS8: f8/LA2, BTS9: f9/LA2; the IMSI-Catcher is located in cell 5]
IMSI-Catcher (2)
§ IMSI-Catcher
– receives from BCCH of current cell (5)
• BTS5: f1, f2, f3, f4, f6, f7, f8, f9; LA1
– selects any frequency (e.g. f4) and receives from BCCH on f4
• BTS4: f1, f2, f5, f8, f7; LA1
– chooses any LAI which differs from actual LAIs in neighborhood (e.g. LA9)
– sends on f4 with high power
• IMSI-C.: f1, f2, f5, f8, f7; LA9
[Figure: same cell map as in IMSI-Catcher (1)]
IMSI-Catcher (3)
§ MS (camps on cell 5)
– monitors BCCHs of cells 1-9
– finds best signal on f4 (transmitted by IMSI-Catcher) and learns that the cell belongs to a new LA
– sends a LUP request to IMSI-Catcher
§ IMSI-Catcher
– responds with an Identity Request
§ MS
– answers with IMSI and IMEI
[Figure: same cell map as in IMSI-Catcher (1)]
IMSI-Catcher (4)
§ IMSI-Catcher
– sends junk (non-decodable data) on Paging Channel (PCH) and
– sends a frequency list of BTSs which do not send the frequency of the IMSI-Catcher (f4) in their frequency lists
• IMSI-C.: f3, f6, f9; LA9
[Figure: same cell map as in IMSI-Catcher (1)]
IMSI-Catcher (5)
§ MS
– receives junk on PCH and (according to GSM 05.05) does a cell reselection:
– MS monitors signal strengths of f3, f6, f9
– changes to the best cell (LUP)
[Figure: same cell map as in IMSI-Catcher (1)]
IMSI-Catcher (5)
§ Result
– MS is back in the network again
– because BTS3, 6 and 9 do not send f4 in their frequency lists, the MS does not recognize the powerful IMSI-Catcher signal again (and subsequently does not change back to it)
[Figure: same cell map as in IMSI-Catcher (1)]
IMSI-Catcher detectors
§ AIMSICD
– https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
§ SnoopSnitch
– from SRLabs (Karsten Nohl)
§ Darshak
– TU Berlin
§ GSMK CryptoPhone
– special smartphone
§ IMSI-Catcher-Catcher (ICC)
– SBA Research (Adrian Dabrowski)
Sources: https://www.privacy-handbuch.de/handbuch_75.htm, http://www.heise.de/ct/artikel/Digitale-Selbstverteidigung-mit-dem-IMSI-Catcher-Catcher-2303215.html
Picture (ICC): heise.de
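The BCCH anomalies that slides IMSI-Catcher (1)–(5) describe (a LAI that no neighbouring cell uses, a cell whose announced neighbours never list it back, a known frequency suddenly announcing a different LAI) are exactly what a detector of the kind listed on this slide can check. The following plausibility check is an added example, not code from the lecture or from any of the detector projects named above. The cell table reproduces the slides' example map; the neighbour lists of the cells whose lists the slides do not spell out are constructed.

```python
"""Plausibility check of a heard BCCH against a table of known cells.

Cell table: frequency -> (LAI, BCCH neighbour frequency list).
Entries marked "slide" are taken from slides IMSI-Catcher (1)/(2);
entries marked "constructed" are filled in for the example (consistent
with slide 55: BTS3, BTS6 and BTS9 do not list f4).
"""

CELLS = {
    "f1": ("LA1", ["f2", "f4", "f5"]),                                    # constructed
    "f2": ("LA3", ["f1", "f3", "f5"]),                                    # constructed
    "f3": ("LA3", ["f2", "f5", "f6"]),                                    # constructed
    "f4": ("LA1", ["f1", "f2", "f5", "f8", "f7"]),                        # slide (BTS4)
    "f5": ("LA1", ["f1", "f2", "f3", "f4", "f6", "f7", "f8", "f9"]),      # slide (BTS5)
    "f6": ("LA3", ["f3", "f5", "f9"]),                                    # constructed
    "f7": ("LA2", ["f4", "f5", "f8"]),                                    # slide (BTS7)
    "f8": ("LA2", ["f7", "f4", "f5", "f6", "f9"]),                        # slide (BTS8)
    "f9": ("LA2", ["f6", "f8", "f5"]),                                    # constructed
}


def check_bcch(freq, lai, neighbours, cells=CELLS):
    """Return the list of findings for a BCCH heard on `freq`; empty = plausible."""
    findings = []

    # Rule 1: the announced LAI should be in use by some other known cell nearby.
    # On the slides the catcher deliberately picks a LAI (LA9) that differs from
    # all LAIs in the neighbourhood so that the MS performs a location update.
    known_lais = {l for f, (l, _) in cells.items() if f != freq}
    if lai not in known_lais:
        findings.append(f"LAI {lai} is not used by any known neighbouring cell")

    # Rule 2: genuine neighbour relations are mutual.  A BCCH whose neighbour
    # list names only cells that do not list this frequency back matches the
    # "release the MS again" list (f3, f6, f9) of slide IMSI-Catcher (4).
    back_refs = [n for n in neighbours if n in cells and freq in cells[n][1]]
    if neighbours and not back_refs:
        findings.append(f"none of {neighbours} lists {freq} as a neighbour")

    # Rule 3: a frequency the table already knows should keep its LAI.
    if freq in cells and cells[freq][0] != lai:
        findings.append(f"{freq} is known as {cells[freq][0]}, now announces {lai}")

    return findings


# Constructed observations (what a phone in cell 5 might hear).
OBSERVATIONS = {
    "genuine BTS4":        ("f4", "LA1", ["f1", "f2", "f5", "f8", "f7"]),
    "catcher, slide (2)":  ("f4", "LA9", ["f1", "f2", "f5", "f8", "f7"]),
    "catcher, slide (4)":  ("f4", "LA9", ["f3", "f6", "f9"]),
}

if __name__ == "__main__":
    for name, (freq, lai, nb) in OBSERVATIONS.items():
        print(name, "->", check_bcch(freq, lai, nb) or "plausible")
```

The rules are heuristics: an operator re-planning its LAIs or adding a cell will trip rule 1 or rule 3 until the cell table is refreshed, which is why the detector apps above combine several such indicators rather than alerting on one.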
Location Management
§ Centralized approach
– Change of Location Area (LA), i.e. Location Updating, needs communication with HLR (far away from LA)
– Efficiency: Good at low Location Updating rates
§ Used in Mobile IP
– HLR = Home Agent
[Figure: the MSISDN contains the number of the HLR; the HLR stores the address of the LA together with the MSISDN; incoming call from A to B: database request at the HLR, the call is switched into the visited LA, a broadcast in the LA (MSISDN, LAI) reaches the MS via the BTS]
Location Management
§ 2-staged approach
– Change of Location Area (LA) changes VLR entry
– VLR serves geographically limited area (VLR area)
– Rare changes of VLR area change HLR entry
– Reduced signaling costs in wide area network
– Trade-off: Delayed call setup (mobile terminated)
[Figure: the HLR (far away from the LA) stores the address of the VLR (A); the VLR (near the LA) stores the address of the LA (LAI); incoming call: database request at the HLR, database request at the VLR, the call is switched into the LA, broadcast of the MSISDN]
Location Management
§ Multi-staged storage
– Many proposals for 3rd Generation Systems (UMTS), never realized in the field
– Variations: Hierarchical storage, Forwarding strategies
[Figure: hierarchy of registers R1 (HLR), R2, R3, R4, …, Rn down to the LA (LAI); database requests / forwarding proceed from the HLR to the LA (broadcast MSISDN); the distance from the LA decreases from large to small while the granularity of the location information goes from coarse to fine]
Location Updating Situations
§ Legend:
a) Change of radio cell
b) Change of LA
c) Change of VLR/MSC area
d) Change of MSC area
[Figure: movement of an MS through radio cells of LA1 (belongs to MSC1 and VLR1), LA2 (belongs to MSC2 and VLR2), LA3 (belongs to MSC2 and VLR2) and LA4 (belongs to MSC3 and VLR2)]
[Figure: Location Updating, MS ↔ MSC/VLR. MS → MSC/VLR: Location Updating Request (TMSI old, LAI old). Security management: authentication (Authentication Request RAND / Authentication Response SRES; A3 + A8 with Ki yield SRES and Kc, the MSC/VLR compares), set ciphering mode (Ciphering Mode Command / Ciphering Mode Complete), allocation of TMSI new (TMSI Reallocation Command, cipher(TMSI new)). Location Updating Accept. Security management: confirmation of TMSI new (TMSI Reallocation Complete), de-allocation of TMSI old]
Location Updating: New LA
§ New LA, old VLR (TMSI found)
– Location Updating Request (TMSI, LAI) old
– Security management
• Authentication
• Ciphering Mode
• TMSI Reallocation
– Location Updating Accept
Location Updating: New VLR area
[Figure: MS – MSC/VLR new – MSC/VLR old – HLR. MS → MSC/VLR new: Location Updating Request (TMSI old, LAI old); MSC/VLR new → MSC/VLR old: TMSI old, LAI old, answered with IMSI and Auth. Set; MSC/VLR new → HLR: Update Location (IMSI, MSC/VLR new); HLR → MSC/VLR old: Cancel Location (de-allocation of TMSI old); HLR → MSC/VLR new: Update Location Result. Security management: authentication, set ciphering mode, allocation of TMSI new. Location Updating Accept. Security management: confirmation of TMSI new, deletion of TMSI old]
Mobile Terminated Call Setup (MTCSU)
[Figure: incoming call for B. MSISDN-B contains the routing information to the GSM network in which mobile subscriber B is registered. The Gateway MSC asks the HLR (send routing information); the HLR reads the database entry for MSISDN/IMSI-B (table MSISDN/IMSI-A … IMSI-Z → MSC3, MSC2, …; for IMSI-B: MSC2, actually the MSRN) and forwards to the visited MSC2; VLR2 reads the LA for IMSI-B (table IMSI-B → LA1, TMSI-B; IMSI-C → LA3, TMSI-C; …; send info for incoming call); a broadcast message in LA1 carries TMSI-B; the mobile station recognizes the connection request message by the broadcast TMSI-B]
[Figure: message sequence MS – MSC – VLR – HLR – GMSC. GMSC → HLR: Send Routing Information (MSISDN); HLR → VLR: Provide Routing Info. (IMSI); VLR → HLR: Prov. Rout. Info. Result (MSRN); HLR → GMSC: Send Routing Info Result (MSRN); GMSC → MSC: Initial Address Message (MSRN); MSC ↔ VLR: Send Info (LAI, TMSI), Pag. Request; MSC → MS: Paging Request (TMSI, possibly IMSI); MS → MSC: Paging Response (channel request to BSS). Security management: Authentication Triplets from the VLR; Authentication Request RAND / Authentication Response SRES; Ciphering Mode Command Start Ciphering / Ciphering Mode Complete; TMSI Realloc. Command TMSI new / TMSI Realloc. Complete. Setup; channel assignment with early TCH; Alert; Address Complete Message (GMSC); Connect; Answer Message (GMSC); channel assignment with OACSU; Data; Disconnect / Release]
Mobile Originated Call Setup
[Figure: MS – MSC/VLR – PSTN/GMSC. MS → MSC/VLR: CM Service Request (channel request to BSS). Security management: authentication, ciphering mode. Setup; channel assignment with early TCH assignment; MSC/VLR → PSTN/GMSC: Initial Address Message; Address Complete Message; Alert; Answer Message; Connect; channel assignment with OACSU; Data; Disconnect / Release]
Message format GSM 04.08
§ Protocol discriminator (bit number 4 3 2 1)
– 0011 call control, packet-mode, connection control and call related SS messages
– 0101 mobility management messages
– 0110 radio resources management messages
– 1001 short message service messages
– 1011 non call related SS messages
– 1111 reserved for test procedures
– All other values are reserved
Message layout (bits 8 … 1):
octet 1    TI flag | TI value | Protocol discriminator
octet 2    0 | N(SD) | Message type
octet 3 …  Data
Message format GSM 04.08
§ Transaction identifier (TI)
– Used for distinction of parallel activities of MS
• TI flag: 0: message sent from the originating TI side; 1: message sent to the originating TI side
§ TI value
– Number 000 … 110 (bin: 0 … 6)
– 111 reserved
Message layout (bits 8 … 1):
octet 1    TI flag | TI value | Protocol discriminator
octet 2    0 | N(SD) | Message type
octet 3 …  Data
Message format GSM 04.08
§ 3 classes:
– Radio resources management
– Mobility management
– Call control
§ N(SD)
– Sequence number or extension bit
Message layout (bits 8 … 1):
octet 1    TI flag | TI value | Protocol discriminator
octet 2    0 | N(SD) | Message type
octet 3 …  Data
Message type (1)
§ Radio resources management (1)
bit number  8 7 6 5 4 3 2 1
            0 0 1 1 1 – – –   Channel establishment messages
                      0 1 1   ADDITIONAL ASSIGNMENT
                      1 1 1   IMMEDIATE ASSIGNMENT
                      0 0 1   IMMEDIATE ASSIGNMENT EXTENDED
                      0 1 0   IMMEDIATE ASSIGNMENT REJECT
            0 0 1 1 0 – – –   Ciphering messages
                      1 0 1   CIPHERING MODE COMMAND
                      0 1 0   CIPHERING MODE COMPLETE
            0 0 1 0 1 – – –   Handover messages
                      1 1 0   ASSIGNMENT COMMAND
                      0 0 0   ASSIGNMENT COMPLETE
                      1 1 1   ASSIGNMENT FAILURE
                      0 1 1   HANDOVER COMMAND
                      1 0 0   HANDOVER COMPLETE
                      0 0 0   HANDOVER FAILURE
                      1 0 1   PHYSICAL INFORMATION
            0 0 0 0 1 – – –   Channel release messages
                      1 0 1   CHANNEL RELEASE
                      0 1 0   PARTIAL RELEASE
                      1 1 1   PARTIAL RELEASE COMPLETE
...
Message type (1)
§ Radio resources management (2)
bit number  8 7 6 5 4 3 2 1
...
            0 0 1 0 0 – – –   Paging messages
                      0 0 1   PAGING REQUEST TYPE 1
                      0 1 0   PAGING REQUEST TYPE 2
                      1 0 0   PAGING REQUEST TYPE 3
                      1 1 1   PAGING RESPONSE
            0 0 0 1 1 – – –   System information messages
                      0 0 1   SYSTEM INFORMATION TYPE 1
                      0 1 0   SYSTEM INFORMATION TYPE 2
                      0 1 1   SYSTEM INFORMATION TYPE 3
                      1 0 0   SYSTEM INFORMATION TYPE 4
                      1 0 1   SYSTEM INFORMATION TYPE 5
                      1 1 0   SYSTEM INFORMATION TYPE 6
            0 0 0 1 0 – – –   Miscellaneous messages
                      0 0 0   CHANNEL MODE MODIFY
                      0 1 0   RR STATUS
                      1 1 1   CHANNEL MODE MODIFY ACKNOWLEDGE
                      1 0 0   FREQUENCY REDEFINITION
                      1 0 1   MEASUREMENT REPORT
                      1 1 0   CLASSMARK CHANGE
Message type (2)
§ Mobility management
– Bits 7 and 8 (value: 00) reserved as extension bits
– Bit 7: mobile originated only: 1, if sequence number is sent
bit number  8 7 6 5 4 3 2 1
            0 x 0 0 – – – –   Registration messages
                    0 0 0 1   IMSI DETACH INDICATION
                    0 0 1 0   LOCATION UPDATING ACCEPT
                    0 1 0 0   LOCATION UPDATING REJECT
                    1 0 0 0   LOCATION UPDATING REQUEST
            0 x 0 1 – – – –   Security messages
                    0 0 0 1   AUTHENTICATION REJECT
                    0 0 1 0   AUTHENTICATION REQUEST
                    0 1 0 0   AUTHENTICATION RESPONSE
                    1 0 0 0   IDENTITY REQUEST
                    1 0 0 1   IDENTITY RESPONSE
                    1 0 1 0   TMSI REALLOCATION COMMAND
                    1 0 1 1   TMSI REALLOCATION COMPLETE
            0 x 1 0 – – – –   Connection management messages
                    0 0 0 1   CM SERVICE ACCEPT
                    0 0 1 0   CM SERVICE REJECT
                    0 1 0 0   CM SERVICE REQUEST
                    1 0 0 0   CM REESTABLISHMENT REQUEST
            0 x 1 1 – – – –   Connection management messages
                    0 0 0 1   MM STATUS
Message type (3)
§ Call control (1)
– Bits 7 and 8 (value: 00) reserved as extension bits
– Bit 7: mobile originated only: 1, if sequence number is sent
– Nationally specific messages: next octets contain message
bit number  8 7 6 5 4 3 2 1
            0 x 0 0 0 0 0 0   Escape to nationally specific message types
            0 x 0 0 – – – –   Call establishment messages
                    0 0 0 1   ALERTING
                    1 0 0 0   CALL CONFIRMED
                    0 0 1 0   CALL PROCEEDING
                    0 1 1 1   CONNECT
                    1 1 1 1   CONNECT ACKNOWLEDGE
                    1 1 1 0   EMERGENCY SETUP
                    0 0 1 1   PROGRESS
                    0 1 0 1   SETUP
            0 x 0 1 – – – –   Call information phase messages
                    0 1 1 1   MODIFY
                    1 1 1 1   MODIFY COMPLETE
                    0 0 1 1   MODIFY REJECTED
                    0 0 0 0   USER INFORMATION
...
Message type (3)
§ Call control (2)
– Bits 7 and 8 (value: 00) reserved as extension bits
– Bit 7: mobile originated only: 1, if sequence number is sent
bit number  8 7 6 5 4 3 2 1
...
            0 x 1 0 – – – –   Call clearing messages
                    0 1 0 1   DISCONNECT
                    1 1 0 1   RELEASE
                    1 0 1 0   RELEASE COMPLETE
            0 x 1 1 – – – –   Miscellaneous messages
                    1 0 0 1   CONGESTION CONTROL
                    1 1 1 0   NOTIFY
                    1 1 0 1   STATUS
                    0 1 0 0   STATUS ENQUIRY
                    0 1 0 1   START DTMF
                    0 0 0 1   STOP DTMF
                    0 0 1 0   STOP DTMF ACKNOWLEDGE
                    0 1 1 0   START DTMF ACKNOWLEDGE
                    0 1 1 1   START DTMF REJECT
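A decoder for the GSM 04.08 header format of the three "Message format" slides and the message-type tables above, combined with the cipher mode setting IE of the Ciphering Mode Command slide, as an added example (not code from the lecture or from any GSM protocol stack). The message-type values are the ones printed on the slides (a subset per class is included); the IE layout follows the slide (bit 1 = SC, bits 4-2 spare), so the algorithm identifier that later releases of the specification put into bits 4-2 is not decoded. The sample messages are constructed, not captured traffic.

```python
"""GSM 04.08 L3 header decoder (octets 1-2) plus cipher mode setting IE.

Octet 1: TI flag (bit 8), TI value (bits 7-5), protocol discriminator (bits 4-1).
Octet 2: bit 8 = 0; for MM and CC bit 7 = N(SD) and bits 6-1 = message type;
         for RR bits 7-1 = message type.
Octet 3 of CIPHERING MODE COMMAND: IEI 1001 (bits 8-5), spare (4-2), SC (bit 1).
"""

PD_NAMES = {
    0b0011: "call control",
    0b0101: "mobility management",
    0b0110: "radio resources management",
    0b1001: "short message service",
    0b1011: "non call related SS",
    0b1111: "test procedures",
}

# Radio resources management (subset from the slides: ciphering and paging).
RR_TYPES = {
    0x35: "CIPHERING MODE COMMAND", 0x32: "CIPHERING MODE COMPLETE",
    0x21: "PAGING REQUEST TYPE 1", 0x22: "PAGING REQUEST TYPE 2",
    0x24: "PAGING REQUEST TYPE 3", 0x27: "PAGING RESPONSE",
}

# Mobility management (complete table from the slides; bit 7 masked off).
MM_TYPES = {
    0x01: "IMSI DETACH INDICATION", 0x02: "LOCATION UPDATING ACCEPT",
    0x04: "LOCATION UPDATING REJECT", 0x08: "LOCATION UPDATING REQUEST",
    0x11: "AUTHENTICATION REJECT", 0x12: "AUTHENTICATION REQUEST",
    0x14: "AUTHENTICATION RESPONSE", 0x18: "IDENTITY REQUEST",
    0x19: "IDENTITY RESPONSE", 0x1A: "TMSI REALLOCATION COMMAND",
    0x1B: "TMSI REALLOCATION COMPLETE", 0x21: "CM SERVICE ACCEPT",
    0x22: "CM SERVICE REJECT", 0x24: "CM SERVICE REQUEST",
    0x28: "CM REESTABLISHMENT REQUEST", 0x31: "MM STATUS",
}

# Call control (subset from the slides: establishment and clearing).
CC_TYPES = {
    0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP", 0x07: "CONNECT",
    0x08: "CALL CONFIRMED", 0x0E: "EMERGENCY SETUP", 0x0F: "CONNECT ACKNOWLEDGE",
    0x25: "DISCONNECT", 0x2A: "RELEASE COMPLETE", 0x2D: "RELEASE",
}


def decode_header(msg):
    """Split octets 1 and 2 into their fields and name the message."""
    if len(msg) < 2:
        raise ValueError("L3 message needs at least two octets")
    o1, o2 = msg[0], msg[1]
    pd = o1 & 0x0F
    info = {
        "pd": pd,
        "pd_name": PD_NAMES.get(pd, "reserved"),
        "ti_flag": o1 >> 7,                 # 0: sent from the originating TI side
        "ti_value": (o1 >> 4) & 0x07,       # 111 is reserved (RR: skip indicator)
    }
    if pd in (0b0101, 0b0011):              # MM and CC carry N(SD) in bit 7
        info["nsd"] = (o2 >> 6) & 1
        mtype, table = o2 & 0x3F, (MM_TYPES if pd == 0b0101 else CC_TYPES)
    else:                                   # RR: bit 8 is 0, bits 7-1 are the type
        mtype, table = o2 & 0x7F, RR_TYPES
    info["msg_type"] = mtype
    info["msg_name"] = table.get(mtype, "not in this table")
    return info


def cipher_mode_setting(msg):
    """Decode octet 3 of a CIPHERING MODE COMMAND: IEI 1001, spare 000, SC."""
    hdr = decode_header(msg)
    if hdr["pd"] != 0b0110 or hdr["msg_type"] != 0x35 or len(msg) < 3:
        raise ValueError("not a CIPHERING MODE COMMAND")
    o3 = msg[2]
    if o3 >> 4 != 0b1001:
        raise ValueError("unexpected IEI in cipher mode setting octet")
    sc = o3 & 0x01
    return {"sc": sc, "ciphering": "start ciphering" if sc else "no ciphering"}


def flag_unciphered(msg):
    """Detector rule: SC = 0 leaves the air interface unencrypted, which is the
    message the IMSI-catcher call flows on the earlier slides rely on."""
    return cipher_mode_setting(msg)["sc"] == 0


# Constructed sample messages (hex octets), not captured traffic.
SAMPLES = {
    "cmc_no_ciphering":    bytes([0x06, 0x35, 0x90]),
    "cmc_start_ciphering": bytes([0x06, 0x35, 0x91]),
    "identity_request":    bytes([0x05, 0x18]),
    "auth_request_nsd1":   bytes([0x05, 0x52]),   # bit 7 set: N(SD) = 1
    "cc_setup_ti_flag":    bytes([0x83, 0x05]),   # TI flag 1, TI value 0
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        h = decode_header(raw)
        line = f"{name:22s} {h['pd_name']:28s} {h['msg_name']}"
        if h["pd"] == 0b0110 and h["msg_type"] == 0x35:
            line += "  -> " + cipher_mode_setting(raw)["ciphering"]
            if flag_unciphered(raw):
                line += "  [ALERT: unencrypted link ordered]"
        print(line)
```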
Movement profiling in GSM
§ Variants:
– Access HLR and VLR data (insiders only)
– Direction finding (German: «Peilung»)
§ Protection:
– Privacy protection of database entries
– Direct Sequence Spread Spectrum
Access HLR and VLR data
[Figure: OMC – MSC – VLR – HLR – BSC – BSS (BTS) – LA. The HLR knows the VLR or MSC; the VLR knows the LA; for an existing connection the BSS knows the cell and the frequency hopping parameters; the OMC has access to the network components]
Location Based Services
§ Terminal-based locating
– Global Positioning System (GPS)
• Accuracy: 10 … 100 m
• Location time: up to 30 sec
– Assisted-GPS (A-GPS)
• GPS signals re-broadcasted by BTS
• Increased location speed (and accuracy)
– Observed Time Difference (OTD)
• BTS1 … BTS3 send a location signal
• Received after Δt1, Δt2 and Δt3 by MS
• If Δti == Δtj then OTD = 0
Assisted-GPS (A-GPS)
[Figure: MS with simplified GPS receiver – BTS – MSC – A-GPS Server. 1. MS and A-GPS server receive the same satellite signals; 2. the server calculates support information for fast localization (doppler shift, pseudorandom noise phase); 3. support information to the MS; 4. the MS performs the exact measurement and transmits the values to the A-GPS server; 5. exact measurement values; 6. the server calculates the exact location]
Location Based Services
§ Network-based locating
– Time of Arrival (TOA)
• Mobile station sends signal
• BTSs receive signal after Δti (i = 1, 2, 3)
– Cell of Origin (COO)
• Cell-ID is associated with geographic location
• Accuracy: 100 m … 35 km
Spread Spectrum Systems
§ Radio communication between military divisions
– Sender sends on frequency f0 with bandwidth B
§ Problems:
– Spectrum analyzer detects energy around f0 and directional antennas locate source of signal
– Jammer may interfere with communication
[Figure: spectrum with the signal energy concentrated around f0]
Transmission model Spread Spectrum Systems
[Figure: Sender: data → spreading modulator (spreading sequence, high bandwidth) → HF modulator (high frequency bearer). Receiver: HF demodulator (high frequency bearer) → spreading demodulator (spreading sequence, high bandwidth) → data]
Spreading
§ Data is modulated with high-bandwidth spreading sequence:
– Walsh functions (orthogonal codes)
– Pseudo-Noise-Sequence (PN-Code)
§ Spectral spreading of signal
§ Dispersion of energy on a large frequency spectrum
[Figure: spectrum around f0 before and after spreading]
De-Spreading
§ Spread data interfered by (random) noise
§ Spectral spreading of noise
§ De-spreading of data
[Figure: spectrum around f0: after de-spreading the data is narrowband again while the interference is spread]
Missing end-to-end services in GSM
§ Speech channels of GSM are not bit transparent channels
– Lossy compression of speech channels
§ Use data channel for additional end-to-end encryption
– As an external add-on (e.g. GSM TopSec Med)
– As integrated service (e.g. GSM TopSec GSM)
– Both are not GSM standard conform add-ons
– Users need compatible devices or software on MS
Signaling of channel type (speech, data) in GSM
[Figure: MS-A (sends): A/D – CODEC – TA – A5 – TX/RX, signaling type := speech or type := data; BSS: TX/RX – A5 – TRAU (Transcoder / Rate Adaption) – MSC; MS-B (receives) mirrors MS-A. Logic in the TRAU: IF type = data THEN Rate Adaption ELSE IF type = speech THEN Transcoder]
MS: Mobile Station, A5: GSM Link Encryption, BSS: Base Station Subsystem, TX/RX: Transmitter/Receiver, A/D: Analog-Digital-Converter, TRAU: Transcoder/Rate Adaption Unit, CODEC: Speech Coder/Decoder, MSC: Mobile Switching Centre, TA: Terminal Adaption
Bit transparent data channel for end-to-end speech encryption
[Figure: add-on device to MS-A and to MS-B: A/D – CODEC* – E/D (encryption/decryption), connected to the mobile (TA – A5 – TX/RX); on both sides BSS (TX/RX – A5 – TRAU) – MSC]
Example: TopSec MED (Rohde & Schwarz): external device, Bluetooth connected to mobile phone
Bit transparent data channel – internal use for end-to-end enc.
[Figure: MS-A (modified, sends) and MS-B (modified, receives): A/D – CODEC – E/D or TA – A5 – TX/RX, with logic IF edtype = encrypted_speech THEN E/D ELSE TA; signaling type := data, edtype := encrypted_speech; on both sides BSS (TX/RX – A5 – TRAU) – MSC]
Example: TopSec GSM (Rohde & Schwarz): modified Siemens S35i with crypto processor, 128 bit encryption
Software solutions for end-to-end encryption
§ Example: SecureGSM · http://www.securegsm.com
– For Windows Mobile Smartphones
– Bit transparent data channel used
– Asymmetric key agreement («4 Kbit»)
– Triple encryption with AES, Serpent and Twofish with triple 256 bit session keys
Screenshots: http://www.securegsm.com
Summary of security problems in GSM
§ Hard
– Weak link encryption «protects» against outsiders only
– No bit transparent speech channels –> no end-to-end encryption
– Location finding for insiders possible
– Mutual authentication is missing
§ Further
– Symmetric encryption
– No anonymous network usage possible
– Trust into accounting is necessary
Universal mobile telecommunication system (UMTS)
§ Security functions of UMTS -> «inspired» by GSM security functions
§ From GSM
– Subscriber identity confidentiality (TMSI)
– Subscriber authentication
– Radio interface encryption
– SIM card (now called USIM)
– Authentication of subscriber towards SIM by means of a PIN
– Delegation of authentication to visited network
– No need to adopt standardized authentication algorithms
§ Additional UMTS security features
– Enhanced UMTS authentication and key agreement mechanism
– Integrity protection of signaling information (prevents false-base-station attacks)
– New ciphering / key agreement / integrity protection algorithms
– … and a few minor features
UMTS Security Architecture
[Figure: USIM – MS – Node B (Base Station) – RNC – VLR – HLR/AuC; Serving Network (Node B, RNC, VLR) and Home Environment (HLR/AuC). Ciphering / integrity protection between MS and RNC: cipher key CK, integrity key IK, ciphering function f8, integrity function f9. User authentication and network authentication between USIM and HLR/AuC: authentication key K, authentication functions f1, f2, key generation functions f3, f4, f5, sequence number management SQN]
USIM: UMTS Subscriber Identity Module
MS: Mobile Station
RNC: Radio Network Controller
VLR: Visitor Location Register
HLR: Home Location Register
AuC: Authentication Centre
98
Generation of authentication vectors (network side)

[Figure: the AuC generates SQN and RAND and feeds K [128], RAND [128], SQN [48] and AMF [16] into f1 … f5: f1(K, SQN, RAND, AMF) -> MAC [64]; f2(K, RAND) -> XRES [32…128]; f3(K, RAND) -> CK [128]; f4(K, RAND) -> IK [128]; f5(K, RAND) -> AK [48].]

AUTN := (SQN ⊕ AK) || AMF || MAC
AV := RAND || XRES || CK || IK || AUTN
99
Abbreviations

SQN Sequence number; RAND Random number; AMF Authentication Management Field; K Secret key; MAC Message authentication code; XRES Expected response; RES Response; CK Cipher key; IK Integrity key; AK Anonymity key; AUTN Authentication token; AV Authentication vector; […] number of bits

False-base-station attacks are possible if an attacker can eavesdrop AVs on network-internal communication lines
100
Authentication function in the USIM (user side)

[Figure: the USIM receives RAND [128] and AUTN = (SQN ⊕ AK) [48] || AMF [16] || MAC [64]. With K [128] it computes AK = f5(K, RAND) [48] and recovers SQN = (SQN ⊕ AK) ⊕ AK, then XMAC = f1(K, SQN, RAND, AMF) [64], RES = f2(K, RAND) [32…128], CK = f3(K, RAND) [128] and IK = f4(K, RAND) [128].]

Verify MAC == XMAC, then verify that SQN is in the correct range
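The AKA flow of the two preceding slides (network-side AV generation, USIM-side verification), as an added example that is not part of the original slides. f1 … f5 are replaced by an HMAC-SHA256 stand-in (the slides note that operators need not adopt a standardized algorithm; the real functions, e.g. MILENAGE, are not reproduced), the field sizes follow the slides, and the 32-entry SQN acceptance window is an assumption. The demo runs one successful authentication, then shows a replayed AV rejected by the SQN check and an AV built without K rejected by the MAC check.

```python
import hashlib
import hmac
import os

# Field sizes from the slides, in bytes (K 128, RAND 128, SQN 48, AMF 16,
# MAC 64, XRES 32...128 (64 here), CK 128, IK 128, AK 48 bits).
K_LEN, RAND_LEN, SQN_LEN, AMF_LEN = 16, 16, 6, 2
MAC_LEN, RES_LEN, CK_LEN, IK_LEN, AK_LEN = 8, 8, 16, 16, 6


def _f(tag: bytes, k: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for f1..f5: a keyed PRF (HMAC-SHA256) truncated to n bytes.
    The real functions are operator-chosen (e.g. MILENAGE); this only
    reproduces the data flow of AKA, not the 3GPP algorithm."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf): return _f(b"f1", k, sqn, rand, amf, n=MAC_LEN)  # MAC / XMAC
def f2(k, rand):           return _f(b"f2", k, rand, n=RES_LEN)            # XRES / RES
def f3(k, rand):           return _f(b"f3", k, rand, n=CK_LEN)             # CK
def f4(k, rand):           return _f(b"f4", k, rand, n=IK_LEN)             # IK
def f5(k, rand):           return _f(b"f5", k, rand, n=AK_LEN)             # AK


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k, sqn, amf, rand=None):
    """Network side (HLR/AuC): AV = RAND || XRES || CK || IK || AUTN with
    AUTN = (SQN xor AK) || AMF || MAC. AK conceals the sequence number."""
    rand = rand or os.urandom(RAND_LEN)
    mac = f1(k, sqn, rand, amf)
    autn = xor(sqn, f5(k, rand)) + amf + mac
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}


def usim_authenticate(k, sqn_last, rand, autn, window=32):
    """User side (USIM): recover SQN with AK, check MAC == XMAC, then check
    that SQN lies in the accepted range. Returns (RES, CK, IK, SQN)."""
    conc_sqn = autn[:SQN_LEN]
    amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
    mac = autn[SQN_LEN + AMF_LEN:]
    sqn = xor(conc_sqn, f5(k, rand))
    xmac = f1(k, sqn, rand, amf)
    if not hmac.compare_digest(mac, xmac):
        raise ValueError("MAC failure: peer does not know K (false base station?)")
    sqn_int = int.from_bytes(sqn, "big")
    last_int = int.from_bytes(sqn_last, "big")
    if not last_int < sqn_int <= last_int + window:   # window size is an assumption
        raise ValueError("SQN out of range: replayed or stale AV (resynchronisation needed)")
    return f2(k, rand), f3(k, rand), f4(k, rand), sqn


def serving_network_check(av, res):
    """VLR (UMTS) / MME (LTE): compare RES from the USIM with XRES from the AV."""
    return hmac.compare_digest(av["XRES"], res)


def demo():
    """Legitimate run, then a replayed AV and an AV made under a foreign key."""
    k, amf = bytes(range(K_LEN)), b"\x80\x00"          # constructed test key
    sqn_hlr = (5).to_bytes(SQN_LEN, "big")
    sqn_usim = (4).to_bytes(SQN_LEN, "big")             # last SQN the USIM accepted
    av = generate_av(k, sqn_hlr, amf)
    res, ck, ik, sqn_usim = usim_authenticate(k, sqn_usim, av["RAND"], av["AUTN"])
    ok = serving_network_check(av, res) and ck == av["CK"] and ik == av["IK"]
    replay_rejected = wrong_key_rejected = False
    try:                                                # same AV a second time
        usim_authenticate(k, sqn_usim, av["RAND"], av["AUTN"])
    except ValueError as e:
        replay_rejected = "SQN" in str(e)
    try:                                                # AV from someone without K
        usim_authenticate(bytes(K_LEN), sqn_usim, av["RAND"], av["AUTN"])
    except ValueError as e:
        wrong_key_rejected = "MAC" in str(e)
    return ok, replay_rejected, wrong_key_rejected


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

An attacker who obtains a fresh AV on a network-internal link, the case raised on the abbreviations slide, passes usim_authenticate exactly as the home network would, until that AV's SQN has been consumed; nothing on the USIM side can tell the two apart, which is why the AV transport itself has to be protected.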
102
Cipher algorithm f8

§ Combination of Output Feedback mode (OFB) and counter mode
§ First encryption under CK' prevents chosen-plaintext attacks (the initialization vector is encrypted; KM: key modifier)

[Figure: CK' = CK ⊕ KM; A = KASUMI_CK'(COUNT || BEARER || DIRECTION || 0…0). A chain of KASUMI_CK blocks with BLKCTR = 0, 1, 2, …, n then produces the keystream KS[0]…KS[63], KS[64]…KS[127], KS[128]…KS[191], …, KS[64·n]…KS[64·(n+1)–1]; each block input is A ⊕ BLKCTR ⊕ the previous block output (OFB). The keystream is XORed with the MESSAGE block.]
103
Integrity algorithm f9: ISO/IEC 9797-1 (MAC algorithm 2)

§ Sender and receiver use f9
§ Receiver verifies MAC == XMAC

[Figure: CBC-MAC chain with KASUMI under IK over the blocks COUNT || FRESH, MESSAGE[0]…MESSAGE[63], MESSAGE[64]…MESSAGE[127], …, final message block (padded); each KASUMI_IK output is XORed into the next block input. The XOR of all chain outputs is encrypted once more with KASUMI under IK' = IK ⊕ KM; the left 32 bits form MAC (sender) or XMAC (receiver).]
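The mode-of-operation structure of f8 and f9 from the two slides above, as an added example not taken from the slides or from 3GPP. KASUMI is replaced by a keyed-hash stand-in E() with the same 64-bit block size (both modes only ever run the cipher forwards, so a non-invertible stand-in preserves the structure), and the key modifier constants KM are assumed values. The bit layouts COUNT || BEARER || DIRECTION || 0…0 and COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0* follow the specification structure; the keys and the message are constructed test data.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in KASUMI


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for KASUMI (64-bit block, 128-bit key): keyed hash truncated to
    8 bytes. f8 and f9 only ever run the cipher forwards, so a non-invertible
    stand-in reproduces the modes faithfully. This is NOT KASUMI."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


KM_F8 = bytes([0x55]) * 16   # key modifier patterns, assumed here
KM_F9 = bytes([0xAA]) * 16


def f8_keystream(ck, count, bearer, direction, nbytes):
    """f8 keystream (OFB/counter hybrid from the slide).
    A = E_CK'(COUNT[32] || BEARER[5] || DIRECTION[1] || 0...0) with CK' = CK xor KM,
    then KS_n = E_CK(A xor BLKCTR xor KS_{n-1}), KS_0 = 0, BLKCTR = 0, 1, 2, ..."""
    iv = ((count << 32) | (bearer << 27) | (direction << 26)).to_bytes(BLOCK, "big")
    a = E(xor(ck, KM_F8), iv)
    ks, prev, blkctr = b"", bytes(BLOCK), 0
    while len(ks) < nbytes:
        prev = E(ck, xor(xor(a, blkctr.to_bytes(BLOCK, "big")), prev))
        ks += prev
        blkctr += 1
    return ks[:nbytes]


def f8(ck, count, bearer, direction, data):
    """Encrypt or decrypt: keystream XORed with the message block."""
    return xor(data, f8_keystream(ck, count, bearer, direction, len(data)))


def f9(ik, count, fresh, direction, message):
    """f9 (ISO/IEC 9797-1 MAC algorithm 2 structure): CBC chain under IK over
    COUNT[32] || FRESH[32] || MESSAGE || DIRECTION[1] || 1 || 0*, all chain
    outputs XORed together, one final encryption under IK' = IK xor KM,
    MAC = left 32 bits."""
    ps = count.to_bytes(4, "big") + fresh.to_bytes(4, "big") + message
    ps += bytes([(direction << 7) | 0x40])   # DIRECTION bit, then the single 1 bit
    ps += bytes(-len(ps) % BLOCK)            # zero padding to a block boundary
    a = acc = bytes(BLOCK)
    for i in range(0, len(ps), BLOCK):
        a = E(ik, xor(a, ps[i:i + BLOCK]))
        acc = xor(acc, a)
    return E(xor(ik, KM_F9), acc)[:4]


def demo():
    ck, ik = bytes(range(16)), bytes(range(16, 32))   # constructed keys
    msg = b"RRC: measurement report, cell id 4711"   # constructed signalling payload
    ct = f8(ck, 7, 3, 0, msg)
    roundtrip = f8(ck, 7, 3, 0, ct) == msg
    # Same CK: a different COUNT (or BEARER/DIRECTION) must give a different keystream,
    # otherwise two frames would be XORed with the same pad.
    fresh_ks = f8_keystream(ck, 8, 3, 0, 16) != f8_keystream(ck, 7, 3, 0, 16)
    mac = f9(ik, 7, 0xC0FFEE, 0, msg)
    tampered = bytearray(msg)
    tampered[5] ^= 0x01
    mac_ok = mac == f9(ik, 7, 0xC0FFEE, 0, msg)
    mac_detects_flip = mac != f9(ik, 7, 0xC0FFEE, 0, bytes(tampered))
    return roundtrip, fresh_ks, mac_ok, mac_detects_flip, len(mac) == 4


if __name__ == "__main__":
    print(demo())   # (True, True, True, True, True)
```

The COUNT/BEARER/DIRECTION inputs are what keep the keystream fresh per frame and per direction under one CK; the f9 MAC over the signalling message is what GSM lacked, and it is the reason a false base station can no longer rewrite signalling (for example, to switch ciphering off) without being detected.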
104
Own base station in UMTS

§ Example: Vodafone SuperSignal
  – base station connected via IP with the UMTS network
  – femto cell at home, not a repeater

[Figure: USIM/MS -> Vodafone SuperSignal -> UMTS home router (IP) -> via IP to the operator's UMTS network]

Source: http://www.vodafone.de/business/hilfe-support/umts-basisstation-vodafone-supersignal.html
105
Long Term Evolution (LTE) Architecture

[Figure: USIM - ME - eNode B (E-UTRAN) - S-GW (corresponds to the MSC) - P-GW (corresponds to the G-MSC) - IP network; control plane: MME (corresponds to the VLR) and HSS (corresponds to HLR/AuC)]

Legend: USIM UMTS Subscriber Identity Module; ME Mobile Equipment; E-UTRAN Evolved UMTS Terrestrial Radio Access Network; MME Mobility Management Entity; HSS Home Subscriber Server; S-GW Serving Gateway; P-GW Packet Data Network Gateway; IP Internet Protocol
106
Long Term Evolution (LTE)

§ Characteristics
  – Traffic channels: data services only; speech is realized via Voice over IP
  – SMS is realized via signalling messages (similar to GSM)

§ Security: inspired by and closely related to UMTS
  – Individual symmetric key at USIM and HSS
  – Authentication vector
    • Calculated at USIM and HSS
    • Checked at the MME
  – Pseudonymization on the air interface:
    • Globally Unique Temporary Identity (GUTI)
  – Data encryption
    • Air interface: Advanced Encryption Standard (AES)
    • Network-internal communication: IPsec

-> False-base-station attacks: impossible
108
Bluetooth

§ Development
  – Initiated by Ericsson
  – Bluetooth Special Interest Group (SIG)
    • Ericsson, Nokia, IBM, Toshiba, Intel and many others

§ Standard
  – IEEE 802.15.1

§ Benefits
  – Low energy consumption
  – Low sensitivity to interference (spread spectrum techniques)

§ Disadvantages
  – Low bandwidth
  – Limited signal coverage (radius)
  – Limited number of users
109
Technical Details

§ Physical layer
  – License-free ISM band: 2.4 GHz (ISM: Industrial, Scientific, Medical)
  – 2402 to 2480 MHz
  – 79 channels of 1 MHz bandwidth each
  – Frequency hopping with 1600 hops (channel changes) per second

§ Link layer (DLL)
  – Modulation method: Gaussian Frequency Shift Keying
  – Forward Error Correction (FEC)
  – Cyclic Redundancy Check (CRC)
110
Technical Details

§ Specifications
  – 1.0: first spec, still immature, ca. 732 kbps data rate
  – 1.1: broadly used
  – 1.2: adaptive frequency hopping, improved error correction
  – 2.0 (Nov 2004): data rates up to 2 Mbps
  – 3.0 (Apr 2009): data rates up to 24 Mbps
  – 4.0 (Dec 2009): Bluetooth Low Energy

§ Classification
  – Pico-Bluetooth
    • 2.5 mW / 1 mW transmission power (Class 2 and 3)
    • Radius up to 50 m / 10 m
  – Mega-Bluetooth
    • 100 mW transmission power (Class 1)
    • Radius up to 100 m
111
Development of networks

a) Point-to-point
b) Pico-network: 1 master, up to 7 active slaves
c) Scatter-network: various overlapping pico-networks

[Figure: a) one master M linked to one slave S; b) one master M with several slaves S; c) several masters M, each with its slaves S, the pico-networks overlapping in shared nodes]
112
Protocols

[Figure: Bluetooth protocol stack, bottom to top: Bluetooth Radio; Baseband; LMP and L2CAP (Audio sits directly on the Baseband); above L2CAP: RFCOMM, SDP and TCS; on RFCOMM: PPP -> IP, OBEX (vCard, vCal) and AT commands; Voice; …]

According to: Bluetooth Specification Version 2.0 + EDR [vol 4], p. 22

Legend: OBEX OBject EXchange protocol; IP Internet Protocol; PPP Point-to-Point Protocol; SDP Service Discovery Protocol; RFCOMM Serial cable emulation protocol; TCS Telephony Control protocol Specification; LMP Link Manager Protocol; L2CAP Logical Link Control and Adaptation Protocol
113
Protocols (2)

§ Bluetooth Radio
  – Air interface
§ Baseband
  – Functions for link connection, frequency hopping, etc.
§ Link Manager Protocol (LMP)
  – Security features, clock synchronisation
§ Logical Link Control and Adaptation Protocol (L2CAP)
  – Interface for higher protocol layers to access the baseband
§ Service Discovery Protocol (SDP)
  – Information about device types, services, etc.
§ RFCOMM (serial cable emulation protocol)
  – Based on ETSI TS 07.10; for universal use (modem, IP, …)
§ Telephony Control protocol Specification (TCS)
  – For device control
114
Security

§ Security functions
  – Secure device pairing
  – Symmetric authentication (one-sided and mutual)
  – Symmetric encryption

§ Basic algorithm for pairing and authentication
  – SAFER+
    • Publicly known
    • 1 of 15 candidates for AES (Advanced Encryption Standard)
  – Characteristics of SAFER+
    • Block cipher with 128-bit block length
    • 8 rounds
    • Key length 128 bit
  – Used in E21, E22, E1 and E3
115
Pairing

§ Objectives
  – Identification of two devices A and B
  – Generation of a symmetric key KAB

§ Pairing procedure
  1. Exchange of device addresses BD_ADDR_A and BD_ADDR_B
  2. Generate initialization key Kinit (intermediate step)
  3. Generate KAB
116
Pairing (1)

§ Generate initialization key Kinit (algorithm E22)
§ Input:
  – Device address (BD_ADDR_B, 48 bit)
  – PIN (8-128 bit, typ. at least 4 digits)
  – Random number (IN_RAND, 128 bit)
§ Output:
  – Kinit (128 bit)

[Figure: Device A and Device B each compute Kinit = E22(PIN, BD_ADDR_B, IN_RAND). IN_RAND (128 bit) is sent over the air interface; the PIN is entered on both devices and does not go over the air interface.]
117
Pairing (2)

§ Generate KAB (algorithm E21)
§ Input:
  – Random numbers (LK_RAND_A/B, 128 bit)
  – Device addresses (BD_ADDR_A/B, 48 bit)
  – Initialization key Kinit
§ Output:
  – KAB (128 bit)

[Figure: Device A sends LK_RAND_A ⊕ Kinit and Device B sends LK_RAND_B ⊕ Kinit over the air interface; each side unmasks the other's random number with Kinit. Both devices compute LK_K_A = E21(BD_ADDR_A, LK_RAND_A) and LK_K_B = E21(BD_ADDR_B, LK_RAND_B) and combine them into KAB.]
118
Authentication (one-sided or mutual)

§ Algorithm E1
§ Input:
  – Random number AU_RAND
  – KAB
  – Device address A (BD_ADDR_A)
§ Output:
  – true or false
  – ACO (Authenticated Ciphering Offset, 96 bit)

[Figure, one-sided authentication: the verifier (A) sends AU_RAND_A (128 bit) over the air interface to the claimant (B). Both compute E1(KAB, AU_RAND_A, BD_ADDR_A), which yields SRES (32 bit) and ACO. B returns SRES'_A; A checks SRES_A =? SRES'_A: OK, or NO -> HALT. Both sides now hold the same ACO.]
119
Encryption

§ 2 steps
  – Generate key Kc with algorithm E3
  – Data encryption with stream cipher E0

§ Algorithm E3
§ Input:
  – Random number (EN_RAND_A, 128 bit)
  – Ciphering Offset Number (COF, 96 bit) = ACO (from authentication)
  – KAB (128 bit)
§ Output:
  – Kc (8-128 bit, manufacturer specific)

[Figure: Kc = E3(KAB, EN_RAND_A, COF = ACO), identical on A and B]
120
Encryption (2)

§ Algorithm E0
  – Linear feedback shift registers
  – Stream cipher with variable block length up to 64 bit

§ Input:
  – Kc
  – Device address (BD_ADDR_A)
  – Clock (counter)
  – Plaintext or ciphertext

[Figure: E0 = payload key generator (inputs Kc, BD_ADDR_A, Clock) -> payload key -> keystream generator; the keystream XORed with plaintext/ciphertext gives ciphertext/plaintext; identical on A and B]
121
Encryption (3)

[Figure: Device A sends EN_RAND_A and «start encryption» over the air interface. Both A and B derive KC from KAB and EN_RAND_A (E3), feed KC, BD_ADDR_A and Clock_A into E0 to obtain K_cipher, and encrypt the data A-B with it; only encrypted data crosses the air interface.]
122
Summary: security functions

§ Initialization (pairing)
  – Generate symmetric key KAB between the devices
  – KAB is stored
  – Kinit no longer needed

§ Authentication
  – Challenge-response based on KAB

§ Encryption
  – Session key Kc generated from KAB
  – Pseudo-one-time pad
  – Kc can be changed automatically while connected
123
Vulnerabilities

§ PIN used for pairing
  – Often too short (4 digits)
  – Fixed in the device (1234 or 0000)
  – Often one PIN for all devices of a user (convenience)
  – Some devices can only process PINs of max. 16 digits

§ Location finding is easy
  – BD_ADDR used to discover devices
  – Service Discovery Protocol (SDP)
  – Generating route profiles

§ Device address can be faked

§ High vulnerability to DoS attacks
  – Repeated refused queries
    • Result: battery is discharged
124
Known attacks (selection) 1/2

§ Range: with antenna up to 2 km
  – Salzburg Research, August 2004

§ BlueBug: uses implementation errors
  – Marcel Holtmann, Sept 2003
  – BlueSnarf: change phone book, send SMS, …
  – Chaos attack: initiate unnoticed calls, possibilities like BlueSnarf
  – No pairing necessary

§ BlueSmack:
  – DoS attack (uses echo requests)
125
Known attacks (selection) 2/2

§ PIN cracking
  – Yaniv Shaked and Avishai Wool, June 2005
  – Brute-force attack on Kinit (and KAB)
  – Passive attack
    • Pairing process is sniffed by the attacker
  – Active attack
    • Attacker provokes re-pairing and hopes for a weak PIN
  – Not possible if PIN > 64 bit ≈ 19 digits

Results with Pentium IV 3 GHz:

  PIN length | Time in s
  -----------|----------
  4          | 0.063
  5          | 0.75
  6          | 7.609
  7          | 76.127
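The pairing and authentication data flow of slides 116-118 together with the Shaked/Wool PIN-cracking attack from slide 125, as an added example (not from the slides or the Bluetooth specification). E22, E21 and E1 are stand-ins built from SHA-256 rather than the real SAFER+ constructions (the real E22 also pads short PINs with BD_ADDR, which is omitted), so only the protocol structure and the attack logic are real: everything the attacker needs, IN_RAND, both masked LK_RANDs, AU_RAND, SRES and the device addresses, is visible on the air interface, and the PIN is the only unknown. The device addresses and the PIN are constructed test data.

```python
import hashlib
import itertools
import os


def prf(tag: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for the SAFER+-based functions E22, E21 and E1. Only the
    pairing data flow is reproduced, not Bluetooth's real algorithms."""
    return hashlib.sha256(tag + b"|".join(parts)).digest()[:n]


def E22(pin, bd_addr, in_rand):   # -> Kinit (128 bit)
    return prf(b"E22", pin, bd_addr, in_rand, n=16)


def E21(bd_addr, lk_rand):        # -> LK_K (128 bit)
    return prf(b"E21", bd_addr, lk_rand, n=16)


def E1(k_ab, au_rand, bd_addr):   # -> (SRES 32 bit, ACO 96 bit)
    out = prf(b"E1", k_ab, au_rand, bd_addr, n=16)
    return out[:4], out[4:]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pair_and_authenticate(pin, addr_a, addr_b):
    """Pairing (E22, E21) followed by one-sided authentication (E1).
    Returns K_AB and everything an eavesdropper on the air interface sees."""
    in_rand = os.urandom(16)
    k_init = E22(pin, addr_b, in_rand)             # both sides; the PIN itself never goes over the air
    lk_rand_a, lk_rand_b = os.urandom(16), os.urandom(16)
    # LK_RAND_A/B are sent masked with Kinit ("LK_RAND + Kinit" on the slide)
    k_ab = xor(E21(addr_a, lk_rand_a), E21(addr_b, lk_rand_b))
    au_rand = os.urandom(16)
    sres, _aco = E1(k_ab, au_rand, addr_a)         # A challenges, B answers with SRES
    sniffed = {"addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
               "c_a": xor(lk_rand_a, k_init), "c_b": xor(lk_rand_b, k_init),
               "au_rand": au_rand, "sres": sres}
    return k_ab, sniffed


def crack_pin(s, max_digits=6):
    """Shaked/Wool-style offline attack on a sniffed pairing: for each PIN guess
    rebuild Kinit, unmask both LK_RANDs, rebuild K_AB and test it against the
    observed SRES. Cost grows by a factor of 10 per PIN digit."""
    for ndigits in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=ndigits):
            pin = "".join(digits).encode()
            k_init = E22(pin, s["addr_b"], s["in_rand"])
            k_ab = xor(E21(s["addr_a"], xor(s["c_a"], k_init)),
                       E21(s["addr_b"], xor(s["c_b"], k_init)))
            if E1(k_ab, s["au_rand"], s["addr_a"])[0] == s["sres"]:
                return pin, k_ab
    return None, None


def demo():
    addr_a = bytes.fromhex("001122334455")        # constructed BD_ADDRs
    addr_b = bytes.fromhex("66778899aabb")
    k_ab, sniffed = pair_and_authenticate(b"1234", addr_a, addr_b)   # a typical fixed PIN
    pin, k_ab_guess = crack_pin(sniffed, max_digits=4)
    return pin == b"1234", k_ab_guess == k_ab


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The attack is entirely offline once the pairing has been recorded, which is why the table above scales by a factor of ten per digit and why the countermeasure on the next slide is PIN length (and pairing out of band), not anything in the link-layer protocol itself. With K_AB recovered, the attacker also holds everything needed to follow the E3/E0 key derivation for later connections between the two devices.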
126
Security

§ In general
  – no use of Bluetooth, as far as possible
  – if not used, switch it off
  – disable visibility of the device

§ Pairing
  – no pairing in public
  – pairing with another technology (e.g. NFC = Near Field Communication)
  – use non-trivial PINs (more than 18 digits)
  – multiple devices must have different PINs

§ Hope for a good implementation
  – firmware update if necessary
128
WLAN: Wireless Local Area Networks

§ Wireless connection of systems
  – increased mobility
  – no physical (wired) connections

§ Topologies
  – Ad-hoc mode: peer-to-peer connections (client-to-client)
  – Infrastructure mode: via Access Point (AP)

§ IEEE 802.11 standard
  – IEEE: Institute of Electrical and Electronics Engineers
  – defines layer 1 and parts of layer 2 of the OSI reference model
  – shares the Logical Link Control (802.2) with the other 802 standards
129
IEEE 802.11 Standard

[Figure: infrastructure network. Mobile terminal: application / TCP / IP / LLC / 802.11 MAC / 802.11 PHY. Access point: LLC on top of 802.11 MAC + 802.11 PHY on the wireless side and 802.3 MAC + 802.3 PHY on the wired side (bridging at layer 2). Fixed terminal: application / TCP / IP / LLC / 802.3 MAC / 802.3 PHY.]
130
IEEE 802.11 Protocol family

§ Well-known WLAN standards:
  – IEEE 802.11:
    • Infrared (IR)
    • 1 or 2 Mbps via radio in the 2.4 GHz ISM band
  – IEEE 802.11b: 11 Mbps in the 2.4 GHz ISM band
  – IEEE 802.11a: 54 Mbps in the 5 GHz band
  – IEEE 802.11g: 54 Mbps in the 2.4 GHz ISM band
  – IEEE 802.11n: up to 600 Mbps in the 2.4 GHz and 5 GHz bands
  – IEEE 802.11p: 27 Mbps around 5 GHz, car-to-car

§ Security
  – IEEE 802.11i: security (WPA2)
  – Outdated:
    • WEP (Wired Equivalent Privacy)
    • WPA (WiFi Protected Access) and others
131
WLAN

§ Security demands
  – Confidentiality:
    • Protection against eavesdropping
  – Integrity:
    • Protection against modification of messages
    • Protection against unauthorized access
  – Availability:
    • Protection against denial-of-service attacks
132
Protection against unauthorized access

§ Weak protection: MAC addresses
  – Limit access to specific MAC addresses on the network

§ Problem:
  – Management of valid MAC addresses
  – MAC addresses can be spoofed (MAC spoofing)
133
WEP: Wired Equivalent Privacy

§ General
  – Optional sub-protocol of IEEE 802.11
  – Encryption, integrity protection and authentication
  – Implemented in virtually all WLAN devices

§ Encryption
  – Symmetric encryption with 40 or 104 bit keys, based on RC4

§ Integrity protection
  – CRC (Cyclic Redundancy Check)

§ Authentication
  – Method 1: «Open»: no authentication
  – Method 2: «Shared Key»: challenge-response authentication
134
WEP: Encryption

§ Symmetric stream cipher
  – Plaintext XORed with keystream

§ Generation of the keystream
  – Initialization vector (IV, 24 bit)
  – Key (K, 40 or 104 bit)
  – RC4 algorithm used as pseudo-random number generator (PRNG)

§ IV is sent in clear

§ Decryption
  – Receiver generates the same keystream from IV and K
  – Ciphertext XORed with the keystream yields the plaintext again
135
WEP: Encryption and Integrity protection

[Figure: the 24-bit IV and the 40- or 104-bit key K are concatenated into the RC4 (PRNG) seed (64 or 128 bit). The plaintext M is extended by its CRC (the ICV, Integrity Check Value), the result is XORed with the RC4 keystream, and the IV is prepended in clear:]

Ciphertext C = IV || (M || CRC(M)) ⊕ RC4(IV || K)

Or shorter: IV, (M, CRC(M)) ⊕ RC4(IV, K)

|| concatenation, ⊕ XOR
137
WEP: Decryption and integrity protection

[Figure: the inverse of the encryption figure. The receiver takes the IV from the ciphertext C, seeds RC4 (PRNG) with IV || K, XORs the keystream with the rest of C and splits the result into M and ICV. It recomputes CRC(M) = ICV' and checks ICV' =? ICV: OK, or NO -> HALT. || concatenation, ⊕ XOR]
138
WEP: Authentication

§ Two options
  – Open and Shared Key

§ Open (= no authentication)
  – authentication disabled (only the SSID, Service Set Identifier, is needed)

§ Shared Key
  – Challenge-response authentication
  – Access Point sends an unencrypted challenge value
  – Client sends the challenge value back, encrypted, as response
  – Access to the network if the challenge is encrypted correctly
139
WEP: Vulnerabilities

1. Initialization vector
  – IV too short, repeated usage of equal IVs
  – Some products implement IV++ with start value IV = 0
  – Results in a known-plaintext attack:
    • Attacker can store a table of (IV, keystream):
      – Ciphertext C = (M, CRC(M)) ⊕ RC4(IV, K)
      – Attacker knows ciphertext, IV and M: calculate keystream = RC4(IV, K)
      – If the IV occurs again, the attacker can decrypt
  – Message-related break: break individual messages without finding the key K

2. Key K
  – Key length of 40 bit too short (brute-force attack)
140
WEP: Vulnerabilities

3. Weakness in RC4 and its usage
  – «weak» IVs can be used to calculate K with a statistical attack:
    • Attacker knows IV, ciphertext and the beginning of the plaintext
      – Beginning of plaintext: data packets start with M = 0xAAAA03 (SNAP header, SubNetwork Access Protocol) -> attacker knows the first three bytes of the keystream
    • Determine keystream (output of RC4) from ciphertext and M: C = keystream XOR M
    • With knowledge of many IVs and many keystreams:
      – Possible exploitation of a vulnerability of RC4: partial linearity of RC4 allows determination of K from keystream = RC4(IV, K)
  (known: IV, ciphertext and the first plaintext bytes; unknown: K)
141
WEP: Vulnerabilities

3. Weakness in RC4 and its usage

[Figure: as in the encryption figure, IV || K seeds RC4 (PRNG) and the keystream S is XORed with M || CRC(M). Known (red): IV, ciphertext and the plaintext start 0xAAAA03…; unknown (blue): K and the rest of M. Statistical analysis over many packets RC4(IV1, K) = S1, RC4(IV2, K) = S2, RC4(IV3, K) = S3, RC4(IV4, K) = S4, …; result of the weakness: K can be calculated.]
143
WEP: Vulnerabilities

3. Weakness in RC4 and its usage
  – Practical attack
    • 4-6 million data packets required to gather «weak» IVs: ≈ 5 % of the IVs are weak (≈ 900,000 of 2^24)
    • needs 8-12 hours (avg. net load of 1 Mbps) and up to 12 GB HDD space
    • all data packets begin with the SNAP pattern 0xAAAA03
    • partial linearity of RC4 on weak IVs
  – Improvement 1:
    • The attacker can enforce the usage of weak IVs and reduce the network load by choosing the IV himself, sending packets and receiving the answers
  – Improvement 2:
    • Tews et al. (2007) found a further weakness in RC4 that improves the speed of the WEP attack to ≈ 1 min and needs no weak IVs

Weak IVs: the attack is only possible for certain bit combinations in the IV
144
WEP: Vulnerabilities

3. Weakness in RC4 and its usage
  – Literature:
    • Scott Fluhrer, Itsik Mantin, Adi Shamir: Weaknesses in the Key Scheduling Algorithm of RC4. 2001.
    • Adam Stubblefield, John Ioannidis, Aviel D. Rubin: Using the Fluhrer, Mantin, and Shamir Attack to Break WEP. 2001.
    • Erik Tews, Ralf-Philipp Weinmann, Andrei Pyshkin: Breaking 104 bit WEP in less than 60 seconds. 2007.
145
WEP: Vulnerabilities

4. Weakness of CRC
  – CRC and encryption are linear:
    • c(a ⊕ b) = c(a) ⊕ c(b)
  – Modification of data packets is easy:
    • XOR a chosen difference into the (encrypted) plaintext
    • XOR the CRC of that difference into the (encrypted) checksum
146
WEP: Vulnerabilities

4. Weakness of CRC
  – Let (M, CRC(M)) ⊕ RC4(IV, K) = C
  – Attacker sends C ⊕ X with X = (M', CRC(M')):
    X ⊕ (M, CRC(M)) ⊕ RC4(IV, K) = C ⊕ X
  – Recipient decrypts:
    X ⊕ (M, CRC(M)) = (M', CRC(M')) ⊕ (M, CRC(M))
  – Because of the data format and the linearity of the encryption (XOR) and of the CRC:
    CRC(M ⊕ M') = CRC(M) ⊕ CRC(M')
  – Result: the attacker has sent a valid message M ⊕ M'
    • CRC can be used to detect random errors, but not modifications of data by an attacker
147
WEP: Vulnerabilities

4. Weakness of CRC

[Figure: ciphertext from the sender C = (M, CRC(M)) ⊕ RC4(IV, K); X of the attacker: X = (M', CRC(M')); the attacker sends C ⊕ X = (M', CRC(M')) ⊕ (M, CRC(M)) ⊕ RC4(IV, K); the receiver decrypts to (M', CRC(M')) ⊕ (M, CRC(M)) = (M ⊕ M', CRC(M) ⊕ CRC(M')). The receiver's CRC check compares CRC(M ⊕ M') with the received ICV CRC(M) ⊕ CRC(M'); since CRC(a ⊕ b) = CRC(a) ⊕ CRC(b), the check always succeeds here (OK instead of NO -> STOP).]
148
WEP: Vulnerabilities

5. No mutual authentication
  – No protection against false Access Points

6. Ineffective authentication
  – Attacker eavesdrops challenge-response pairs (x / C)
    • Knows x = M and C (and IV)
    • Calculates keystream = RC4(IV, K)
  – Attacker opens his own session
    • Receives a challenge x'
    • Calculates: x' ⊕ RC4(IV, K)
    • Weakness: the attacker chooses the same IV
149
WEP: Vulnerabilities: Ineffective authentication

§ Attacker monitors IV, x and x ⊕ RC4(IV, K)
§ Calculates the keystream RC4(IV, K) from x

[Figure, message sequence:
  Authorized client -> AP: Auth Request
  AP (knows K, chooses a random x) -> client: Challenge x
  Client (knows K, chooses IV) -> AP: x ⊕ RC4(IV, K), IV
  Attacker -> AP: Auth Request
  AP (knows K, chooses a random x') -> attacker: Challenge x'
  Attacker (knows the keystream, chooses the monitored IV) -> AP: x' ⊕ RC4(IV, K), IV]
150
Development of WiFi Security

§ Evolution steps
  – WEP128
  – WEPplus
  – Fast Packet Keying
  – WEP2
  – EAP (Extensible Authentication Protocol)
  – WPA (WiFi Protected Access)

§ IEEE 802.11i
  – «WPA2»
  – covers some of the evolutionary extensions in one standard
151
Comparison of WEP, WPA, WPA2

                   | WEP     | WPA          | WPA2
  -----------------|---------|--------------|-------------
  Encryption       | RC4     | RC4          | AES
  Key length       | 40 bit  | 128 bit      | 128 bit
  IV               | 24 bit  | 48 bit       | 48 bit
  Data integrity   | CRC-32  | Michael      | CCM
  Header integrity | –       | Michael      | CCM
  Replay attacks   | –       | IV sequence  | IV sequence
  Key management   | –       | based on EAP | based on EAP
152
Evolutionary solutions

§ WEP128
  – Proprietary extension of the WEP standard
  – WEP with 128-bit encryption (24-bit IV plus 104-bit key)

§ WEPplus
  – Another proprietary extension of the WEP standard
  – Defined by Agere Systems (ORiNOCO chipset producer)
  – Prevents the occurrence of «weak» IVs

§ Unsolved:
  – No useful authentication
  – No cryptographic integrity
  – Replay / repetition of IVs still very likely
153
Fast Packet Keying

§ Extension for WEP by RSA Security Inc. (developer of RC4)
  – prevent «weak» IVs
  – prevent repeated combinations of IV and key
  – Keystream = RC4(PHASE2(PHASE1(TK, TA), IV))

[Figure: TK (128 bit) and TA (48 bit) enter Phase 1 (key mixing): TTAK = PHASE1(TK, TA), 128 bit. TTAK and the 16-bit IV enter Phase 2 (per-packet key generation): PPK = PHASE2(TTAK, IV), a 128-bit value consisting of a 24-bit WEP IV || 104-bit WEP key, which seeds RC4.]

Legend: TK Temporal Key; TA Transmitter Address; PPK Per Packet Key; TTAK key mixing of TK and TA; Phase 1: key mixing; Phase 2: generating a per-packet key
154
Fast Packet Keying

§ Functionality
  – Symmetric key TK (Temporal Key), 128 bit
  – Key mixing: a new key is generated from TK and the device address TA (Transmitter Address), 48 bit
  – Packet key generation: the 24-bit IV and the WEP key are generated from a 16-bit IV and the mixed key
  – The input of RC4 repeats only after 4·10^21 years

§ Unsolved:
  – No useful authentication
  – No cryptographic integrity
155
WEP2

§ Task Group i (TGi) within IEEE:
  – Objective: improvement of WEP
  – New standards: WEP2, WPA, WPA2

§ WEP2
  – Extension of the IV to 128 bit
  – Optional authentication of Access Points and clients via Kerberos
  – Introduction of session keys

§ Problems:
  – Replay of IVs still possible
  – Weak IVs not excluded
  – Security vulnerability in Kerberos
  – Ineffective authentication
156
EAP

§ Extensible Authentication Protocol
  – Introduced for remote access with dial-in connections
  – Part of the 802.1X standard
  – Authentication and key management
  – Low implementation costs in Access Points (AP)
  – No firmware upgrade necessary

§ Functionality
  – Three systems involved: client, AP, authentication server
  – AP works as a proxy between client and authentication server
  – AP grants access to the network after successful authentication
157
WPA (WiFi Protected Access)

§ WPA is part of IEEE 802.11i

§ Functionality
  – Authentication via EAP
  – Encryption based on RC4 with 128-bit keys
  – New cryptographic integrity protection by the algorithm «Michael»
  – Mechanism to negotiate key length and authentication procedure
  – either: session key distribution over RADIUS servers (Remote Authentication Dial-In User Service)
  – or: without server, via broadcast/multicast
  – IV is incremented with each packet (prevents replay of an IV)
158
WPA (WiFi Protected Access)

§ WPA is part of IEEE 802.11i

§ Problems
  – Broadcast/multicast key is known to all stations
  – «Michael» is relatively weak: O(2^20 … 2^30)
  – 1-minute shut-down of the AP when it receives more than one packet with a failed integrity check within a given time
    • Denial-of-service attacks easy
    • Possible improvements:
      – Reduction of the deactivation/disconnection time (ca. 100 ms)
      – After n authentication errors, renegotiate session keys