Transcript Mobile Networks - ISSA-Sacramento

Mobile Technology Overview
Ed Gibbs
Technologist
ISSA - September 20, 2001
Sacramento, California
1
© NOKIA
FILENAMs.PPT/ DATE / NN
Ed Gibbs Biography
• Prior: Digital Equipment Corporation, Lockheed-Martin, Dow
Jones & Company, and a few start-ups that don’t exist
anymore!
• Focus on Firewalls, VPN, internetworking, 802.11, Mobile Data
including WAP, and carrier infrastructure
• Recently completed chapter for Eoghan Casey’s new book
“Handbook of Computer Crime” to be published in
October/Nov.
• Collecting digital evidence within a cellular and 802.11
network
• Contact Information:
• Nokia, 313 Fairchild Drive, Mountain View, CA 94043
• Mobile: +1 650-868-9091
• E-mail: [email protected]
2
© NOKIA
FILENAMs.PPT/ DATE / NN
Introduction
• Why is understanding Cellular networking important?
• As voice and data merge over cellular networks, you may
be tasked securing both
• Wireless data handsets are inescapable
• Carrier infrastructures are very complex – to what degree
should one become acquainted?
• Just the basics – that’s what we’ll cover here today
• As security experts, there’s significant value in obtaining this
knowledge to prepare you for the future
• Carriers have enjoyed closed networks, opening them up to
the Internet is a major challenge
3
© NOKIA
FILENAMs.PPT/ DATE / NN
Types of Cellular Networks
4
© NOKIA
FILENAMs.PPT/ DATE / NN
Analog Mobile Phone Service
• What is AMPS:
• Commercially available in 1970 by Bell Telephone
Laboratories
• Geographic areas are subdivided into smaller areas which
are commonly known as “cells”
• Each cell has it’s own antenna that is set to operate at
distinct transmission frequencies
7-cell pattern, each with
different frequencies to avoid
interference
824Mhz to 894Mhz with
30Khz of bandwidth
separation per assigned
channel for Transmit/Receive
• Communications occur at a set frequency in each direction
• AMPS is still widely used today
5
© NOKIA
FILENAMs.PPT/ DATE / NN
Digital Advanced Mobile Phone Service
• D-AMPS is far more complex than AMPS and supports two
modes of operations
• Voice traffic is digital
• AMPS used for channel setup and signaling
• IS-54 – Uses Time-Division Multiple Access (TDMA) to
divide the radio channels used by AMPS
• IS-136 (D-AMPS 1900) supports dual-mode, dual-band:
– Dual-Mode: Analog or Digital
– 800Mhz cellular frequency used by AMPS
– 1900Mhz frequency spectrum – Personal Communications
Service (PCS)
– Allows for pages and short message services (SMS) of up to
239 characters
6
© NOKIA
FILENAMs.PPT/ DATE / NN
Time Division Multiple Access
• TDMA separates users by assigned time slots, which
minimizes interference from other simultaneous transmissions
• Disadvantage: When changing cells (handoff), the assigned
time-slot in the new cell may already be occupied however
this is a capacity problem
• Transmission (uplink/downlink or send/receive) is allocated two
slots:
• One used at a defined frequency for uplink
• Second used at a particular frequency for downlink
• Extends battery life-time of handset by only transmitting a
portion of time instead of a continuous transmission
• AT&T, Cingular (Eastern/Central US) uses TDMA
• Cingular formally PacificBell uses a technology called GSM
which is not compatible with TDMA
7
© NOKIA
FILENAMs.PPT/ DATE / NN
Code Division Multiple Access
• CDMA (IS-95) offers 6-10x the capacity of TDMA and uses
codes to separate users as opposed to TDMA, which uses
assigned time slots
• Uses broadband spread-spectrum developed in the 1940s for
military purposes and uses a direct sequence technique, with
the spreading sequence based on a pseudorandom binary
sequence
• Also uses the 800Mhz and 1900Mhz frequency bands.
• When using 800Mhz AMPS mode, more AMPS channels
needed to obtain frequency for CDMA (operator must clear
1.23Mhz/30khz or 41 channels) to accommodate
• When in 1900Mhz mode, CDMA uses PCS
• Directly supports IP packet data protocols
• Sprint, SBC uses CDMA
8
© NOKIA
FILENAMs.PPT/ DATE / NN
Global System for Mobile
Communications
• GSM developed in Europe in 1980s and became an
international standard 13 years later
• There are two standards:
• European: 900Mhz (International Standard)
• North American – 800Mhz (900Mhz used by Government)
and 1900Mhz GSM PCS
•
•
9
North American GSM and European GSM are not compatible due to their
frequency
Tri-mode phones are available that operate at 800Mhz, 900Mhz, and
1900Mhz
• Uses TDMA framework but not compatible
• Subdivides each radio channel into eight time slots; DAMPS subdivides into six time slots
• Over 250 GSM Networks are presently operating in 110
countries
• Data rates: 9.6Kbps to 14.4Kbps
• Carriers: Pacific Bell (now Cingular), VoiceStream, and now
AT&T Wireless
© NOKIA
FILENAMs.PPT/ DATE / NN
GSM
• GSM uses the Subscriber Information Module (SIM card)
which comes in two forms – credit card sized format and thumb
tip size
• Embedded in the card is a microprocesor, ROM and RAM
• Also contains data such as:
• The subscriber’s phone number which is referred to as the
MSISDN (Mobile Subscriber ISDN Number)
• The IMSI (International Mobile Subscriber Identity). The
IMSI is globally unique to a particular subscriber
• The subscriber’s PIN which is used to prevent unauthorized
use of the mobile device
• Authentication Keys
10
© NOKIA
FILENAMs.PPT/ DATE / NN
Carrier Infrastructure
11
© NOKIA
FILENAMs.PPT/ DATE / NN
Simple Architecture
Core Network
Mobile Device
Subscriber
Information
Switch
Radio Access Network
Base Station
To other
Networks
Billing
Records
Radio Link
Network Operations
and Maintenance
12
© NOKIA
FILENAMs.PPT/ DATE / NN
Detailed Architecture
Core Network
BTS
BSC
BTS
HLR
VLR
BTS
Mobile Phone
To other networks
(e.g. PSTN)
MSC
Charging
Gateway
LIG
BTS
BSC
SMSc
BTS
Connected to all elements in
the core network
BTS
Connected
to all BSCs
Radio Access Network
13
© NOKIA
FILENAMs.PPT/ DATE / NN
OMC
Network Operation Parameters
• The adjunct processor handling operational issues may handle records that
drill down deep into the network operation details. These records can cover
such items as:
• A subscriber’s phone call attempt
• Whether the attempt was successful
• Whether the call was ended normally or was dropped
• Date and time of the call
• Signal strength of the subscriber’s mobile device as seen by the BTS
• In what cell site was the call set up
• In what cell site sector was the call set up
• Handover information
• What channel was used
• What frequency/time slot/PN number was used
14
© NOKIA
FILENAMs.PPT/ DATE / NN
Surveillance & Tracking
15
© NOKIA
FILENAMs.PPT/ DATE / NN
Methods of Tracking
• AOA: By knowing the direction from which a wireless signal is received (via
the use of special antennas at the cell site), Angle of Arrival techniques
calculate the location of a mobile device.
• This technology is deployed at the cell sites of the network operator.
• TDOA: Time Difference of Arrival technology uses the difference in time that
it takes for a wireless signal to arrive at multiple cell sites to calculate the
location of the mobile device.
• This technology is deployed at the cell sites of the network operator.
• E-OTD: Enhanced Observed Time Difference involves a mobile device
receiving the signals from at least three base stations, while a special
receiver in the network (at a known position) also receives these signals.
• The mobile device location is calculated by comparing the time
differences of arrival of the signals from the base stations at both the
mobile device and the special receiver.
• This technology is deployed at cell sites and in the mobile device itself.
16
© NOKIA
FILENAMs.PPT/ DATE / NN
Methods of Tracking
• Triangulation is a process by which the location of a radio
transmitter can be determined by measuring either the radial
distance, or the direction of the received signal from two or
three different points
• Time delay response can be used in conjunction with
triangulation to determine how far away the signal is between
multiple points
• When a cell phone is turned on – it’s communicating!
• Call or standby mode
• Tracking is often difficult if not impossible in some situations
• Signal reflection, distortion, weak signal, etc.
17
© NOKIA
FILENAMs.PPT/ DATE / NN
Triangulation & Timed Response
Base
•
X
Base
•
Z
•
Cell Phone
Base
•
Y
•
Measured Response
Time + Direction
18
© NOKIA
FILENAMs.PPT/ DATE / NN
Lawful Interception
GSM & UMTS
Gs
MSC/VLR
SGSN Gn
Gp
3G
GPRS backbone
Gf
GGSN
Gr
EIR
HLR
Gi
PDN
19
© NOKIA
FILENAMs.PPT/ DATE / NN
Functional Roles
User
5
Law
Enforcement
Authority (LEA)
1
4
4
3
Network Operator
Target User
2
2
4
Authorisation
Authority (AA)
Equipment
Manufacturer
Host/Terminal
20
© NOKIA
FILENAMs.PPT/ DATE / NN
Authorizing interceptions
Authorizing Agency (AA)
• Authorizes session using the web interface at the
LIC
21
© NOKIA
FILENAMs.PPT/ DATE / NN
Enabling interceptions
Law Enforcement Agency (LEA)
• Starts interception at the LIC
22
© NOKIA
FILENAMs.PPT/ DATE / NN
E911 Update
• August 2000: FCC adopted an Order to implement the
Wireless Communications and Public Safety Act of 1999 (911
Act), enacted on October 26,1999.
• Implemented in two phases:
• First Phase – Reveals cell phone number and base-station
caller is using
• Second Phase – Pinpoints location accurate within 50-100
meters
• October 1, 2001 Deadline will “not be met”
• All major carriers will file an extension with the FCC
• Location based service and tracking software not in place
• Only %10 of law enforcement is equipped to handle E911
• Official Web-site
• http://www.fcc.gov/e911/
23
© NOKIA
FILENAMs.PPT/ DATE / NN
Steps to 3rd Generation within the US
Introduction of 3rd generation radio
2003-2005
2002
New multimedia services
Mass market cost of service (WCDMA)
2Mbps
Enhanced speed and capacity (EDGE)
2001-2002
Internet-like IP packet services for mass market (GPRS) 144Kbps
2000
Landline-like circuit services (HSCSD) & Interactive messaging (USSD)
1997
Basic GSM data at 9.6 kbit/s & Smart messaging
Evolution
24
© NOKIA
FILENAMs.PPT/ DATE / NN
GPRS Architecture
Firewall
VPN
VPN
Firewall
25
© NOKIA
FILENAMs.PPT/ DATE / NN
WAP
26
© NOKIA
FILENAMs.PPT/ DATE / NN
Wireless Application Protocol (WAP)
• De-facto world standard for wireless information and
telephony services on digital mobile phones and other
wireless terminals
"Internet in Every Pocket"
•
• Objectives:



General environment for wireless applications
Internet or Intranet-like services and content to mobile terminals
Network, bearer and manufacturer independent
• WAP Forum


Started 1997 by Nokia, Ericsson, Motorola and Unwired Planet
Now close to 500 member companies
• WAP 1.1 (June ‘99)
•
The first release for commercial products
• WAP 1.2 (December ’99)
27
© NOKIA
FILENAMs.PPT/ DATE / NN
WAP System Architecture
Web Server
WAP Gateway
WML
WML Encoder
WMLScript
WSP/WTP
WMLScript
Compiler
HTTP
CGI
Scripts
etc.
WTAI
Protocol Adapters
Etc.
28
© NOKIA
FILENAMs.PPT/ DATE / NN
Content
WML Decks
with WML-Script
Client
Common WAP Deployment Scenarios
Customer
Technical Architecture
Business Model
Total Corporate Solution
Typical WAP Enabled
'Web Destination Site'
Open WAP Portal +
Content providers
and Merchants
Closed WAP
Key
Portal e.g.
Operator / ISPEnterpr. hosted
Mobile
29
© NOKIA
Dial-in
Server
FILENAMs.PPT/ DATE / NN
WAP
Content & Applications
Server/Gateway
Server (s)
xSP hosted
Wireless Transport Layer Security
• WTLS provides encryption from the mobile handset to the
WAP Gateway
• WTLS to SSL conversion on WAP gateway must decrypt
WTLS and re-encrypt to SSL
• Vulnerability: Clear-text
• Four classes:
• Class 0: No Security
• Class 1: Server Authentication (dh_anon)
•
•
Class 2: Signed Server Certificate
•
•
© NOKIA
Available today
Class 3: Signed Client Servificate
•
30
Available today
Coming Soon
FILENAMs.PPT/ DATE / NN
WTLS
31
© NOKIA
FILENAMs.PPT/ DATE / NN
Wireless Identity Module (WIM)
• Wireless PKI Capability
• WIM has five implementation possibilities
Terminal HW
(terminal SW)
32
© NOKIA
External
reader
FILENAMs.PPT/ DATE / NN
Integrated
reader I.e.
"dual slot"
Additional
chip,
"Dual chip"
WIM inside
SIM = SWIM
WAP Modes
• The four modes for WAP communications are:
•
•
•
•
33
© NOKIA
Mode
UDP Port WTLS Security
Connectionless 9200
No
Connection
9201
No
Connectionless 9202
Yes
Connection
9203
Yes
FILENAMs.PPT/ DATE / NN
GSM Security
Security in WAP
WAP can secure
communication between
terminal and WAP gateway.
Wireless Network
For communications between
gateway and origin server,
other means e.g. SSL are
required.
Terminal
FIREWALL
Leased
modem pool
FIREWALL
Internet
Company
WAP
Gateway
intranet
34
© NOKIA
FILENAMs.PPT/ DATE / NN
Origin Server
Internet Security
Future Example
1. Choosing the movie
2. Choosing the payment method
3. Entering the PIN-code
4. Downloading tickets to the chip
5. Confirming the downloading and loyalty points
35
© NOKIA
FILENAMs.PPT/ DATE / NN
EMPS: Many ways to use it
In the Cinema:
Printing the tickets from terminal with bluetooth
36
© NOKIA
FILENAMs.PPT/ DATE / NN
Corporate Impact
37
© NOKIA
FILENAMs.PPT/ DATE / NN
Cellular Phones Outnumber PCs
• Currently there are 350 million mobile phone subscribers. By 2003 there will
be more than 1 billion! Of these, around 600m are likely to be using WAP
compatible products to access the web, compared to a PC installed base of
around 400m
1200
1000
800
Cellular Subscribers.
Source: EMC 1999
PC installed base.
Source: Dataquest 1999
600
400
200
0
1997
38
© NOKIA
1998
FILENAMs.PPT/ DATE / NN
1999
2000
2001
2002
2003
Mobile Phone will be a new online
Channel
• Mobile phones are becoming media phones
• WAP (Wireless Application Protocol) brings standard way to connect mobile
customers to content services
• Now near 300 million mobile phone users, by 2003 there will be more than 1
billion!
WAP
GSM
50 Milj.
Users
TV
Radio
WWW
Internet
5
15
35
Years
Today there are more than 150 million GSM subscribers
world wide
39
© NOKIA
FILENAMs.PPT/ DATE / NN
Is you’re organization ready?
• Mobile data is here today
• Accessibility
• Modems
•
•
•
Internal
External
Internet Portal
• Encryption
• WTLS
• SSL
• VPN
• Device
• Applications
40
© NOKIA
FILENAMs.PPT/ DATE / NN
Terms
• 2G – Second Generation Phone Service – What we have today!
• 2.5G - GPRS
• 3G – Third Generation – Packet Switched Radio
• BTS – Base Transceiver Station
• BSC – Base Station Controller
• GGSN – GPRS Gateway Server Node
• HLR – Home Location Registry
• LIG – Lawful Interception Gateway
• MSC – Mobile Switching Center
• SMSc – Small Message Service Center
• PSTN – Public Switched Telephone Network
• SGSN – Serving GPRS Support Node
• VLR – Visitor Location Registry
41
© NOKIA
FILENAMs.PPT/ DATE / NN
Questions?
Thank You for listening
Danke für Ihre Aufmerksamkeit
Kiitos huomiostanne
Muchas gracias por atención
Merci pour votre attention
[email protected]
42
© NOKIA
FILENAMs.PPT/ DATE / NN