Transcript GSM

2. Conventional networks
2.4 GSM
Prof. JP Hubaux
GSM: Global System for Mobile communications
Objectives
  Unique standard for European digital cellular networks
  International roaming
  Signal quality
  Voice and data services
  Standardization of the air and the network interfaces
  Security
Principles
  Strong integration with the telephone network (PSTN)
  Interfaces inspired by the Integrated Services Digital Network (ISDN)
  Hence, supervision by means of Signaling System 7 (SS7)

Signaling System Number 7
Enhanced services requested by users require bidirectional signaling capabilities, flexibility of call setup and remote database access
With SS7, a signaling channel conveys, by means of labeled messages, signaling information relating to call processing and to network management
SS7 is the most important signaling system in the world: it supervises the PSTN, the cellular networks (GSM), and the Intelligent Network

SS7 in the PSTN
[Figure: Circuit Switching Network. Labels: CPE (Analog, ISDN), UNI, Switch, NNI, SS7]
CPE: Customer Premises Equipment
UNI: User-Network Interface
NNI: Network-Network Interface
ISDN: Integrated Services Digital Network

Interface between the circuit switching network and the signaling network
[Figure labels: Fabric, Control Unit, Signaling Point, Signaling Links, Signaling Network (SS7), Voice Circuits]

Signaling and Switching Planes
[Figure: the Signaling Plane (SPs and STPs joined by signaling links) and the Switching Plane (voice circuits)]
SP: Signaling Point
STP: Signaling Transfer Point

Example of Signaling Network
[Figure: signaling network made of SPs and STPs, spanning Operator 1 and Operator 2]

SS7 Architecture
[Figure: SS7 layers set against the OSI layers. OSI layer 7: OMAP, ASE, MAP and INAP, TCAP; OSI layers 4, 5 and 6: for further study; OSI layer 3: SCCP and MTP Level 3; OSI layer 2: MTP Level 2; OSI layer 1: MTP Level 1; ISDN User Part (ISUP) alongside]
ASE: Application Service Element
INAP: Intelligent Network Application Part
MAP: Mobile Application Part
MTP: Message Transfer Part
OMAP: Operations, Maintenance and Administration Part
SCCP: Signaling Connection Control Part
TCAP: Transaction Capabilities Application Part

ISUP Call setup phase
[Figure: message sequence between two ISDN terminals across SS7 (SSP, STP, SSP). ISDN messages: SETUP, Call Proceeding, ALERTING, CONNECT, CONNECT ACK; ISUP messages: IAM, ACM, ANM]
IAM: Initial Message; ACM: Address Complete Message; ANM: Answer Message

ISUP Call Release phase
[Figure: message sequence between two ISDN terminals across SS7 (SSP, STP, SSP). ISDN messages: DISCONN, RELEASE, RELACK; ISUP messages: REL, RLC]
REL: Release
RLC: Release Complete

Addressing in GSM
[Figure: a call to Nr 085-123456. User (identifier: MSISDN), SIM card (identifier: IMSI), Terminal (identifier: IMEI). Example: MSISDN 085-123456, IMSI 208347854033]
SIM: Subscriber Identity Module
IMSI: International Mobile Subscriber Identity
IMEI: International Mobile Equipment Identity
MSISDN: Mobile Station ISDN Number

GSM Architecture
[Figure: Mobile Station, BTS, BSC (BTS and BSC form the BSS), MSC, Visitor Location Register, Home Location Register, Authentication Center and Equipment Identity Register, joined by the interfaces Um, Abis, A, B, C, D, E, F and G]
BSS: Base Station System
BTS: Base Transceiver Station
BSC: Base Station Controller
MSC: Mobile Switching Center

Functions of the MSC
Paging
Coordination of call set up from all MSs in its jurisdiction
Dynamic allocation of resources
Location registration
Interworking function with different networks (e.g., PSTN)
Handover management
Billing for all subscribers based in its area
Reallocation of frequencies to BTSs in its area to meet heavy demand
Encryption
Echo canceler operation control
Signaling exchange between different interfaces
Gateway to Short Message Service

GSM air interface protocols
[Figure: protocol stacks across the Um (air), Abis and A interfaces. Mobile station: CM, MM, RRM, LAPDm, radio; base transceiver station: RRM, LAPDm, radio; base station controller: RRM, LAPDm, radio, BSSAP, SCCP, MTP3, MTP2, MTP1; mobile switching center: CM, MM, BSSAP, SCCP, MTP3, MTP2, MTP1]
CM: call management
MM: mobility management
RRM: radio resources management
BSSAP: BSS Application Part
SCCP: Signaling connection control part
MTP: message transfer part
LAPD: link access protocol, D channel

Location updating
[Figure: message sequence between MS, BSS, MSC/VLR and HLR]
Mobile turns on
Channel setup, radio resource reservation
Location updating request
Authentication info request
Authentication challenge
Authentication info
Authentication response
Update location
Insert subscriber data
Insert subscriber data ack
Ciphering mode command
Cipher mode command
Ciphering mode complete
Cipher mode complete
Update location ack
TMSI reallocation command
TMSI reallocation complete
Location updating accept
Release radio channel
Clear command

Role of SS7: location updating
[Figure: HLR, PSTN switch, Network, BSS and MSC/VLR, with the messages conveyed by SS7 marked]

Role of SS7: call supervision
[Figure: HLR, PSTN switch, MSC, Network, BSS and MSC/VLR, with the messages conveyed by SS7 numbered 1 to 6]
Data channels are set up after the messages shown have been sent

Billing Principles in GSM
Basic principle: the calling party pays
Exception: the calling party does not pay for extra charges induced by initiatives of the callee:
  roaming
  call forwarding

Data services of GSM
Short Message Service (SMS)
  Similar to advanced paging systems
  Makes use of the control channel
General Packet Radio Service (GPRS)
  Aimed at interfacing the Internet (e.g., for Web browsing)
  Rates up to 170 kb/s
High Speed Circuit-Switched Data (HSCSD)

Short Message Service: message sent to a MS
[Figure: message sequence between MS, BSS, MSC/VLR, HLR, SMS-MSC and Service Center]
Routing info req.
Message transfer
Routing info
Paging
Forward message
Channel setup
Authentication and ciphering
Message
Message ACK
Message ACK
Message tr. report
Release of the radio channel
Assumption: before being paged, the terminal is idle

General Packet Radio Service
[Figure: Laptop, GPRS Network, Internet and LAN. Labels as they appear: IP address: 137.32.171.176; Laptop; 128.178.151.82; GPRS Network; 137.32; Internet; LAN: 128.178.151]

GPRS architecture
[Figure: Laptop, MSC, HLR, GR, SGSN and GGSN in the GPRS network (based on IP), connected to the Data Network (IP); links are marked either "signaling + data" or "signaling only"]
GR: GPRS Register: manages the association between the IP address and the IMSI
SGSN: Serving GPRS Support Node (router)
GGSN: Gateway GPRS Support Node (router)

User plane protocols
[Figure: user plane protocol stacks of MS, BSS, SGSN and GGSN, up to the data network. Labels: Application; Network layer: IP, X.25,… (Packet Data Protocol); SNDCP; LAPG; RLC; MAC; BSSGP; GTP; IP; Data link; Physical layer]
RLC: Radio Link Control
BSSGP: BSS GPRS Protocol
GTP: GPRS Tunnel Protocol
SNDCP: Subnetwork Dependent Convergence Protocol
LAPG: Link Access Protocol on G channel

Mobility management
[Figure: state diagram with the states IDLE, READY and STAND-BY. Transition labels: attachment to the network; detachment or time out; detachment; time out; sending or reception of data]
Idle: no active GPRS session
Ready: session established; ongoing data exchange; precise mobile location (which cell)
Stand-by: session established, with no ongoing data exchange; approximate mobile location, the mobile has to be tracked in its routing area
During a GPRS session (Ready or Stand-by states), the session itself is identified by a TLLI (Temporary Logical Link Identity)

Network attachment + context activation
[Figure: message sequence between MS, BSS, SGSN, HLR/GR and GGSN]
Channel setup
GPRS attach request (IMSI)
Authentication
Profile + auth. request
Profile + auth. info
Ciphering activation
GPRS attach result (TLLI)
(MS is attached)
Activate PDP context req (TLLI, PDP addr of MS)
Provide registration Record request (IMSI)
Security functions
Provide registration Record response (IP address of the GGSN,…)
GGSN update request (PDP addr of MS, QoS)
Activate PDP context response
GGSN update response

GSM Frequencies
Frequency band
  GSM (Europe): 890-915 MHz and 935-960 MHz
  DCS (Europe): 1710-1785 MHz and 1805-1880 MHz
  GSM (USA): 1850-1910 MHz and 1930-1990 MHz
DCS = Digital Cellular System: same principles as GSM, but at frequencies better suited for microcells

GSM Security: The SIM card (Subscriber Identity Module)
Must be tamper-resistant
Protected by a PIN code (checked locally by the SIM)
Is removable from the terminal
Contains all data specific to the end user which have to reside in the Mobile Station:
  IMSI: International Mobile Subscriber Identity (permanent user’s identity)
  PIN
  TMSI (Temporary Mobile Subscriber Identity)
  Ki: User’s secret key
  Kc: Ciphering key
  List of the last call attempts
  List of preferred operators
  Supplementary service data (abbreviated dialing, last short messages received,...)

Cryptographic algorithms of GSM
[Figure: the random number R and the user’s secret key Ki are the inputs of A3, which outputs S, and of A8, which outputs Kc. R and S serve authentication; Kc is the key of the ciphering algorithm A5. Kc, R and S together form a triplet]
Kc: ciphering key
S: signed result
A3: subscriber authentication (operator-dependent algorithm)
A5: ciphering/deciphering (standardized algorithm)
A8: cipher generation (operator-dependent algorithm)

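Authentication principle of GSM
[Figure: exchange between the Mobile Station, the Visited network and the Home network. The Mobile Station and the Home network each hold Ki. The Mobile Station sends its IMSI (or TMSI) to the Visited network, which sends the IMSI to the Home network. The Home network computes S with A3 and Kc with A8 from Ki and R, and returns triplets (Kc, R, S). The Visited network sends Authenticate (R). The Mobile Station computes Kc with A8 and S’ with A3 from Ki and R, and replies Auth-ack (S’). The Visited network checks S = S’?]
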
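Ciphering in GSM
[Figure: the Sender (Mobile Station or Network) and the Receiver (Network or Mobile Station) each feed the FRAME NUMBER and Kc into A5 to produce a CIPHERING SEQUENCE. The sender combines it with the PLAINTEXT SEQUENCE to obtain the CIPHERTEXT SEQUENCE; the receiver combines it with the CIPHERTEXT SEQUENCE to recover the PLAINTEXT SEQUENCE]
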
Conclusion on GSM security
Focused on the protection of the air interface
No protection on the wired part of the network (neither for privacy nor for confidentiality)
The visited network has access to all data (except the secret key of the end user)
Generally robust, but a few successful attacks have been reported:
  faked base stations
  cloning of the SIM card

GSM today
The common digital cellular technique deployed throughout Europe
Probably the leading cellular technology worldwide
Hundreds of millions of subscribers in more than 100 countries
7000+ pages of standards...

3GPP Security Principles (1/2)
Reuse of 2nd generation security principles (GSM):
  Removable hardware security module
    • In GSM: SIM card
    • In 3GPP: USIM (User Services Identity Module)
  Radio interface encryption
  Limited trust in the Visited Network
  Protection of the identity of the end user (especially on the radio interface)
Correction of the following weaknesses of the previous generation:
  Possible attacks from a faked base station
  Cipher keys and authentication data transmitted in clear between and within networks
  Encryption not used in some networks → open to fraud
  Data integrity not provided
  …

3GPP Security Principles (2/2)
New security features
  New kind of service providers (content providers, HLR only service providers,…)
  Increased control for the user over their service profile
  Enhanced resistance to active attacks
  Increased importance of non-voice services
  …

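Authentication in 3GPP
[Figure: exchange between the Mobile Station, the Visited Network and the Home Environment. The Mobile Station and the Home Environment each hold K, the user’s secret key. The Mobile Station is identified by its IMSI/TMSI. The Home Environment generates the cryptographic material from the sequence number (SQN) and RAND(i) and supplies authentication vectors to the Visited Network. The Visited Network sends the user authentication request RAND(i) || AUTN(i). The Mobile Station verifies AUTN(i), computes RES(i), returns it in the user authentication response, and computes CK(i) and IK(i). The Visited Network compares RES(i) and XRES(i) and selects CK(i) and IK(i)]
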
Generation of the authentication vectors (by the Home Environment)
[Figure: the Home Environment generates SQN and generates RAND; together with AMF and K they are the inputs of f1 to f5. f1 outputs MAC (Message Authentication Code), f2 outputs XRES (Expected Result), f3 outputs CK (Cipher Key), f4 outputs IK (Integrity Key), f5 outputs AK (Anonymity Key)]
Authentication token: AUTN := (SQN ⊕ AK) || AMF || MAC
Authentication vector: AV := RAND || XRES || CK || IK || AUTN
AMF: Authentication and Key Management Field

User Authentication Function in the USIM
[Figure: the USIM receives RAND and AUTN = (SQN ⊕ AK) || AMF || MAC. With K, f5 gives AK, which recovers SQN from SQN ⊕ AK. f1 gives XMAC (Expected MAC), f2 gives RES (Result), f3 gives CK (Cipher Key) and f4 gives IK (Integrity Key)]
• Verify MAC = XMAC
• Verify that SQN is in the correct range
USIM: User Services Identity Module

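The vector generation and the USIM checks of the two preceding slides, as an added example that is not part of the original slides. f1 to f5 are HMAC-SHA256 stand-ins (not MILENAGE), and the SQN acceptance window, the function names and the class name are assumptions made here.

```python
import hmac, hashlib, os

# Stand-ins for the operator-specific f1..f5: HMAC-SHA256 with a per-function
# label. This is NOT MILENAGE; only the data flow follows the slides.
def _f(k, label, data, n):
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def f1(k, sqn, rand, amf): return _f(k, b"f1", sqn + rand + amf, 8)  # MAC / XMAC
def f2(k, rand): return _f(k, b"f2", rand, 8)    # RES / XRES
def f3(k, rand): return _f(k, b"f3", rand, 16)   # CK
def f4(k, rand): return _f(k, b"f4", rand, 16)   # IK
def f5(k, rand): return _f(k, b"f5", rand, 6)    # AK

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(k, sqn, amf=b"\x80\x00"):
    """Home Environment: AV := RAND || XRES || CK || IK || AUTN (as a dict)."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    autn = xor(sqn_b, f5(k, rand)) + amf + f1(k, sqn_b, rand, amf)
    return {"RAND": rand, "XRES": f2(k, rand), "CK": f3(k, rand),
            "IK": f4(k, rand), "AUTN": autn}

class USIM:
    def __init__(self, k, window=32):   # window: assumed "correct range" rule
        self.k, self.sqn_ms, self.window = k, 0, window

    def authenticate(self, rand, autn):
        """Return (RES, CK, IK), or raise ValueError when a check fails."""
        sqn_b = xor(autn[:6], f5(self.k, rand))    # SQN = (SQN xor AK) xor AK
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, f1(self.k, sqn_b, rand, amf)):
            raise ValueError("MAC != XMAC: challenge not from the home network")
        sqn = int.from_bytes(sqn_b, "big")
        if not self.sqn_ms < sqn <= self.sqn_ms + self.window:
            raise ValueError("SQN out of range: replayed or stale vector")
        self.sqn_ms = sqn
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)

def visited_network_check(av, usim):
    """Visited Network: send RAND and AUTN, then compare RES with XRES."""
    res, ck, ik = usim.authenticate(av["RAND"], av["AUTN"])
    return hmac.compare_digest(res, av["XRES"]) and (ck, ik) == (av["CK"], av["IK"])
```

The MAC check is what GSM lacked: a challenge built without K is rejected by the USIM, and the SQN check rejects a vector that is presented a second time.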
More about the authentication and key generation function
In addition to f1, f2, f3, f4 and f5, two more functions are defined: f1* and f5*, used in case the authentication procedure gets desynchronized (detected by the range of SQN).
f1, f1*, f2, f3, f4, f5 and f5* are operator-specific
However, 3GPP provides a detailed example of algorithm set, called MILENAGE
MILENAGE is based on the Rijndael block cipher
In MILENAGE, the generation of all seven functions f1…f5* is based on the Rijndael algorithm

Authentication and key generation functions f1…f5*
[Figure: structure of the computation. Inputs: RAND, SQN||AMF and OP, from which OPc is derived with EK. Five branches, each with a rotation (by r1 to r5), a constant (c1 to c5), an EK operation and OPc, output f1 and f1*, f5 and f2, f3, f4, and f5*]
OP: operator-specific parameter
r1,…, r5: fixed rotation constants
c1,…, c5: fixed addition constants
EK: Rijndael block cipher with 128 bits text input and 128 bits key

Signalling integrity protection method
[Figure: the Sender (Mobile Station or Radio Network Controller) computes MAC-I with f9 from the SIGNALLING MESSAGE, IK, COUNT-I, FRESH and DIRECTION; the Receiver (Radio Network Controller or Mobile Station) computes XMAC-I with f9 from the same inputs]
FRESH: random input

f9 integrity function
[Figure: the string COUNT || FRESH || MESSAGE || DIRECTION || 1 || 0…0 is split into the blocks PS0, PS1, PS2, …, PSBLOCKS-1, which are chained through KASUMI operations keyed with IK; a final KASUMI operation keyed with IK ⊕ KM gives the output, of which the left 32 bits are MAC-I]
• KASUMI: block cipher (64 bits input, 64 bits output; key: 128 bits)
• PS: Padded String
• KM: Key Modifier

Ciphering method
[Figure: the Sender (Mobile Station or Radio Network Controller) and the Receiver (Radio Network Controller or Mobile Station) each compute a KEYSTREAM BLOCK with f8 from CK, COUNT-C, BEARER, DIRECTION and LENGTH. The sender combines it with the PLAINTEXT BLOCK to obtain the CIPHERTEXT BLOCK; the receiver combines it with the CIPHERTEXT BLOCK to recover the PLAINTEXT BLOCK]
BEARER: radio bearer identifier
COUNT-C: ciphering sequence counter

f8 keystream generator
[Figure: COUNT || BEARER || DIRECTION || 0…0 goes through a KASUMI operation keyed with CK and KM, and the result is held in a Register. For BLKCNT = 0, 1, 2, …, BLOCKS-1, a KASUMI operation keyed with CK outputs the keystream blocks KS[0]…KS[63], KS[64]…KS[127], KS[128]…KS[191], …]
KM: Key Modifier
KS: Keystream

Detail of Kasumi
[Figures: Fig. 1: KASUMI (64-bit input split into L0 and R0 of 32 bits each; eight rounds using FL1…FL8 and FO1…FO8 with subkeys KL1…KL8, KO1…KO8 and KI1…KI8; output C from L8 and R8). Fig. 2: FO Function (32 bits, split into 16 and 16 bits; FIi1, FIi2, FIi3 with subkeys KOi,1…KOi,3 and KIi,1…KIi,3). Fig. 3: FI Function (16 bits, split into 9 and 7 bits; S9 and S7 with zero-extend and truncate, subkeys KIi,j,1 and KIi,j,2). Fig. 4: FL Function (32 bits, split into 16 and 16 bits; subkeys KLi,1 and KLi,2, one bit left rotations)]
KLi, KOi, KIi: subkeys used at ith round
S7, S9: S-boxes
<<<: One bit left rotation
Other legend entries: Bitwise AND operation, Bitwise OR operation

Security: 3GPP vs Mobile IP
Key management
  3GPP: Manual (KMH) + roaming agreements
  Mobile IP: Manual or via the Internet Key Exchange (IKE)
Session key
  3GPP: Authentication vector
  Mobile IP: Registration key
Authentication
  3GPP: f1,…, f5* (e.g. MILENAGE)
  Mobile IP: AH
Data integrity
  3GPP: f9 (Kasumi)
  Mobile IP: AH
Confidentiality
  3GPP: f8 (Kasumi)
  Mobile IP: ESP
Location privacy wrt correspondents
  3GPP: Yes
  Mobile IP: Yes (e.g., with rev. tunnelling)
Location privacy wrt foreign domain
  3GPP: No (it can require the IMSI)
  Mobile IP: Partial
Protection of foreign domain against repudiation by user
  3GPP: No (cryptographic material provided in advance)
  Mobile IP: ?
Lawful interception
  3GPP: Yes

Conclusion on 3GPP security
Some improvement with respect to 2nd generation
  Cryptographic algorithms are published
  Integrity of the signalling messages is protected
Quite conservative solution
No real size experience so far
Privacy/anonymity of the user not completely protected
2nd/3rd generation interoperation will be complicated and might open security breaches