On the Security of 3GPP Networks

Michael Walker
Vodafone AirTouch & Royal Holloway,
University of London
Chairman 3GPP SA3 - Security
PKS 2000, San Jose
Security of 3GPP networks
1
Acknowledgements
• This presentation is based on the technical specifications and reports produced by the members of 3GPP SA3 and ETSI SAGE
  • available from http://www.3gpp.org
• Much of the background work was done as part of the EU funded ACTS project USECA
  • the partners are Vodafone, G&D, Panasonic, Siemens Atea, Siemens AG & Katholieke Universiteit Leuven
  • http://www.useca.freeserve.co.uk
Principles for 3G Security
• Build on the security of GSM
  • adopt the security features from GSM that have proved to be needed and robust
  • try to ensure compatibility with GSM in order to ease inter-working and handover
• Correct the problems with GSM by addressing its real and perceived security weaknesses
• Add new security features
  • as are necessary to secure new services offered by 3G
  • to take account of changes in network architecture
Building on GSM Security - Architecture
[Figure: GSM and UMTS network architecture, divided into UE, AN and CN. UE: SIM and MT (GSM); USIM, Cu and ME (UMTS). AN: BSS with BTS and BSC (Um, Abis); UTRAN with RNS, BS and RNC (Uu, Iub, Iur). CN: MSC, GMSC, SGSN, GGSN, HLR, AUC, EIR, SCF, SMS-GMSC and SMS-IWMSC (interfaces A, Gb, Iu, D, E, F, G, H, Gd, Gf, Gn+, Gp, Gr). External networks: ISDN, PSTN, PSPDN, CSPDN, PDN (Intranet, Extranet, Internet). Note: not all interfaces shown and named.]
Building on GSM Security, 2
• Remain compatible with GSM network architecture
• User authentication & radio interface encryption
• SIM used as security module
  • removable hardware
  • terminal independent
  • management of all customer parameters
• Operates without user assistance
• Requires minimal trust in serving network
Limitations of GSM Security
• Problems with GSM security stem by and large from design limitations on what is protected rather than from defects in the security mechanisms themselves
  • only provides access security - communications and signalling in the fixed network portion aren't protected
  • does not address active attacks, whereby network elements may be impersonated
  • designed to be only as secure as the fixed networks to which they connect
  • lawful interception only considered as an afterthought
Limitations of GSM Security, 2
• Failure to acknowledge limitations
  • encryption needed to guard against radio channel hijack
  • the terminal is an unsecured environment - so trust in the terminal identity is misplaced
• Inadequate flexibility to upgrade and improve security functions over time
• Lack of visibility that the security is being applied
  • no indication to the user that encryption is on
  • no explicit confirmation to the home network that authentication is properly used when customers roam
Limitations of GSM Security, 3
• Lack of confidence in cryptographic algorithms
  • lack of openness in design and publication of A5/1
  • misplaced belief by regulators in the effectiveness of controls on the export or (in some countries) the use of cryptography
  • key length too short, but some implementation faults make increase of encryption key length difficult
  • need to replace A5/1, but poor design of support for simultaneous use of more than one encryption algorithm is making replacement difficult
  • ill-advised use of COMP 128
Specific GSM Security Problems
• Encryption terminated too soon
  • user traffic and signalling in clear on microwave links
• Clear transmission of cipher keys & authentication values within and between networks
  • signalling system vulnerable to interception and impersonation
• Confidence in strength of algorithms
  • failure to choose best authentication algorithms
  • improvements in cryptanalysis of A5/1
• Use of false base stations
False Base Stations
• Used as IMSI Catcher for law enforcement
• Used to intercept mobile originated calls
  • encryption controlled by network and user unaware if it is not on
• Dynamic cloning risk in networks where encryption is not used
3GPP Security Architecture Overview
[Figure: 3GPP security architecture overview. The User Application and Provider Application sit in the application stratum; TE, USIM and MT on the user side, SN/VLR/SGSN in the serving stratum, HE/AuC in the home stratum and AN in the transport stratum. The links between these entities are labelled with the security feature groups I to IV listed below.]
I. Network access security
II. Provider domain security
III. User domain security
IV. Application security
Authentication & Key Agreement (AKA)
Protocol Objectives
• Authenticate user to network & network to user
• Establish a cipher key CK (128 bit) & an integrity key IK (128 bit)
• Assure user and network that CK/IK have not been used before
• Authenticated management field HE → USIM
  • authentication key and algorithm identifiers
  • limit CK/IK usage before USIM triggers a new AKA
AKA Prerequisites
• AuC and USIM share
  • user specific secret key K
  • message authentication functions f1, f1*, f2
  • key generating functions f3, f4, f5, f5*
• AuC has a random number generator
• AuC has scheme to generate fresh sequence numbers
• USIM has scheme to verify freshness of received sequence numbers
AKA Variables and Functions
RAND = random challenge generated by AuC
XRES = f2K (RAND) = expected user response computed by AuC
RES = f2K (RAND) = actual user response computed by USIM
CK = f3K (RAND) = cipher key
IK = f4K (RAND) = integrity key
AK = f5K (RAND) = anonymity key
SQN = sequence number
AMF = authentication management field
MAC = f1K (SQN || RAND || AMF) = message authentication code computed over SQN, RAND and AMF
AUTN = SQN ⊕ AK || AMF || MAC = network authentication token, concealment of SQN with AK is optional
Quintet = (RAND, XRES, CK, IK, AUTN)
AKA Message Flow
[Figure: message sequence between USIM, VLR or SGSN, and AuC]
Distribution of quintets from HLR/AuC to VLR/SGSN
• VLR/SGSN → AuC: auth. data request
• AuC: Generate quintets
• AuC → VLR/SGSN: Quintets (RAND, XRES, CK, IK, AUTN)
Over-the-air authentication and key agreement
• VLR/SGSN → USIM: RAND, AUTN
• USIM: Verify MAC, SQN; Derive CK, IK, RES
• USIM → VLR/SGSN: RES
• VLR/SGSN: XRES = RES ?
• USIM: Start using CK, IK
• VLR/SGSN: Start using CK, IK
Length of AKA Cryptographic Parameters
• K: 128 bits
• RAND: 128 bits
• RES: 32-128 bits
• CK: 128 bits
• IK: 128 bits
• AUTN: 128 bits
  • SQN (Sequence number): 48 bits
  • AMF (Authentication management field): 16 bits
  • MAC (Message authentication code): 64 bits
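The AKA exchange and parameter lengths from the slides above, as an added example that is not part of the presentation or of any 3GPP specification. HMAC-SHA-256 stands in for the operator functions f1 to f5, and the AMF value and the USIM's "accept only a higher SQN" freshness rule are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def f(tag: bytes, k: bytes, data: bytes, nbytes: int) -> bytes:
    """Stand-in for f1..f5 (assumption): tagged HMAC-SHA-256, truncated."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:nbytes]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def auc_quintet(k: bytes, sqn: int, amf: bytes, rand: bytes = b""):
    """AuC: build (RAND, XRES, CK, IK, AUTN) for one fresh sequence number."""
    rand = rand or os.urandom(16)                 # RAND: 128 bits
    sqn_b = sqn.to_bytes(6, "big")                # SQN: 48 bits
    mac = f(b"f1", k, sqn_b + rand + amf, 8)      # MAC: 64 bits
    xres = f(b"f2", k, rand, 8)                   # XRES: 64 bits (32-128 allowed)
    ck, ik = f(b"f3", k, rand, 16), f(b"f4", k, rand, 16)
    ak = f(b"f5", k, rand, 6)                     # AK conceals SQN
    autn = xor(sqn_b, ak) + amf + mac             # 48 + 16 + 64 = 128 bits
    return rand, xres, ck, ik, autn

class Usim:
    def __init__(self, k: bytes):
        self.k, self.highest_sqn = k, 0

    def authenticate(self, rand: bytes, autn: bytes):
        """USIM: verify MAC, then SQN freshness, then derive RES, CK, IK."""
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn_b = xor(conc_sqn, f(b"f5", self.k, rand, 6))
        xmac = f(b"f1", self.k, sqn_b + rand + amf, 8)
        if not hmac.compare_digest(mac, xmac):
            raise ValueError("MAC failure")       # AUTN was not made with K
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.highest_sqn:               # assumed freshness scheme
            raise ValueError("SQN not fresh")     # replayed RAND, AUTN
        self.highest_sqn = sqn
        return tuple(f(t, self.k, rand, n)
                     for t, n in ((b"f2", 8), (b"f3", 16), (b"f4", 16)))

def run_aka(k_auc: bytes, usim: Usim, sqn: int) -> bool:
    """VLR/SGSN: forward RAND, AUTN and accept if RES = XRES.
    The key comparison is only a self-check for this demo."""
    rand, xres, ck, ik, autn = auc_quintet(k_auc, sqn, b"\x80\x00")  # AMF constructed
    res, ck_u, ik_u = usim.authenticate(rand, autn)
    return hmac.compare_digest(res, xres) and (ck, ik) == (ck_u, ik_u)
```

A replayed (RAND, AUTN) pair passes the MAC check but fails the SQN check, and a challenge built under a different K fails the MAC check before any key is derived.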
Air-interface Encryption, 1
• Applies to all user traffic and signalling messages
• Uses stream ciphering function f8 - with provision for different algorithms: UEA1 = Kasumi; UEA0 = no encryption
[Figure: sender (ME or RNC) and receiver (ME or RNC) each feed COUNT-C, DIRECTION, BEARER, LENGTH and CK into f8 to produce a KEYSTREAM BLOCK. The sender combines it with the PLAINTEXT BLOCK to give the CIPHERTEXT BLOCK; the receiver combines its keystream block with the CIPHERTEXT BLOCK to recover the PLAINTEXT BLOCK.]
Air-interface Encryption, 2
• Termination points
  • user side: mobile equipment, network side: radio network controller
• Ciphering in layer 2
  • RLC sublayer: non-transparent RLC mode (signalling, data)
  • MAC sublayer: transparent RLC mode (voice)
• Key input values to algorithm
  • CK, 128 bits: Cipher key
  • COUNT-C, 32 bits: Ciphering sequence number
    – RLC sublayer: HFN_RLC (25/20) + SN_RLC (7/12) (SN_RLC is transmitted)
    – MAC sublayer: HFN_MAC (25) + CFN_MAC (7) (CFN_MAC is transmitted)
• Further input values
  • BEARER, 5 bits: Bearer identity
  • DIRECTION, 1 bit: Uplink/downlink
  • LENGTH, 16 bits: Length of keystream block
Air-interface Integrity Mechanism, 1
• Applies to all except specifically excluded signalling messages after connection and security mode set-up
• MS supervises that it is started
• Uses integrity function f9 - with provision for different algorithms: UIA1 = Kasumi
[Figure: sender (ME or RNC) and receiver (ME or RNC) each feed COUNT-I, DIRECTION, MESSAGE, FRESH and IK into f9. The sender computes MAC-I and sends it with the MESSAGE; the receiver computes XMAC-I and checks MAC-I = XMAC-I ?]
Air-interface Integrity Mechanism, 2
• Termination points
  • user side: mobile equipment, network side: radio network controller
• Integrity protection: layer 2
  • RRC sublayer
• Key input values
  • IK, 128 bits: Integrity key
  • COUNT-I, 32 bits: Integrity sequence number
    – consists of HFN_RRC (28) + SN_RRC (4) (SN_RRC is transmitted)
  • FRESH, 32 bits: Connection nonce
  • MESSAGE: Signalling message
• Further input values
  • DIRECTION, 1 bit: Uplink/downlink
• Output values
  • MAC-I/XMAC-I, 32 bits: message authentication code
Connection Establishment Overview
[Figure: message sequence between ME/USIM, RNC and VLR/SGSN; the protocol carrying each message is given in brackets]
1. RRC Connection Establishment (RRC)
2. Initial L3 message (MM)
3. IMSI Interrogation (MM)
4. Authentication and key agreement (MM)
5. Security mode command (RANAP)
6. Security mode command (RRC)
7. Security mode complete (RRC)
8. Security mode complete (RANAP)
9. Response to initial L3 message (MM)
10. TMSI allocation (MM)
Starting Ciphering & Integrity
[Figure: message sequence between ME/USIM, RNC and VLR/SGSN; step labels and annotations as they appear on the chart]
1. Connection Establishment: START; UEA_MS, UIA_MS
2. Initial L3 message: CKSN
   • Decide AKA / No AKA
4. Authentication and key agreement
5. Security mode command: UEA_CN, UIA_CN, CK, IK
   • RNC selects UEA and UIA; start of integrity protection
6. Security mode command: UEA, UIA, UEA_MS, UIA_MS, FRESH
   • Start of integrity protection
   • Start of ciphering/deciphering
7. Security mode complete
   • Start of ciphering/deciphering
   • (first integrity protected message)
   • (first ciphered message)
Security Parameters & Choices
• START (32 bits) initial hyperframe number
  • used to initialise COUNT-C/I
  • assures user MAC-I is fresh
  • START stored/updated USIM
• CKSN (3 bits) cipher key sequence number
  • indicates the key set that is stored in USIM
  • when START exceeds a certain threshold, CKSN can be used to trigger a new AKA
• FRESH (32 bits) network nonce
  • assures network MAC-I fresh
• AKA is performed when
  • the user enters a new SN
  • the user indicates that a new AKA is required when the amount of data ciphered with CK has reached a threshold
  • the serving network decides
• Otherwise integrity-key based authentication
• Selection of UEA and UIA by user/user's home environment
Network Domain Security
Overview
• Application layer security
  • for signalling protocols running over SS7
  • e.g. MAP, CAP
• IP layer security
  • for native IP based protocols
  • e.g. GTP, CSCF-HSS signalling
Application Layer Security, 1
[Figure: Network I and Network II, each with a KAC (KAC_I, KAC_II) and network elements (NE), joined by an intermediate IP network and an SS7 network. Over ZA the KACs negotiate the SA for ZC with IKE according to the DOI for MAP; each KAC distributes the SA to its NEs with IPsec; the NEs use the SA for MAP over ZC across the SS7 network.]
Application Layer Security, 2
• MAP signalling provided with encryption, origin authentication and integrity using standard symmetric techniques
• Block cipher BEANO designed by ETSI SAGE for public network operators may be used
• For communications secured at the application layer, 3GPP will define new Security Associations (i.e. create a new Domain of Interpretation for ISAKMP)
IP Layer Security, 1
[Figure: Network I and Network II, each with a KAC (KAC_I, KAC_II), a security gateway (SEG_I, SEG_II) and network elements (NE), joined by an intermediate IP network. Over ZA the KACs negotiate the SA for ZC with IKE according to the DOI for IPsec; over ZB each KAC distributes the SA with IPsec. The protected paths over ZC are marked SA Class 1, SA Class 2 and SA Class 3.]
IP Layer Security, 2
• IP layer security provides encryption, origin authentication and integrity using standard IPsec techniques
• Security may be applied
  • end-to-end between Network Elements (NE)
  • hop-by-hop via Security Gateways (SEG)
• For communications secured using IPsec, the IETF IPsec Security Association will be adapted/profiled for 3GPP
Key Management For Network Domain
Security
• A two-tiered key management architecture will be adopted in the first phase
  • KACs support IKE and public key crypto
• Migration to a PKI-based flat key management architecture will be considered for later phases
  • NEs support IKE and public key crypto
  • On-line KACs become off-line CAs
Encryption & Integrity Algorithm
Requirements
• Stream cipher f8 and integrity function f9 parameters already described
• Low power, low gate-count hardware, as well as software
• No practical attack significantly more efficient than exhaustive key search
• No export restrictions on terminals (or SIMs); network equipment exportable under licence in accordance with Wassenaar
• Time for development - six months!
General Approach to Design
• Robust approach to exportability - full strength algorithm and expect agencies to fall into line
• ETSI SAGE appointed as design authority
• Take existing algorithm as starting point
• Use block cipher as building block for both algorithms - MISTY1 chosen:
  • fairly well studied, some provable security aspects
  • parameter sizes suitable
  • designed to be efficient in hardware and software
  • offered by Mitsubishi free from royalty payments
Design and Analysis
• Designed by SAGE team, led by Gert Roelofsen, with external experts:
  • SAGE design and evaluation teams
  • joined by Mitsuru Matsui from Mitsubishi - designer of MISTY
  • additional evaluators from Nokia, Ericsson and Motorola led by Kaisa Nyberg
• External evaluation by three teams:
  • Leuven: Lars Knudsen, Bart Preneel, Vincent Rijmen, Johan Borst, Matt Robshaw
  • Ecole Normale Supérieure: Jacques Stern, Serge Vaudenay
  • Royal Holloway: Fred Piper, Sean Murphy, Peter Wild, Simon Blackburn
• Open Publication
Kasumi
• Simpler key schedule than MISTY
• Additional functions to complicate cryptanalysis without affecting provable security aspects
• Changes to improve statistical properties
• Minor changes to speed up or simplify hardware
• Stream ciphering f8 uses Kasumi in a form of output feedback, but with:
  • BLKCNT added to prevent cycling
  • initial extra encryption added to protect against chosen plaintext attack and collisions
• Integrity f9 uses Kasumi to form CBC MAC with:
  • non-standard addition of 2nd feedforward
3GPP Stream Cipher f8
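An added sketch, not taken from the presentation, of the f8 mode described on the Kasumi slide: output feedback with BLKCNT mixed in and an initial extra encryption under a modified key, with the initial-value layout and key modifier following the published f8 specification. A truncated HMAC-SHA-256 stands in for KASUMI, so the keystream is not interoperable with real f8; the function names are hypothetical.

```python
import hashlib
import hmac

KM = bytes([0x55]) * 16  # key modifier for the initial extra encryption

def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit keyed function (assumption: real f8 uses KASUMI).
    Output feedback only runs the cipher forwards, so a PRF is enough here."""
    return hmac.new(key, block, hashlib.sha256).digest()[:8]

def count_c_rlc(hfn: int, sn: int, sn_bits: int = 12) -> int:
    """COUNT-C for the RLC sublayer: HFN (20 or 25 bits) then SN (12 or 7 bits)."""
    if sn_bits not in (7, 12) or not 0 <= sn < 2**sn_bits \
            or not 0 <= hfn < 2**(32 - sn_bits):
        raise ValueError("HFN/SN out of range")
    return (hfn << sn_bits) | sn

def f8_keystream(ck: bytes, count_c: int, bearer: int, direction: int,
                 length: int) -> bytes:
    """Keystream for LENGTH bits (rounded up to whole bytes)."""
    if len(ck) != 16 or not 0 <= count_c < 2**32 or not 0 <= bearer < 32 \
            or direction not in (0, 1):
        raise ValueError("bad f8 input")
    # 64-bit initial value: COUNT-C (32) || BEARER (5) || DIRECTION (1) || 26 zeros
    iv = (count_c << 32) | (bearer << 27) | (direction << 26)
    # Initial extra encryption under CK xor KM hides the predictable initial value.
    mod_key = bytes(x ^ y for x, y in zip(ck, KM))
    a = int.from_bytes(block_fn(mod_key, iv.to_bytes(8, "big")), "big")
    ksb, out = 0, b""
    for blkcnt in range((length + 63) // 64):
        # Feed back the previous keystream block; BLKCNT stops the chain cycling.
        block = block_fn(ck, (a ^ blkcnt ^ ksb).to_bytes(8, "big"))
        ksb = int.from_bytes(block, "big")
        out += block
    return out[: (length + 7) // 8]

def f8(ck: bytes, count_c: int, bearer: int, direction: int, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream, same call in both directions."""
    ks = f8_keystream(ck, count_c, bearer, direction, len(data) * 8)
    return bytes(d ^ k for d, k in zip(data, ks))
```

Two messages ciphered under the same CK, COUNT-C, BEARER and DIRECTION share a keystream, so XORing the ciphertexts yields the XOR of the plaintexts; this is why COUNT-C must not repeat under one CK and why START can trigger a new AKA.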
3GPP Integrity Function f9
Other Aspects of 3GPP Security
• Options in AKA for sequence management
• Re-authentication during a connection and periodic in-call
• Failure procedures
• Interoperation with GSM
• AKA+ and interoperation with 3GPP2 standards
• Formal analysis of AKA
• User identity confidentiality and enhanced user identity confidentiality (R00)
• User configurability and visibility of security features
• User-USIM, USIM-terminal & USIM - network (SAT)
• Terminal (identity) security
• Lawful interception
• Fraud information gathering
• Network wide encryption (R00)
• Location services security
• Access to user profiles
• Mobile IP security (R00+)
• Provision of a standard authentication and key generation algorithm for operators who do not wish to produce their own
References to 3GPP Security
Principles, objectives and requirements
• TS 33.120 Security principles and objectives
• TS 21.133 Security threats and requirements
Architecture, mechanisms and algorithms
• TS 33.102 Security architecture
• TS 33.103 Integration guidelines
• TS 33.105 Cryptographic algorithm requirements
• TS 22.022 Personalisation of mobile equipment
Lawful interception
• TS 33.106 Lawful interception requirements
• TS 33.107 Lawful interception architecture and functions
Technical reports
• TR 33.900 A guide to 3G security
• TR 33.901 Criteria for cryptographic algorithm design process
• TR 33.902 Formal analysis of the 3G authentication protocol
• TR 33.908 General report on the design, specification and evaluation of 3GPP standard confidentiality and integrity algorithms
• TR 33.909 Algorithm evaluation report
Algorithm specifications
• Specification of the 3GPP confidentiality and integrity algorithms
  • Document 1: f8 & f9
  • Document 2: KASUMI
  • Document 3: implementors' test data
  • Document 4: design conformance test data