cellular network security

Network Security:
Cellular Security
Ravishankar Borgaonkar / Tuomas Aura
T-110.5241 Network Security
Aalto University, Autumn 2015
Outline
Cellular networks and threats
2G/GSM Security & pitfalls
3G/UMTS Security
3G/UMTS AKA and session protocols
4G/LTE improvements
Cellular networks
Complex inter-connected systems
6 billion+ subscribers use them for essential services
Provide voice, video, & data services
Base Stations
Mobile Switching Centre
Source: GSMA
Different stakeholders
cellular network providers
user equipment vendors
infrastructure & support services
content, applications, and other services
standard organizations
Threats against cellular networks
Discussion: What are the threats?
Charging fraud, unauthorized use
Charging disputes
Handset cloning (impersonation attack)
→ multiple handsets on one subscription
→ let someone else pay for your calls
Voice interception → casual eavesdropping and industrial espionage
Location tracking
Call and location data retention
Handset theft
Handset unlocking (locked to a specific operator)
Network service disruption (DoS)
What about integrity?
1G networks
Transformation from military to commercial usage
Nordic Mobile Telephone system (NMT) in northern Europe
Advanced Mobile Phone system (AMPS) in the USA
Consist of mobile stations (in car), base stations & telephone switch
Source: Ericsson
Security in 1G networks
No authentication
No encryption
What are possible threats?
Source: Ericsson - http://www.ericssonhistory.com/products/mobile-telephony/MTX--the-first-mobile-switch/
GSM security (2G)
We’ll start with the GSM protocol because it is so simple. It is easier to understand the 3G security protocol by following the historical development. Besides, the networks and phones are still backward compatible.
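GSM authentication
Participants: MS (= ME + SIM), BS, MSC/VLR, HLR/AuC
Ki is stored in the SIM and in the HLR/AuC
1. MS → MSC/VLR: IMSI or TMSI
2. MSC/VLR → HLR/AuC: IMSI
3. HLR/AuC computes SRES = A3 (Ki, RAND), Kc = A8 (Ki, RAND)
4. HLR/AuC → MSC/VLR: one or more authentication triplets < RAND, SRES, Kc >
5. MSC/VLR → MS: Challenge: RAND
6. MS computes RES = A3 (Ki, RAND), Kc = A8 (Ki, RAND)
7. MS → MSC/VLR: Response: RES
8. MSC/VLR checks RES = SRES ?
9. MSC/VLR → BS: Kc
10. MS ↔ BS: Encryption with Kc
11. MSC/VLR → MS: TMSI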
GSM authentication
Alice-and-Bob notation:
1. Network → MS: RAND
2. MS → Network: A3 (Ki, RAND)
Ki = shared master key between SIM and AuC
Kc = A8 (Ki, RAND) = session key
After authentication, BS asks mobile to turn on
encryption on the radio interface
Kc is generated in the SIM, used by the mobile equipment
Encryption: A5 cipher with the key Kc
GSM security
Mobile authenticated → prevents charging fraud
Encryption on the air interface
→ No casual sniffing
→ Encryption of signalling gives some integrity protection
Temporary identifier TMSI used instead of the globally unique IMSI
TMSI → not easy to track mobile with a passive radio
Hash algorithms A3, A8 can be replaced by home operator
AuC and SIM must use the same algorithms
Encryption algorithm A5 implemented in the phone and BS
Many versions of the algorithm
Non-protocol features:
Subscriber identity module (SIM) is separate from the handset
→ Flexibility
→ Thieves and phone unlockers don’t even try to break the SIM
International mobile equipment identity (IMEI) to track stolen devices
GSM security issues
No mutual authentication - Mobile authenticated but not network
Active attacks not considered (fake base station problem)
Weak crypto algorithms (A5/1, A5/2)
Secret and weak Comp128 - SIM cloning
Smaller key size - 64 bits
Encryption ends early on base stations
Plaintext communication within and between networks
UMTS (3G) network
Based on the earlier GSM architecture
User equipment (UE) i.e. terminal = mobile equipment (ME) + universal subscriber identity module (USIM)
UMTS terrestrial radio access network (UTRAN) = radio network controller (RNC) + base stations (Node B = BS)
Core network = multiple service domains + home location register
3GPP Release 8 specifies an all-IP network for signalling and data, replacing old SS7 telephony signalling network
Circuit-switched (CS) domain for voice
Packet-switched (PS) domain for IP data
UMTS architecture
[Figure: UMTS architecture]
UMTS terrestrial radio network (UTRAN): Terminal, Base station BS = Node B, Radio network controller RNC
Core network, CS domain: Mobile switching center MSC / Visitor location register VLR, Public switched telephone network PSTN
Core network, PS domain: Serving GPRS support node (SGSN), Internet
Core network: Home location register HLR / Authentication center AuC
IMS domain etc.
Security architecture
Home location register (HLR) of the subscriber’s home operator keeps track of the mobile’s location
Visitor location register (VLR) keeps track of roaming (visiting) mobiles at each network
SIM card has a globally unique international mobile subscriber identifier (IMSI)
Shorter, temporary identifier TMSI allocated by the current network
Shared key between SIM and authentication center (HLR/AuC) at the home network
Only symmetric cryptography
VLR of the visited network obtains authentication tuples (triplets in 2G) from AuC of the mobile’s home network and authenticates the mobile
Main goals: authentication of the mobile for charging purposes, and encryption of the radio channel
Counters for freshness
Using counters for freshness
Simple shared-key authentication with nonces:
1. A → B: N_A
2. B → A: N_B, MAC_K(Tag2, A, B, N_A, N_B)
3. A → B: MAC_K(Tag3, A, B, N_A, N_B)
K = master key shared between A and B
SK = h(K, N_A, N_B)
Using counters can save one message or roundtrip:
1. A → B:
2. B → A: N_B, SQN, MAC_K(Tag2, A, B, SQN, N_B)
3. A → B: MAC_K(Tag3, A, B, SQN, N_B)
SK = h(K, SQN, N_B)
Another benefit: B can pre-compute message 2
A must check that the counter always increases
Using counters
Counters must be monotonically increasing
Absolutely never accept previously used values
Persistent counter storage needed
Recovering from lost synchronization:
Verifier can maintain a window of acceptable counter values to recover from message loss or reordering
Nonce-based protocol for resynchronization if counters get badly out of sync
Counter values must not run out or wrap to zero
Limit the rate at which values can be consumed
But support bursts of activity
Use long enough counter to last the equipment lifetime or lifetime of the shared key in use
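Added example (not from the lecture slides): one possible verifier for message 2 of the counter-based protocol, run by party A, that accepts each counter value at most once while tolerating loss and reordering inside a window. HMAC-SHA256 as MAC_K, the 6-byte counter encoding and the WINDOW and MAX_JUMP values are assumptions made for this sketch.

```python
import hashlib
import hmac

WINDOW = 32      # assumed: how far behind the highest counter a late message may be
MAX_JUMP = 1000  # assumed: largest forward jump; bounds how fast values are consumed

def mac(key, tag, sqn, nb):
    """MAC_K(Tag, A, B, SQN, N_B) with length-prefixed fields (HMAC-SHA256 assumed)."""
    fields = [tag, b"A", b"B", sqn.to_bytes(6, "big"), nb]
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

class CounterVerifier:
    """Party A: checks message 2 and accepts each counter value at most once."""
    def __init__(self, key, highest=0):
        self.key = key
        self.highest = highest  # a real device must store this persistently
        self.seen = 1           # bitmap: bit i set => counter (highest - i) is used

    def accept(self, sqn, nb, tag):
        # Verify the MAC first so forged messages cannot move the counter state.
        if not hmac.compare_digest(mac(self.key, b"Tag2", sqn, nb), tag):
            return "bad-mac"
        if sqn > self.highest:
            shift = sqn - self.highest
            if shift > MAX_JUMP:
                return "resync-needed"  # badly out of sync: use the nonce protocol
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = sqn
            return "ok"
        offset = self.highest - sqn
        if offset >= WINDOW:
            return "too-old"
        if (self.seen >> offset) & 1:
            return "replay"
        self.seen |= 1 << offset        # late but unused value inside the window
        return "ok"

def demo():
    """Constructed run: B's messages arrive reordered, replayed and forged."""
    key, nb = b"constructed-key!", b"nonce-from-B"
    a = CounterVerifier(key)
    results = [a.accept(s, nb, mac(key, b"Tag2", s, nb)) for s in (1, 3, 2, 3, 2000, 40, 2)]
    results.append(a.accept(41, nb, b"\x00" * 32))
    return results

if __name__ == "__main__":
    print(demo())
```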
UMTS (3G) authentication and key agreement (AKA)
The AKA protocol is used in 3G/4G networks
UMTS AKA (simplified)
Network and Phone both hold K, SQN
1. Network computes MAC = f1 (K, RAND, SQN), XRES = f2 (K, RAND), CK = f3 (K, RAND), IK = f4 (K, RAND)
2. Network → Phone: RAND, AUTN [SQN, MAC]
3. Phone computes XMAC = f1 (K, RAND, SQN), RES = f2 (K, RAND), CK = f3 (K, RAND), IK = f4 (K, RAND)
4. Phone checks MAC = XMAC ?
5. Phone → Network: RES
6. Network checks RES = XRES ?
7. Encryption and integrity protection with CK, IK
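UMTS AKA (simplified)
Participants: Phone, RNC, MSC/VLR, AuC
Phone and AuC both hold K, SQN
1. MSC/VLR → AuC: IMSI
2. AuC computes MAC = f1 (K, RAND, SQN), XRES = f2 (K, RAND), CK = f3 (K, RAND), IK = f4 (K, RAND)
3. AuC → MSC/VLR: RAND, AUTN [SQN, MAC], XRES, CK, IK
4. MSC/VLR → Phone: RAND, AUTN [SQN, MAC]
5. Phone computes XMAC = f1 (K, RAND, SQN), RES = f2 (K, RAND), CK = f3 (K, RAND), IK = f4 (K, RAND)
6. Phone checks MAC = XMAC ?
7. Phone → MSC/VLR: RES
8. MSC/VLR checks RES = XRES ?
9. MSC/VLR → RNC: CK, IK
10. Encryption and integrity protection with CK, IK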
UMTS AKA
Participants: UE (= ME + USIM), RNC, MSC/VLR, AuC
USIM and AuC both hold K, SQN
1. MSC/VLR → AuC: MAP authentication data request: IMSI
2. AuC computes MAC = f1 (K, RAND, SQN, AMF), XRES = f2 (K, RAND), CK = f3 (K, RAND), IK = f4 (K, RAND), AK = f5 (K, RAND)
3. AuC → MSC/VLR: MAP authentication data response: one or more authentication vectors <RAND, AUTN [SQN⊕AK, AMF, MAC], XRES, CK, IK, AK>
4. MSC/VLR → UE: User authentication request: RAND, AUTN [SQN⊕AK, AMF, MAC]
5. UE computes XMAC = f1 (K, RAND, SQN, AMF), RES = f2 (K, RAND), CK = f3 (K, RAND), IK = f4 (K, RAND), AK = f5 (K, RAND)
6. UE checks MAC = XMAC ?
7. UE → MSC/VLR: User authentication response: RES
8. MSC/VLR checks RES = XRES ?
9. MSC/VLR → RNC: RANAP security mode command: CK, IK
10. RNC → UE: RRC security mode command
11. Encryption and integrity protection with CK, IK
RSQ Resynchronization
Resynchronization needed if the sequence number gets out of sync between USIM and AuC.
Participants: UE (= ME + USIM), MSC/VLR, AuC
USIM and AuC both hold K, SQN
1. MSC/VLR → AuC: IMSI
2. AuC → MSC/VLR: RAND, AUTN [SQN⊕AK, AMF, MAC], XRES, CK, IK, AK
3. MSC/VLR → UE: RAND, AUTN [SQN⊕AK, AMF, MAC]
4. UE computes MAC = f1 (K, RAND, SQN, AMF), AK = f5 (K, RAND)
5. UE checks MAC = XMAC ?
6. UE: SQN too high!
7. UE computes MAC-S = f1* (K, RAND, SQN, AMF)
8. UE → MSC/VLR: AUTS [ SQN⊕AK, MAC-S ]
9. MSC/VLR → AuC: RAND, AUTS [ SQN⊕AK, MAC-S ]
10. AuC: Update stored SQN
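Added example (not from the lecture slides): the USIM-side checks of UMTS AKA and the AUTS resynchronization reply, following the message layout of the slides above. The functions f1..f5 and f1* are replaced by truncated HMAC-SHA256 stand-ins, and the field sizes, the AMF value and the acceptance range DELTA are assumptions made for this sketch; the real functions are chosen by the operator.

```python
import hashlib
import hmac
import os

DELTA = 32  # assumed: how far ahead of the stored SQN the USIM still accepts

def f(label, k, *parts, n=8):
    """Stand-in for f1..f5 and f1*: truncated HMAC-SHA256, NOT the operator's real functions."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def auc_vector(k, sqn, amf=b"\x80\x00"):
    """AuC side: return RAND, AUTN [SQN xor AK, AMF, MAC] and XRES."""
    rand, s = os.urandom(16), sqn.to_bytes(6, "big")
    ak = f(b"f5", k, rand, n=6)
    autn = xor(s, ak) + amf + f(b"f1", k, rand, s, amf)
    return rand, autn, f(b"f2", k, rand)

class USIM:
    def __init__(self, k, sqn):
        self.k, self.sqn = k, sqn  # sqn = highest sequence number accepted so far

    def authenticate(self, rand, autn):
        ak = f(b"f5", self.k, rand, n=6)
        s, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f(b"f1", self.k, rand, s, amf)):
            return "mac-failure", None      # sender does not hold K
        got = int.from_bytes(s, "big")
        if not self.sqn < got <= self.sqn + DELTA:
            # Out of range: answer with AUTS [SQN xor AK, MAC-S] built from our own SQN.
            mine = self.sqn.to_bytes(6, "big")
            return "sync-failure", xor(mine, ak) + f(b"f1*", self.k, rand, mine, amf)
        self.sqn = got
        return "ok", f(b"f2", self.k, rand)  # RES

def auc_resync(k, rand, auts, amf=b"\x80\x00"):
    """AuC side: check MAC-S and return the USIM's SQN, or None if AUTS is forged."""
    mine = xor(auts[:6], f(b"f5", k, rand, n=6))
    ok = hmac.compare_digest(auts[6:], f(b"f1*", k, rand, mine, amf))
    return int.from_bytes(mine, "big") if ok else None

def demo():
    k = bytes(range(16))                          # constructed subscriber key
    usim = USIM(k, sqn=100)
    rand, autn, xres = auc_vector(k, 101)
    first = usim.authenticate(rand, autn)
    status, auts = usim.authenticate(rand, autn)  # same challenge replayed
    return first == ("ok", xres), status, auc_resync(k, rand, auts)
```

`demo()` returns `(True, "sync-failure", 101)`: the fresh vector is accepted, the replayed one triggers AUTS, and the AuC recovers the USIM's counter from it.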
AKA Protocol Linkability Attack
Source: Borgaonkar et al.
Remaining UMTS security weaknesses
IMSI may still be sent in clear, when requested by base station
Authentication tuples available to thousands of operators around the world, and all of them can create fake base stations
Equipment identity IMEI still not authenticated
Non-repudiation for call and roaming charges is still based on server logs, not on public-key signatures
Still no end-to-end security
Thousands of legitimate radio network operators
→ Any government or big business can gain control of one and intercept calls at RNC
LTE network security
LTE security architecture
[Figure: LTE security architecture]
Serving Network: ME + UICC, eNodeB, MME, S-GW
Home Network: HSS
Protection shown: UP protection, AS protection, NAS protection
Abbreviations:
ME = Mobile Equipment
UICC = Universal Integrated Circuit Card
eNodeB = Evolved NodeB
AS = Access Stratum
UP = User Plane
S-GW = Security Gateway
MME = Mobility Management Entity
HSS = Home Subscriber Server
NAS = Non Access Stratum
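LTE AKA protocol (simplified)
Participants: ME + UICC, MME, HSS
1. MME → HSS: IMSI, SN id
2. HSS: Generate AV
3. HSS → MME: RAND, XRES, AUTN, K_ASME (distribution of AV from HSS to MME)
4. MME → ME + UICC: RAND, AUTN
5. ME + UICC: Verify AUTN, Compute RES
6. ME + UICC → MME: RES
7. MME: RES ≠ XRES
8. ME + UICC: Compute K_ASME
Authentication and key establishment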
Key hierarchy
Cryptographic key separation
Key renewal
Minimize distribution of same key elements
Key freshness is important
Source: NTT Docomo Whitepaper
IMSI catcher problem
passive and active types: affects all security aspects
Authentication, confidentiality, integrity, availability
works for 2G networks only
Fake BTS attacks
for 3G and 4G, legitimate BTS attacks
Rogue femtocell
Software defined radios (USRP)
deficiency in security standards and regulation
no security indication in mobile phones
ultimate power (encryption on/off) lies with the BTS
Source: product manuals
Exercises
Who could create false location traces in the GSM HLR and how? Is this possible in UMTS?
Consider replacing the counter with the phone’s nonce in AKA. What would be lost?
Try to design a protocol where the IMSI is never sent over the air interface, i.e. the subscriber identity is never sent in clear. Remember that the terminal may have just landed from an intercontinental flight, and the terminal does not know whether it has or not
Why would an IMSI catcher attack not work easily in LTE?
What are possible ways for normal users to detect a fake base station?
Related reading
Gollmann, Computer security, 3rd ed. chapters 19.2–19.3
http://www.ericsson.com/ericsson/corpinfo/publications/review/2006_03/files/3_fifty_years.pdf
New privacy issues in mobile telephony: fix and verification
http://dl.acm.org/citation.cfm?id=2382221
LTE Security, 2nd Edition, Dan Forsberg, Gunther Horn, Wolf-Dietrich Moeller, Valtteri Niemi, ISBN: 978-1-118-35558-9
(Check E-book in Aalto Library)