On the Security of 3GPP Networks

Download Report

Transcript On the Security of 3GPP Networks

Security for 3G Systems
Michael Walker
Head of R&D Vodafone UK
Vodafone Professor of Telecommunications at
Royal Holloway, University of London
Chairman 3GPP SA3 - Security
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
1
Acknowledgements
This presentation is based on the technical
specifications and reports produced by the
members of 3GPP SA3 and ETSI SAGE
• available from http://www.3gpp.org
Much of the back ground work was done as part of
the EU funded ACTS project USECA
• the partners are Vodafone, G&D, Panasonic, Siemens
Atea, Siemens AG & Katholieke Universiteit Leuven
• http://www.useca.freeserve.co.uk
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
2
Principles for 3G Security
Build on the security of GSM
• adopt the security features from GSM that have proved
to be both needed and robust
• try to ensure compatibility with GSM in order to ease
inter-working and handover
Correct the problems with GSM by addressing its
real and perceived security weaknesses
Add new security features
• as are necessary to secure new services offered by 3G
• to take account of changes in network architecture
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
3
3GPP/GSM Architecture
UE
AN
CN
MSC
SIM
MT
Um
BTS
BSS
Abis
BS
BSC
MSC
RNS
Iub
RNC
Iur
Uu
BS
RNS
Iub
D
HLR
H
AUC
F
Gb
Iu
USIM Cu ME
GMSC
A
EIR
Uu
SCF
E,
G
Iu
USIM Cu ME
External
Networks
Gf
SGSN
Gd,
Gp,
Gn+
RNC
SGSN
Gr
SMSGMSC
SMSIWMSC
Gn+
ISDN
PSTN
PSPDN
CSPDN
PDN:
-Intranet
-Extranet
-Internet
GGSN
Note:
Not all interfaces
shown and named
UTRAN
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
4
Building on GSM Security
Be compatible with the GSM core network
Provide user authentication and radio interface
encryption
Continue to use a smart card as a security module
• removable hardware
• terminal independent
• management of all customer parameters
Security must operate without user assistance
Require minimal trust in serving network
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
5
Limitations of GSM Security
Security problems in GSM stem by and large from
design limitations on what is protected rather than
on defects in the security mechanisms themselves
• design only provides access security - communications
and signalling in the fixed network portion aren’t
protected
• design does not address active attacks, whereby
network elements may be impersonated
• designed to be only as secure as the fixed networks to
which GSM systems connect
• lawful interception only considered as an after thought
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
6
Limitations of GSM Security, 2
Failure to acknowledge limitations
• encryption needed to guard against radio channel hijack
• the terminal is an unsecured environment - so trust in
the terminal identity is misplaced
Inadequate flexibility to upgrade and improve
security functions over time
Lack of visibility that the security is being applied
• no indication to the user that encryption is on
• no explicit confirmation to the home network that
authentication is properly used when customers roam
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
7
Limitations of GSM Security, 3
Lack of confidence in cryptographic algorithms
• lack of openness in design and publication of A5/1
• misplaced belief by regulators in the effectiveness of
controls on the export or (in some countries) the use of
cryptography led to A5/2
• encryption key length of 54 bits too short - some
implementation faults make increase of length even to
64 bits difficult
• ill advised use of COMP 128 for authentication
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
8
Specific GSM Security Problems
Encryption terminated too soon
• user traffic and signalling in clear on microwave links
Clear transmission of cipher keys & authentication
values within and between networks
• signalling system vulnerable to interception and
impersonation
Confidence in strength of algorithms
• failure to choose best authentication algorithms
• improvements in cryptanalysis of A5/1
Use of false base stations
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
9
False Base Stations
Used as IMSI Catcher
for law enforcement
Used to intercept
mobile originated calls
• encryption controlled
by network and user
unaware if it is not on
Dynamic cloning risk
in networks where
encryption is not used
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
10
3GPP Security Architecture Overview
IV.
User Application
Provider Application
I.
III.
TE
I.
USIM
II.
I.
I.
I.
MT
PKS 2000, San Jose
19-21 September 2000
AN
SN/
VLR/
SGSN Transport
stratum
Security for 3G Systems
Application
stratum
Home
stratum/
HE/AuC Serving
stratum
I. Network access security
II. Provider domain security
III. User domain security
IV. Application specific
security
11
Authentication & Key Agreement (AKA)
Provides authentication of user (USIM) to
network & network to user
Establishes a cipher key CK & an integrity key IK
Provides an authenticated management field from
home network to USIM to allow
• algorithms and authentication keys to be selected
• the home network to control the number of times a
particular (CK,IK) pair is used
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
12
AKA Message Flow
USIM
HLR/AuC
VLR or SGSN
Distribution of
quintets from
HLR/AuC
to VLR/SGSN
auth. data request
Generate
quintets
Quintets
(RAND, XRES, CK, IK, AUTN)
RAND, AUTN
Over-the-air
authentication
and key
agreement
Verify MAC, SQN
Derive CK, IK, RES
RES
XRES = RES ?
Start using CK, IK
Start using CK, IK
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
13
AKA Variables and Functions
K
RAND
SQN
XRES
CK
IK
AK
AMF
MAC
= user specific authentication key
= random challenge generated by AuC in user‘s home network
= sequence number
= f2K (RAND) = expected user response computed by AuC
= f3K (RAND) = cipher key
= f4K (RAND) = integrity key
= f5K (RAND) = anonymity key
= authentication management field
= f1K(SQN || RAND || AMF) = message authentication code
computed over SQN, RAND and AMF
AUTN = SQNAK || AMF || MAC = network authentication
token, concealment of SQN with AK is optional
Quintet = (RAND, XRES, CK, IK, AUTN)
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
14
AKA Cryptographic Parameters
K
RAND
RES
CK
IK
AUTN
• SQN
• AMF
• MAC
PKS 2000, San Jose
19-21 September 2000
128 bits
128 bits
32 -128 bits
128 bits
128 bits
128 bits
Sequence number
Authentication management field
Message authentication code
Security for 3G Systems
48 bits
16 bits
64 bits
15
Air-interface Encryption, 1
Applies to all user traffic and signalling messages
Uses stream ciphering function f8:
• UEA1 = Kasumi; UEA0 = no encryption
COUNT-C DIRECTION
BEARER
LENGTH
f8
CK
COUNT-C DIRECTION
BEARER
LENGTH
CK
KEYSTREAM
BLOCK
PLAINTEXT
BLOCK
f8
KEYSTREAM
BLOCK
CIPHERTEXT
BLOCK
Receiver
ME or RNC
Sender
ME or RNC
PKS 2000, San Jose
19-21 September 2000
PLAINTEXT
BLOCK
Security for 3G Systems
16
Air-interface Encryption, 2
• Termination points
• user side: mobile equipment, network side: radio network controller
• Ciphering in layer 2
• RLC sublayer
non-transparent RLC mode
• MAC sublayer
transparent RLC mode
(signalling, data)
(voice)
• Key input values to algorithm
• CK
128 bits
Cipher key
• COUNT-C
32 bits
Ciphering sequence number
• BEARER
5 bits
Bearer identity
• DIRECTION
1 bit
Uplink/downlink
• LENGTH
16 bits
Length of keystream block
• Further input values
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
17
Air-interface Integrity Mechanism, 1
 Applies to all except a specifically excluded signalling
messages after security mode set-up
 MS supervises that it is started
 Uses integrity function f9: UIA1 = Kasumi
COUNT- I DIRECTION
MESSAGE
FRESH
f9
IK
COUNT- I DIRECTION
MESSAGE
FRESH
IK
MAC- I
XMAC- I
MESSAGE
MAC- I
MAC- I =
XMAC- I ?
Receiver
ME or RNC
Sender
ME or RNC
PKS 2000, San Jose
19-21 September 2000
f9
Security for 3G Systems
18
Air-interface Integrity Mechanism, 2
• Termination points
• user side: mobile equipment, network side: radio network controller
• Integrity protection: layer 2
• RRC sublayer
• Key input values
•
•
•
•
IK
COUNT-I
FRESH
MESSAGE
128 bits
32 bits
32 bits
Integrity key
Integrity sequence number
Connection nonce
Signalling message
• Further input values
• DIRECTION
1 bit
Uplink/downlink
• Output values
• MAC-I/XMAC-I
PKS 2000, San Jose
19-21 September 2000
32 bits
Security for 3G Systems
message authentication code
19
Security Choices
AKA is performed when
• the user enters a new SN
• the user indicates that a new AKA is required when the
amount of data ciphered with CK has reached a
threshold
• the serving network decides
Otherwise integrity-key based authentication
Selection of UEA and UIA by user’s home
environment
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
20
Network Domain Security
Secures signalling data transmitted between and
within 3GPP networks
• for example the authentication vectors
Two different security protocols being designed
Application layer security
• for signalling protocols running over SS7, for example
MAP and CAP
IP layer security
• for native IP based protocols such as GTP and CSCFHSS signalling
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
21
Application Layer Security Architecture
Network I
KACI
Intermedi ate
IP Network
ZA
Network II
KACII
negotiate SA for ZC with IKE
according to DOI for MAP
distribute SA
distribute SA
with IPsec
with IPsec
ZB
SS7 network
ZB
ZC
NE
SA for MAP
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
NE
22
Application Layer Security Features
MAP signalling provided with encryption, origin
authentication and integrity using standard
symmetric techniques
Block cipher BEANO designed by ETSI SAGE
for securing signalling on public networks may be
used
For communications secured at the application
layer, 3GPP will define new Security Associations
(i.e. create a new Domain of Interpretation)
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
23
IP Layer Security Architecture
Intermedi ate
IP Network
Network I
ZA
KACI
distribute SA
ZB
ZB
SEGI
SA Class 1
SA Class 2
ZC
NE
SA Class 3
PKS 2000, San Jose
19-21 September 2000
KACII
negotiate SA for ZC with IKE
according to DOI for IPsec
distribute SA
with IPsec
Network II
Security for 3G Systems
with IPsec
SEGII
SA Class 1
NE
24
IP Layer Security Features
IP layer security provides encryption, origin
authentication and integrity using standard IPsec
techniques
Security may be applied
• end-to-end between Network Elements (NE)
• hop-by-hop via Security Gateways (SEG)
For communications secured using IPsec, the
IETF IPsec Security Association will be
adapted/profiled for 3GPP
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
25
Key Management For Network Domain
Security
A two-tiered key management architecture will be
adopted in the first phase
• KACs support IKE and public key
Migration to a PKI-based flat key management
architecture will be considered for later phases
• NEs support IKE and public key
• On-line KACs become off-line CAs
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
26
Encryption & Integrity Algorithm
Requirements
Low power with low gate-count hardware
implementation as well as software
No practical attack significantly more efficient
than exhaustive key search
No export restrictions on terminals (or USIM),
and network equipment exportable under licence
in accordance with Wassenaar
Time for development - six months!
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
27
General Approach to Design
ETSI SAGE appointed as design authority
Robust approach to exportability - full strength
algorithm and expect agencies to fall into line
Use existing block cipher as starting point
MISTY1 chosen:
•
•
•
•
•
fairly well studied
some provable security aspects
parameter sizes suitable
designed to be efficient in hardware and software
offered by Mitsubishi free from royalty payments
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
28
Design and Analysis
 SAGE work led by Gert Roelofsen, with external experts:
• separate SAGE design and evaluation teams
• joined by Mitsuru Matsui from Mitsubishi - designer of MISTY
• additional evaluators for feasibility of implementation from Nokia,
Ericsson and Motorola led by Kaisa Nyberg
 External security evaluation by three teams:
• Leuven: Lars Knudsen, Bart Preneel, Vincent Rijmen, Johan Borst,
Matt Robshaw
• Ecole Normale Superiere: Jacques Stern, Serge Vaudenay
• Royal Holloway: Fred Piper, Sean Murphy, Peter Wild, Simon
Blackburn
 Open Publication - http://www.etsi.org/dvbandca/
PKS 2000, San Jose
19-21 September 2000
Security for 3G Systems
29
Other Aspects of 3GPP Security
 Options in AKA for sequence
management
 Interoperation with GSM
 AKA+ and interoperation with
3GPP2 standards
 Formal analysis of AKA
 User identity confidentiality
 User configurability and
visibility of security features
 Lawful interception
 SIM application toolkit security
 MExE security
PKS 2000, San Jose
19-21 September 2000





Fraud information gathering
GERAN security
OSA/VHE security
Location services security
Access security for IP based
services
 Provision of a standard
authentication and key
generation algorithm for
operators who do not wish to
produce their own
Security for 3G Systems
30
References to 3GPP Security
Principles, objectives and requirements
 TS 33.120 Security principles and
objectives
 TS 21.133 Security threats and
requirements
Architecture, mechanisms and algorithms
 TS 33.102 Security architecture
 TS 33.103 Integration guidelines
 TS 33.105 Cryptographic algorithm
requirements
 TS 22.022 Personalisation of mobile
equipment
Lawful interception
 TS 33.106 Lawful interception
requirements
 TS 33.107 Lawful interception
architecture and functions
PKS 2000, San Jose
19-21 September 2000
Technical reports
 TR 33.900 A guide to 3G security
 TR 33.901 Criteria for cryptographic
algorithm design process
 TR 33.902 Formal analysis of the 3G
authentication protocol
 TR 33.908 General report on the
design, specification and evaluation of
3GPP standard confid. & integ algs.
 TR 33.909 Report on the evaluation of
3GPP standard confid. & integ. Algs.
Algorithm specifications
 Specification of the 3GPP
confidentiality and integrity algorithms
•
•
•
•
Security for 3G Systems
TS 35.201 : f8 & f9
TS 35.202: KASUMI
TS 35.203: implementors’ test data
TS 35.204: design conformance test
data
31