topics in information security instant ciphertext-only cryptanalysis of gsm encrypted communication...

Topics In Information Security: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. Presented by Idan Sheetrit (idanshee@post.tau.ac.il). Elad Barkan, Eli Biham, Nathan Keller

Upload: joan-quiller

Post on 14-Dec-2015


TRANSCRIPT

Page 1: Topics In Information Security Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication Presented by Idan Sheetrit idanshee@post.tau.ac.il

Topics In Information Security

Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication

Presented by Idan Sheetrit

idanshee@post.tau.ac.il

Elad Barkan, Eli Biham, Nathan Keller

Page 2

Introduction

• GSM is the most widely used cellular system in the world (over a billion customers).

• Based on second-generation cellular technology (offers digitized voice).

• GSM was the first cellular system that seriously considered security threats.

• GSM was influenced by the political atmosphere around cryptology in the 1980s (civilians were not allowed to use strong cryptography).

• Protects only the air interface.

Page 3

GSM structure

[Diagram: network elements BTS, BSC, MSC, AuC, Modem/TA, ISDN/PSTN, Internet]

BSC - Base Station Controller

BTS - Base Transceiver Station

MSC - Mobile Switching Center

AuC - Authentication Centre

TA - Terminal Adapter

Page 4

GSM Security

[Diagram: Mobile Station (SIM), Radio Link, GSM Operator. Labels: A3, A8 and A5 on both sides; Ki; Kc; Fn; Challenge RAND; Signed response (SRES); mi; Encrypted Data. Authentication: are SRES values equal?]

• Ki – pre-shared secret

• A3, A8 – one-way functions.

• A5/0 – no encryption. A5/1 – export restricted. A5/2 – for export (weaker)

Page 5

Description of A5/2

The key setup of A5/2:

Page 6

Description of A5/2 (2)

• First initialize A5/2 with Kc and f.

• Run A5/2 for 99 cycles

• Run A5/2 for 228 cycles and use the output as keystream.

• The first 114 bits are used as keystream to encrypt the downlink and the second half of 114 bits is used for the uplink.

Page 7

Previous work

• A5/1 and A5/2 were reverse engineered

• Several known-plaintext attacks were published

• The best attack requires only four plaintext data frames.

Page 8

Ciphertext-Only Attack on A5/2

• GSM must use error correction to withstand reception errors.

• During transmission a message is first subjected to an error-correction code, then encrypted.

• Structured redundancy in the message can be used for a ciphertext-only attack.

Page 9

Ciphertext-Only Attack on A5/2

• Coding and interleaving operations can be modeled as a multiplication of the message by a constant matrix.

– P – 184-bit message

– G – constant 456x184 matrix over GF(2)

– g – constant vector

– M = (G · P) xor g (divided into 4 data frames)

• G is a binary matrix, so there are 456-184=272 equations that describe the kernel of the inverse transformation.

• H – the matrix that describes these 272 equations, i.e. H·(M xor g) = 0

Page 10

Ciphertext-Only Attack on A5/2

• C = M xor k (k is the keystream)

• H·(C xor g) = H·(M xor k xor g) = H·(M xor g) xor H·k = 0 xor H·k = H·k

• C is known, so we have linear equations over the bits of k.
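
Added example (not part of the original slides): a check of the identity H·(C xor g) = H·k using the slide's dimensions. The matrix G and vector g here are random stand-ins constructed for the demonstration, not the real GSM coding and interleaving matrices, and all function names are this example's own.

```python
import random

N, K = 456, 184          # coded bits and message bits, as on the slide

def parity(x):
    return bin(x).count("1") & 1

def encode(G, g, P):
    """M = (G·P) xor g over GF(2); G is a list of N rows stored as K-bit ints."""
    M = 0
    for i, row in enumerate(G):
        M |= parity(row & P) << i
    return M ^ g

def parity_checks(G):
    """Return the rows h (as N-bit ints) with h·G = 0, i.e. the matrix H."""
    pivots, H = {}, []
    for i, row in enumerate(G):
        combo = 1 << i               # which rows of G have been XORed together
        while row:
            top = row.bit_length() - 1
            if top not in pivots:
                pivots[top] = (row, combo)
                break
            prow, pcombo = pivots[top]
            row ^= prow
            combo ^= pcombo
        if row == 0:                 # linear dependency found: one equation of H
            H.append(combo)
    return H

def syndrome(H, v):
    return [parity(h & v) for h in H]

def demo(seed=1):
    rng = random.Random(seed)
    # Constructed stand-ins: a random G and g, NOT the real GSM matrices.
    G = [rng.getrandbits(K) for _ in range(N)]
    g = rng.getrandbits(N)
    H = parity_checks(G)
    P = rng.getrandbits(K)           # message
    k = rng.getrandbits(N)           # keystream, unknown to an observer
    M = encode(G, g, P)
    C = M ^ k                        # ciphertext: encoded message xor keystream
    return len(H), syndrome(H, M ^ g), syndrome(H, C ^ g), syndrome(H, k)

if __name__ == "__main__":
    rows, s_plain, s_cipher, s_key = demo()
    print(rows, any(s_plain), s_cipher == s_key)
```

The syndrome computed from the ciphertext alone equals H·k, which is why applying error correction before encryption exposes linear relations on the keystream.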

Page 11

GSM Service Request and Authentication Protocol

[Diagram: message flow between SIM, MSC and AuC. Labels: Service Req; Authentication Data Request; {RAND, XRES, Kc}; AUTHREQ(RAND); AUTHREQ(SRES); A3 and A8 with Ki and RAND on the SIM side (Kc, RES) and on the AuC side (Kc, XRES); SRES = XRES?; Cipher; Ack (Use A5/1)]

Page 12

Class-Mark Attack

[Diagram: Phone, Attacker, Network. Labels: Service Req (A5/1); Service Req (A5/2); Use A5/2]

• An attacker can change the class-mark information that the phone sends to the network.

• The attacker's signal must override the phone's signal, or the attacker must mount a man-in-the-middle attack.

Page 13

Recovering Kc of Past or Future Conversations

[Diagram: Attacker and SIM. Labels: RAND; RES; Kc; A3; A8; Ki; Use A5/2; Cipher (A5/2)]

• The protocol doesn’t provide any key separation (all encryption algorithms use the same key).

• An attacker can use a fake base station and instruct the phone to use A5/2 and then easily resolve Kc (Future Conversation Attack).

• If the attacker has access to the SIM he can easily get Kc.

• If he doesn’t, he can instruct the phone to use A5/2.

• If an attacker recorded the conversation he can send the recorded RAND to the phone.

Page 14

Man in the middle attack

[Diagram: message flow between Victim, Attacker and Network. Labels: RAND; RES; Kc; A3; A8; Ki; CIPHMODCMD:A5/2; CIPHMODCMD:A5/1; CIPHMODCMD (Encrypted); Find A5/2 key]

Page 15

Attack Scenarios

• Call Wire-Tapping

• Call Hijacking

• Altering of Data Messages (SMS)

• Call Theft – Dynamic Cloning

Page 16

Protocol Weakness

• The authentication protocol can execute at the beginning of the call. The phone cannot ask for authentication. If there is no authentication, Kc stays as in the previous conversation.

• The network chooses the encryption algorithm (the phone only reports the ciphers it supports).

• The class-mark message is not protected.

• There is no mechanism that authenticates the network to the phone.

• No key separation between the algorithms or method of communication.

• RAND reuse is allowed.

Page 17

Acquire a Specific Victim

• GSM includes a mechanism that is intended to protect the identity of the mobile phone.

• Each subscriber is allocated a Temporary Mobile Subscriber Identity (TMSI) over an encrypted link.

• The TMSI can be reallocated every once in a while, in particular when there is a change in location.

• The TMSI is used to page on incoming calls and for identification during unencrypted parts.

• The fixed identification of the subscriber is its International Mobile Subscriber Identity (IMSI).

• If both TMSI and IMSI are unknown to the attacker, he may be forced to listen in to all the conversations in the area.

Page 18

Acquire a Specific Victim (2)

• The attacker has the victim's phone number and wishes to associate it with the subscriber's IMSI or TMSI.

• Solutions:

– Can call the victim, and monitor all the calls (recognize his own caller ID).

– Send a malformed SMS message.

• When performing an active attack, the attacker needs to lure the mobile into his own fake base station.

Page 19

GSM-Security

• Cryptographic methods secret, not "well examined"

• Symmetric procedure

– consequence: storage of user-specific secret keys with net operators required

• No end-to-end encryption

• Key generation and administration not controlled by the participants

• Same key is used for A5/1 and A5/2.

• No mutual authentication intended

– consequence: attacker can pretend to be a GSM net

• No end-to-end authentication

• As a result of the initial publication of this paper, the GSM security group is working to remove A5/2 from the handsets.

Page 20

Thank you

Page 21

Homework

1. Define in one line the following: GSM, UMTS, DECT, TETRA, ERMES.

2. Why does using a SIM help security?

3. How would you attack someone’s GSM mobile phone? Describe the system and the steps of the attack.

4. Describe at least 3 known weaknesses of GSM and how you would fix them if you could change the standard or the system.

5. Bonus: Describe a new attack (which isn't mentioned in the paper) on a GSM network.

E-Mail: [email protected]