Transcript GSM
2. Conventional networks 2.4 GSM Prof. JP Hubaux 1 GSM: Global System for Mobile communications Objectives Unique standard for European digital cellular networks International roaming Signal quality Voice and data services Standardization of the air and the network interfaces Security Principles Strong integration with the telephone network (PSTN) Interfaces inspired by the Integrated Services Digital Network (ISDN) Hence, supervision by means of Signaling System 7 (SS7) 2 Signaling System Number 7 Enhanced services requested by users require bidirectional signaling capabilities, flexibility of call setup and remote database access With SS7, a signaling channel conveys, by means of labeled messages, signaling information relating to call processing and to network management SS7 is the most important signaling system in the world: it supervises the PSTN, the cellular networks (GSM), and the Intelligent Network 3 SS7 in the PSTN Analog ISDN CPE UNI SS7 SS7 Analog ISDN NNI Switch Switch UNI CPE Circuit Switching Network CPE: Customer Premises Equipment UNI: User-Network Interface NNI: Network-Network Interface ISDN: Integrated Services Digital Network 4 Interface between the circuit switching network and the signaling network Signaling Links Signaling Point Control Unit Signaling Point Signaling Network (SS7) Fabric Fabric Control Unit Voice Circuits 5 Signaling and Switching Planes SP: Signaling Point STP: Signaling Transfer Point SP Signaling Plane SP STP Signaling link SP STP SP Switching Plane Voice circuits 6 Example of Signaling Network STP STP STP PTS SP SP SP SP Operator 1 Operator 2 SP 7 SS7 Architecture OSI Layers 7 4, 5 et 6 SS7 Layers OMAP ASE MAP and INAP ISDNTCAP User Part For further study (ISUP) SCCP 3 MTP Level 3 2 MTP Level 2 1 MTP Level 1 ASE: Application Service Element INAP: Intelligent Network Application Part MAP: Mobile Application Part MTP: Message Transfer Part OMAP: Operations, Maintenance and Administration Part SCCP: Signaling Connection Control Part TCAP: Transaction Capabilities Application Part 8 ISUP Call setup phase ISDN ISDN SS7 SSP SSP STP SETUP IAM IAM SETUP Call Proceeding Call Proceeding ACM ALERTING CONNECT CONNECT ACK ANM ACM ANM ALERTING CONNECT CONNECT ACK 9 IAM: Initial Message; ACM: Address Complete Message; ANM: Answer Message ISUP Call Release phase ISDN SS7 SSP DISCONN ISDN STP REL SSP REL DISCONN RLC RLC RELEASE RELEASE RELACK REL: Release RLC: Release Complete 10 Addressing in GSM Call to Nr 085-123456 SIM card User (identifier: IMSI) (identifier: MSISDN) Terminal (identifier: IMEI) SIM: Subscriber Identity Module IMSI: International Mobile Subscriber Identity IMEI: International Mobile Equipment Identity MSISDN: Mobile Station ISDN Number MSISDN 085-123456 IMSI 208347854033 11 GSM Architecture Equipment Identity Register Authentication Center F C Um Mobile Station Home Location Register D BTS Abis BSC A E MSC BSS B Visitor Location Register G BSS: Base Station System BTS: Base Transceiver Station BSC: Base Station Controller MSC: Mobile Switching Center MSC Visitor Location Register 12 Functions of the MSC Paging Coordination of call set up from all MSs in its jurisdiction Dynamic allocation of resources Location registration Interworking function with different networks (e.g., PSTN) Handover management Billing for all subscribers based in its area Reallocation of frequencies to BTSs in its area to meet heavy demand Encryption Echo canceler operation control Signaling exchange between different interfaces Gateway to Short Message Service 13 GSM air interface protocols Air interface Um A Abis CM CM MM MM RRM RRM LAPDm LAPDm radio radio LAPDm radio Mobile Base transceiver station station CM: call management MM: mobility management RRM: Radio resources management (ISDN) BSSAP: BSS Application Part RRM LAPDm radio BSSAP BSSAP SCCP SCCP MPT3 MTP3 MPT2 MTP2 MTP1 MPT1 Base station Mobile switching controller center SCCP: Signal connection control part MTP: message transfer part LAPD: link access - protocol D channel 14 Location updating MS BSS MSC/VLR HLR Mobile turns on Channel setup, radio resource reservation Location updating request Authentication info request Authentication challenge Authentication info Authentication response Update location Insert subscriber data Insert subscriber data ack Ciphering mode command Cipher mode command Ciphering mode complete Cipher mode complete Update location ack TMSI reallocation command TMSI reallocation complete Location updating accept Release radio channel Clear command 15 Role of SS7: location updating HLR PSTN switch Network BSS MSC/VLR : messages conveyed by SS7 16 Role of SS7: call supervision HLR PSTN switch 3 1 4 2 MSC 5 Network BSS 6 MSC/VLR Data channels are setup after the messages shown have been sent : messages conveyed by SS7 17 Billing Principles in GSM Basic principle: the calling party pays Exception: the calling party does not pay for extra charges induced by initiatives of the callee: roaming call forwarding 18 Data services of GSM Short Message Service (SMS) Similar to advanced paging systems Makes use of the control channel General Packet Radio Service (GPRS) Aimed at interfacing the Internet (e.g., for Web browsing) Rates up to 170kb/s High Speed Circuit-Switched Data (HSCSD) 19 Short Message Service: message sent to a MS MS BSS MSC/VLR HLR SMS-MSC Routing info req. Service Center Message transfer Routing info Paging Forward message Channel setup Authentication and ciphering Message Message ACK Message ACK Message tr. report Release of the radio channel Assumption: before being paged, the terminal is idle 20 General Packet Radio Service IP address: 137.32.171.176 Laptop 128.178.151.82 GPRS Network 137.32 Internet LAN: 128.178.151 21 GPRS architecture Laptop MSC HLR GR SGSN GGSN Data Network (IP) GPRS network (based on IP) : signaling + data : signaling only GR: GPRS Register: manages the association between the IP address and the IMSI SGSN: Serving GPRS Support Node (router) GGSN: Gateway GPRS Support Node (router) 22 User plane protocols Application Network Network layer: IP, X.25,…(Packet Data Protocol) SNDCP SNDCP LAPG LAPG RLC RLC BSSGP MAC MAC BSSGP Network GTP GTP IP IP Data link Data link MAC Physical layer Phys. L. Phys. L. Phys. L. Phys. L. Physical layer MS BSS SGSN GGSN RLC: Radio Link Control BSSGP: BSS GPRS Protocol GTP: GPRS Tunnel Protocol To the data network SNDCP: Subnetwork Dependent Convergence Protocol LAPG: Link Access Protocol on G channel 23 Mobility management IDLE Attachment to the network Detachment or time out Detachment Time out STAND-BY READY Sending or reception of data Idle: no active GPRS session Ready: session established; ongoing data exchange; precise mobile location (which cell) Stand-by: session established, with no ongoing data exchange; approximate mobile location, the mobile has to be tracked in its routing area During a GPRS session (Ready or Stand-by states), the session itself is identified by a TLLI (Temporary Logical Link Identity) 24 Network attachment + context activation MS BSS SGSN HLR/GR GGSN Channel setup GPRS attach request (IMSI) Authentication Profile + auth. request Profile + auth. info Ciphering activation GPRS attach result (TLLI) (MS is attached) Activate PDP context req (TLLI, PDP addr of MS) Provide registration Record request (IMSI) Security functions Provide registration Record response (IP address of the GGSN,…) GGSN update request (PDP addr of MS, QoS) Activate PDP context response GGSN update response 25 GSM Frequencies Frequency band GSM (Europe) DCS (Europe) GSM (USA) 890-915 MHz 935-960 MHz 1710-1785 MHz 1805-1880 MHz 1850-1910 MHz 1930-1990 MHz DCS = Digital Cellular System: same principles as GSM, but at frequencies better suited for microcells 26 GSM Security: The SIM card (Subscriber Identity Module) Must be tamper-resistant Protected by a PIN code (checked locally by the SIM) Is removable from the terminal Contains all data specific to the end user which have to reside in the Mobile Station: IMSI: International Mobile Subscriber Identity (permanent user’s identity) PIN TMSI (Temporary Mobile Subscriber Identity) Ki : User’s secret key Kc : Ciphering key List of the last call attempts List of preferred operators Supplementary service data (abbreviated dialing, last short messages received,...) 27 Cryptographic algorithms of GSM Random number User’s secret key R Ki A3 A8 S Kc R Authentication Kc: ciphering key S : signed result A3: subscriber authentication (operator-dependent algorithm) A5: ciphering/deciphering (standardized algorithm) A8: cipher generation (operator-dependent algorithm) A5 Triplet Ciphering algorithm 28 Authentication principle of GSM Mobile Station Visited network Home network Ki IMSI/TMSI R IMSI (or TMSI) IMSI Triplets (Kc, R, S) Authenticate (R) Ki A8 A3 Kc S Triplets R A8 A3 Kc S’ Auth-ack(S’) S=S’? 29 Ciphering in GSM FRAME NUMBER Kc PLAINTEXT SEQUENCE FRAME NUMBER Kc A5 A5 CIPHERING SEQUENCE CIPHERING SEQUENCE Sender (Mobile Station or Network) CIPHERTEXT SEQUENCE PLAINTEXT SEQUENCE Receiver (Network or Mobile Station) 30 Conclusion on GSM security Focused on the protection of the air interface No protection on the wired part of the network (neither for privacy nor for confidentiality) The visited network has access to all data (except the secret key of the end user) Generally robust, but a few successful attacks have been reported: faked base stations cloning of the SIM card 31 GSM today The common digital cellular technique deployed throughout Europe Probably the leading cellular technology worldwide Hundreds of millions of subscribers in more than 100 countries 7000+ pages of standards... 32 3GPP Security Principles (1/2) Reuse of 2nd generation security principles (GSM): Removable hardware security module • In GSM: SIM card • In 3GPP: USIM (User Services Identity Module) Radio interface encryption Limited trust in the Visited Network Protection of the identity of the end user (especially on the radio interface) Correction of the following weaknesses of the previous generation: Possible attacks from a faked base station Cipher keys and authentication data transmitted in clear between and within networks Encryption not used in some networks open to fraud Data integrity not provided … 33 3GPP Security Principles (2/2) New security features New kind of service providers (content providers, HLR only service providers,…) Increased control for the user over their service profile Enhanced resistance to active attacks Increased importance of non-voice services … 34 Authentication in 3GPP Mobile Station Visited Network Home Environment Sequence number (SQN) RAND(i) K: User’s secret key Authentication vectors 〓 K User authentication request IMSI/TMSI RAND(i) AUTN (i) Generation of cryptographic material Verify AUTN(i) Compute RES(i) User authentication response RES(i) K Compute CK(i) and IK(i) Compare RES(i) and XRES(i) Select CK(i) and IK(i) 35 Generation of the authentication vectors (by the Home Environment) Generate SQN Generate RAND AMF K f1 f2 f3 f4 f5 MAC (Message Authentication Code) XRES (Expected Result) CK (Cipher Key) IK (Integrity Key) AK (Anonymity Key) 〓 〓 〓 : RAND XRES CK IK AUTN 〓 Authentication vector: AV 〓 〓 Authentication token: AUTN : ( SQN AK ) AMF MAC AMF: Authentication and Key Management Field 36 User Authentication Function in the USIM AUTN RAND SQN AK AMF MAC f5 AK SQN K f1 f2 f3 f4 XMAC (Expected MAC) RES (Result) CK (Cipher Key) IK (Integrity Key) • Verify MAC = XMAC • Verify that SQN is in the correct range USIM: User Services Identity Module 37 More about the authentication and key generation function In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN). f1, f1*, f2, f3, f4, f5 and f5* are operator-specific However, 3GPP provides a detailed example of algorithm set, called MILENAGE MILENAGE is based on the Rijndael block cipher In MILENAGE, the generation of all seven functions f1…f5* is based on the Rijndael algorithm 38 Authentication and key generation functions f1…f5* RAND SQN||AMF OP OPc EK OPc EK OPc OPc OPc rotate by r1 c1 rotate by r2 c2 EK f1 rotate by r3 c3 EK OPc OPc f1* OPc f5 f2 OP: operator-specific parameter r1,…, r5: fixed rotation constants c1,…, c5: fixed addition constants OPc rotate by r4 c4 EK OPc c5 EK OPc f3 rotate by r5 EK OPc f4 f5* EK : Rijndael block cipher with 128 bits text input and 128 bits key 39 Signalling integrity protection method SIGNALLING MESSAGE SIGNALLING MESSAGE FRESH FRESH COUNT-I IK COUNT-I DIRECTION f9 IK DIRECTION f9 MAC-I XMAC-I Sender (Mobile Station or Radio Network Controller) Receiver (Radio Network Controller or Mobile Station) FRESH: random input 40 f9 integrity function COUNT || FRESH || KASUMI ||DIRECTION||1|| 0…0 IK KASUMI • KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits) • PS: Padded String • KM: Key Modifier PSBLOCKS-1 PS2 PS1 PS0 IK MESSAGE IK IK KASUMI IK KM KASUMI KASUMI MAC-I (left 32-bits) 41 Ciphering method LENGTH BEARER COUNT-C CK COUNT-C DIRECTION f8 CK KEYSTREAM BLOCK PLAINTEXT BLOCK Sender (Mobile Station or Radio Network Controller) LENGTH BEARER DIRECTION f8 KEYSTREAM BLOCK CIPHERTEXT BLOCK PLAINTEXT BLOCK Receiver (Radio Network Controller or Mobile Station) BEARER: radio bearer identifier COUNT-C: ciphering sequence counter 42 f8 keystream generator COUNT || BEARER || DIRECTION || 0…0 KM: Key Modifier KS: Keystream CK KASUMI KM Register BLKCNT=0 CK BLKCNT=1 KASUMI KS[0]…KS[63] CK BLKCNT=2 KASUMI CK BLKCNT=BLOCKS-1 KASUMI KS[64]…KS[127] KS[128]…KS[191] CK KASUMI 43 Detail of Kasumi L0 32 R0 32 64 KL1 32 16 FO1 FO2 Zero-extend KL2 FL2 S7 KOi,2 FL3 KIi,j,2 KIi,j,1 FO3 KO4, KI4 FO4 KL4 S9 KOi,3 FL4 Zero-extend KIi,3 FIi3 FL5 truncate KIi,2 FIi2 KO3 , KI3 KL3 7 S9 KIi,1 FIi1 KO2 , KI2 16 9 KOi,1 KO1 , KI1 FL1 16 KO5 , KI5 KL5 FO5 S7 truncate KO6 , KI6 FO6 KL6 FL6 Fig. 2 : FO Function KO7 , KI7 KL7 FL7 Fig. 3 : FI Function 32 FO7 16 16 KLi,1 KO8 , KI8 FO8 <<< KL8 FL8 KLi,2 <<< L8 R8 Fig. 4 : FL Function C Fig. 1 : KASUMI Bitwise AND operation KLi, KOi , KIi : subkeys used at ith round S7, S9: S-boxes Bitwise OR operation <<< One bit left rotation 44 Security: 3GPP vs Mobile IP 3GPP Mobile IP Key management Manual (KMH) + roaming agreements Manual or via the Internet Key Exchange (IKE) Session key Authentication vector Registration key Authentication f1,…, f5* (e.g. MILENAGE) AH Data integrity f9 (Kasumi) AH Confidentiality f8 (Kasumi) ESP Location privacy wrt correspondents wrt foreign domain Yes No (it can require the IMSI) Yes (e.g., with rev. tunnelling) Partial Protection of foreign domain against repudiation by user No (cryptographic material provided in advance) ? Lawful interception Yes 45 Conclusion on 3GPP security Some improvement with respect to 2nd generation Cryptographic algorithms are published Integrity of the signalling messages is protected Quite conservative solution No real size experience so far Privacy/anonymity of the user not completely protected 2nd/3rd generation interoperation will be complicated and might open security breaches 46 References On Signalling System 7 Travis Russel, Signaling System #7, Second Edition, McGraw-Hill Telecommunications, 1998. Uyless Black, ISDN and SS7, Prentice Hall, 1997 Abdi Modaressi and Ronald A. Skoog, Signaling System N°7: A tutorial, IEEE Communications Magazine, July 1990, pp 19-35. On GSM D. Goodman: Wireless Personal Communications Systems Addison-Wesley, 1997 S. Redl et al.: GSM and Personal Communication Handbook Artech House Publ, 1998 A. Mehrotra: GSM System Engineering Artech House Publ, 1997 On GPRS R. Kalden et al.: Wireless Interned Access Based on GPRS IEEE Personal Communication Magazine, April 2000 On 3GPP 3rd Generation Partnership Project: http://www.3gpp.org 47